19 April 2000 Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html ----------------------------------------------------------------------- [DOCID: f:sr259.106] From the Senate Reports Online via GPO Access [wais.access.gpo.gov] Calendar No. 489 106th Congress Report SENATE 2d Session 106-259 _______________________________________________________________________ GOVERNMENT INFORMATION SECURITY ACT OF 1999 __________ R E P O R T of the COMMITTEE ON GOVERNMENTAL AFFAIRS UNITED STATES SENATE to accompany S. 1993 TO REFORM GOVERNMENT INFORMATION SECURITY BY STRENGTHENING INFORMATION SECURITY PRACTICES THROUGHOUT THE FEDERAL GOVERNMENT April 10, 2000.--Ordered to be printed __________ U.S. GOVERNMENT PRINTING OFFICE 79-010 WASHINGTON : 2000 COMMITTEE ON GOVERNMENTAL AFFAIRS FRED THOMPSON, Tennessee, Chairman WILLIAM V. ROTH, Jr., Delaware JOSEPH I. LIEBERMAN, Connecticut TED STEVENS, Alaska CARL LEVIN, Michigan SUSAN M. COLLINS, Maine DANIEL K. AKAKA, Hawaii GEORGE VOINOVICH, Ohio RICHARD J. DURBIN, Illinois PETE V. DOMENICI, New Mexico ROBERT G. TORRICELLI, New Jersey THAD COCHRAN, Mississippi MAX CLELAND, Georgia ARLEN SPECTER, Pennsylvania JOHN EDWARDS, North Carolina JUDD GREGG, New Hampshire Hannah S. Sistare, Staff Director and Counsel Ellen B. Brown, Senior Counsel Susan G. Marshall, Professional Staff Member Joyce A. Rechtschaffen, Minority Staff Director and Counsel Deborah Cohen Lehrich, Minority Counsel Darla D. Cassell, Administrative Clerk Calendar No. 489 106th Congress Report SENATE 2d Session 106-259 ====================================================================== GOVERNMENT INFORMATION SECURITY ACT OF 1999 _______ April 10, 2000.--Ordered to be printed _______ Mr. Thompson, from the Committee on Governmental Affairs, submitted the following R E P O R T [To accompany S. 1993] The Committee on Governmental Affairs, to which was referred the bill (S. 1993) to reform Government information security by strengthening information security practices throughout the Federal Government, having considered the same, reports favorably thereon with an amendment in the nature of a substitute and recommends by voice vote that the bill as amended do pass. C O N T E N T S Page I. Purpose and Summary..............................................1 II. Background and Need for Legislation..............................3 III. Legislative History..............................................6 IV. Section-by-Section Analysis.....................................10 V. Regulatory Impact Statement.....................................15 VI. CBO Cost Estimate...............................................15 VII. Changes to Existing Law.........................................17 I. Purpose and Summary The Government Information Security Act would provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets. It is modeled on the ``best practices'' of leading organizations in the area of informationsecurity. It does this by strengthening responsibilities and procedures and coordinating information policy to ensure better control and oversight of systems. It also recognizes the highly networked nature of the current Federal computing environment and provides for governmentwide management and oversight of the related information security risks including coordination of security efforts between civilian, national security and law enforcement communities. S. 1993 would amend the Paperwork Reduction Act by inserting a new Subchapter II. Agency Responsibilities: Agency heads would be responsible for developing and implementing security policies. This responsibility would be delegable to the agency's Chief Information Officer or comparable official. Each agency would be responsible for developing and implementing an agency-wide security program which must include risk assessment considering internal and external threats, risk-based policies, security awareness training for personnel, periodic reviews of the effectiveness of security policies including remedies to address deficiencies, and procedures for detecting, reporting and responding to security incidents. Further, each agency would be required to identify specific actions--including budget, staffing, and training resources--necessary to implement the security program and include this as part of its Government Performance and Results Act performance plan. Director of OMB Responsibilities: The agency plans must be affirmatively approved by the Director of OMB who also would be responsible for establishing government-wide policies for the management of programs that support the cost-effective security of Federal information systems by promoting security as an integral part of each agency's business operations. Other responsibilities of the Director would include overseeing and coordinating agency implementation of security policies, and coordinating with the National Institute for Standards and Technology on the development of standards and guidelines for security controls for Federal systems. Such standards would be voluntary and consensus-based and developed in consultation with industry. To enforce agency accountability, the Director would be authorized to take budgetary action with respect to an agency's information resources management allocations. The OMB Director may delegate these responsibilities only down to the Deputy Director for Management. Annual Audit: Based on the General Accounting Office's audit findings, S. 1993 adds a new requirement that each agency must annually undergo an independent evaluation of its information security program and practices to be conducted either by the agency's Inspector General, the General Accounting Office or an independent external auditor. GAO then will review these evaluations and report annually to Congress regarding the adequacy of agency information programs and practices. National Security Systems: S. 1993 would require that the same management framework be applied to all systems including national security systems. However, in order to ensure that national security concerns are adequately addressed and that the appropriate individuals have oversight over national security and other classified information, the substitute amendment would vest responsibility for approving the security plan for these systems in the Secretary of Defense and the Director of Central Intelligence, rather than the Director of OMB. Additionally, for these systems, the Secretary of Defense or the Director of Central Intelligence shall designate who conducts the evaluation of these systems with the IG conducting an audit of the evaluation. Finally, the bill also allows the defense and intelligence agencies to develop their own procedures for detecting, reporting and responding to security incidents. Specific Agency Responsibilities: The Department of Commerce would continue to be responsible for developing, issuing, reviewing and updating standards and guidance for the security of information in Federal computer systems. The Department of Justice would be responsible for reviewing and updating guidance to agencies on legal remedies regarding security incidents and coordination with law enforcement agencies concerning such incidents. The General Services Administration would be responsible for reviewing and updating guidance on addressing security considerations relating to the acquisition of information technology. The Office of Personnel Management would be responsible for reviewing and updating regulations concerning computer security training for Federal civilian employees and for providing, along with the National Science Foundation, for personnel and training initiatives such as a Federal Cyber Service. II. Background and Need for Legislation Recent news accounts have described attacks on a handful of popular commercial Internet web sites. Less publicized, though potentially more damaging, is the fact that government computer systems also are vulnerable to the kinds of attacks these businesses have been suffering. Like the rest of the nation, government is increasingly dependent upon computers to store important information and perform vital tasks. That dependence, however, has not been accompanied by an equivalent growth in the security of those computer systems, leaving the governmentsusceptible to potentially devastating disruptions in critical services, potentially exposing our citizens' most personal information and opening our national security apparatus to attack from terrorists or enemy states. The Committee on Governmental Affairs has spent considerable time examining the security of the government's information technology systems. During the past several years, Committee hearings and Committee-requested reports from the General Accounting Office (GAO) have uncovered and publicly highlighted the security failures affecting our vulnerability to domestic and international cyberterrorism. On October 6, 1999, in testimony before the Senate Judiciary Committee, GAO noted that significant information security weaknesses exist in 22 Federal agencies it analyzed. In fact, GAO believes the problems in the government's information technology systems to be so severe that it has put governmentwide information security on its list of ``high-risk'' government programs. GAO Reports As a result of its work, GAO identified many specific weaknesses in agency controls and concluded that an underlying cause was inadequate security program planning and management. In particular, agencies were addressing identified weaknesses on a piecemeal basis rather than proactively addressing systemic causes that diminished security effectiveness throughout the agency. Over the years, the following GAO reports provided the Committee with substantial evidence of Federal agency vulnerabilities in the area of information security and became the basis for S. 1993: Department of Energy Procedures Lacking to Protect Computerized Data (GAO/AIMD-95-118, June 1995): Allegations were made that the Idaho National Engineering Laboratory sold surplus computer equipment that contained sensitive data to an Idaho businessman. GAO concluded that some of the computers sold may have contained sensitive data, but did not determine how many. GAO added that, like all Federal agencies, the Department of Energy is required to establish computer security safeguards, yet it had not. Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 1996): Unknown and unauthorized individuals were increasingly attacking and gaining access to highly sensitive unclassified information at the DoD. These attacks ranged from being nuisances to being a serious threat to national security. According to GAO, DoD needed to make better use of technology and, more importantly, needed to develop better policies and employ better trained personnel. Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, September 1996): GAO provided OMB with a number of recommendations on how to better manage governmentwide information technology system security. The recommendations included directing the Office of Information and Regulatory Affairs, Office of Federal Financial Management and others to review Chief Financial Officer audits for any information security weaknesses, proactively monitoring agency information security effectiveness through reviews, and encouraging the development of improved information resources to better evaluate agency information security effectiveness. Resolving Serious Information Security Weaknesses (GAO/HR- 97-1, February 1997): GAO identified information security as a governmentwide high-risk area because of growing evidence indicating that controls over computer operations were not effective. GAO recommended that agencies proactively manage risk and that strong, governmentwide leadership be provided on the issue by OMB in order to ensure that executives understand their risks, monitor agency performance, and resolve issues affecting multiple agencies. IRS Systems: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses (GAO/AIMD-97-76, April 1997): The GAO reported that ``weaknesses in IRS computer security controls continue to place IRS's automated systems and taxpayer data at serious risk to both internal and external attack.'' The report stated that more needs to be done at IRS to combat the unauthorized access or browsing of taxpayer records by agency employees. For example, the GAO found that IRS's ability to detect and monitor employee browsing of taxpayer data remains limited. In addition, unauthorized employees were given access to sensitive computer areas while employees whose jobs did not require it were given the ability to change, alter, or delete taxpayer data. Additionally, the GAO reported that the IRS could not account for a total of 397 missing computer tapes (some of which contained sensitive taxpayer data or privacy information) and found that tapes and disks containing taxpayer data were not erased prior to reuse (thus potentially allowing unauthorized access to sensitive data). Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145, May 1998): Todetermine the extent to which the State Department's systems are vulnerable to unauthorized attack, the GAO directed and supervised penetration testing of State Department systems. GAO's reviews and testing revealed the susceptibility of the State Department's systems to unauthorized access and that unauthorized retrieval of sensitive information from such systems was possible. Specifically, testers were able to download, delete, and modify data, add new data, shut down servers, and monitor network traffic. Moreover, this activity went largely undetected, further underscoring the State Department's serious vulnerability to attack. Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety (GAO/AIMD-98-155, May 1998): Malicious attacks on computer systems could cause nationwide disruption of air traffic or even the loss of life due to collisions. Such attacks are an increasing threat to the Federal Aviation Administration's (FAA) systems and, consequently, those who fly. Auditors at GAO found that, in all critical areas of review, FAA was ineffective in implementing sound computer security practices. In fact, FAA was found not only to be ineffectively managing current systems, but it did not provide accurate security specifications in new modernization efforts. Information Security: Many NASA Mission-Critical Systems Face Serious Risks (GAO/AIMD-99-47, May 1999): GAO conducted an evaluation of the National Aeronautics and Space Administration's (NASA) information technology security program to determine (1) whether NASA's mission critical systems are vulnerable to unauthorized access; (2) whether NASA is effectively managing its information systems security; and (3) what NASA is doing to address the risk of unauthorized access to mission critical systems. GAO determined that NASA's information security program did not include key elements of a comprehensive information technology security management program because it did not assess risks, effectively implement controls, provide training, monitor policy compliance, or provide incident response capabilities. Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk (GAO/AIMD-98-92, September 1998): GAO conducted a review of 24 of the largest Federal agencies and found serious weaknesses in the government's ability to adequately protect: (1) federal assets from fraud and misuse; (2) sensitive information from inappropriate disclosure; and (3) critical operations, including some affecting safety, from disruption. According to the report's conclusions, these weaknesses place critical government operations, such as national defense, tax collection, law enforcement and benefit distribution, at risk. Further, the Committee asked GAO to study organizations with superior information security programs to identify management practices that could benefit Federal agencies. This report detailed the ``best practices'' used by these organizations and became the basis for the management framework of S. 1993: Information Security Management: Learning from Leading Organizations (GAO/AIMD-98-68, May 1998): At the Committee's request, GAO studied the management practices of eight organizations known for their superior security programs and found that these organizations managed information security through continuous management activities which incorporated specific practices to support their information security principles. These practices included providing senior management support and involvement, defining procedures, integrating business and technical experts, holding business units responsible, documenting and maintaining results, identifying threats, ranking critical assets, estimating potential damage, identifying cost-effective mitigating controls, and documenting assessment findings. III. Legislative History The oversight of Federal government information management is within the jurisdiction of the Committee on Governmental Affairs. Over the years, the Committee spent considerable time on this issue. During the 105th Congress, Committee hearings focused on information security and cyberterrorism. The Committee uncovered and identified failures of information security affecting our international security and revealing our vulnerability to domestic and international terrorism. These hearings highlighted our nation's vulnerability to computer attacks--from international and domestic terrorists to crime rings to everyday hackers--and led to the development of S. 1993. Hearings On May 18, 1998, the Committee held a hearing--``Weak Computer Security in the Government: Is the Public at Risk?''-- on how Federal agencies are providing computer security. The hearing provided many new insights into how the government has not kept pace with the advances in technology and its multipleapplications. In fact, the hearing revealed that, not only has technology advanced, it has become less complex for users and its availability is not limited and instead is widely distributed around the world. Witnesses at this hearing addressed systemic problems which make government computer and communication systems vulnerable to both deliberate and inadvertent attacks. Dr. Peter Neumann, Principal Scientist, Computer Science Laboratory, SRI International, testified that our nation's underlying information infrastructure (for example, power generation, transmission and distribution, air traffic control, and telecommunications) remains at risk. Even though the risk is widely known, Dr. Neumann stated that until high-visibility disasters occur, few people are willing to admit that something drastic needs to be done. He testified that it may take a Chernobyl-scale event to raise awareness levels adequately. Also, seven members of L0pht, a ``hacker'' think tank, provided testimony to the Committee. L0pht said that, in a matter of thirty minutes, they could unlock the security systems within the Internet and make the entire system unusable for a couple of days. On June 24, 1998, the Committee held another hearing-- ``Cyber Attack: Is the Nation at Risk?'' This hearing addressed threats and vulnerabilities to the U.S. national security due to weak computer security. The Director of Central Intelligence, Mr. George Tenet, testified that information warfare has the potential to deal a crippling blow to our national security if strong measures are not taken to counter it. Director Tenet noted that the U.S. is highly dependent on information systems and therefore is the most likely target for an information-based attack. He testified that potential threats range from national intelligence and military organizations to terrorists, criminals, industrial competitors, hackers, and disgruntled or disloyal insiders. Director Tenet stated that several countries, including, Russia and China, have government- sponsored information warfare programs with both offensive and defensive applications. These countries see information warfare as a way of leveling the playing field against a stronger military power, such as the U.S. The more difficult threat to assess is that from non-State actors, such as terrorists and criminals. Cyber attacks offer these groups greater security and operational flexibility. They can launch an assault from almost anywhere in the world without directly exposing themselves to physical harm. The Director of the National Security Agency (NSA), Lieutenant General Kenneth Minihan, USAF, testified on the findings from the DoD's exercise ``Eligible Receiver.'' This exercise demonstrated that our nation's information infrastructure is riddled with vulnerabilities and that severe deficiencies exist in our ability to respond to a coordinated attack on our national infrastructure and information systems. During the exercise, a team of hackers from NSA, using tools easily obtained from the Internet, proved that they could deny our military the ability to deploy forces and conduct operations. On September 23, 1998, the Committee held a hearing on computer security in Federal government agencies which examined whether private information held by the Federal government-- information relating to one's identification, finances and health--is susceptible to unauthorized access and manipulation by computer hackers. The hearing focused on the results of penetration testing performed under GAO's direction and supervision at two federal agencies--the Department of Veterans Affairs (VA) and the Social Security Administration (SSA). The Committee heard testimony from agents of the SSA Office of Inspector General who described a variety of computer crimes committed by SSA employees. The agents discussed in detail a series of prosecutions, known as ``Operation Pinch,'' in which 14 SSA employees were convicted for their part in a widespread credit card fraud ring centered in New York. The agents determined that SSA employees sold identity information on 20,000 people whose credit cards then were fraudulently activated by a West African crime ring, resulting in bank losses of at least $70 million. ``Operation Pinch'' demonstrated the danger of the ``inside threat'' to agencies that do not adequately monitor and limit access to computer information by their own employees. Witnesses from GAO described the results of penetration testing at the VA and SSA. GAO would have been able, during its VA testing, to alter, disclose or delete sensitive information, such as financial data and personal information on veterans' medical records and benefit payments. GAO's penetration went undetected because the VA did not have a monitoring system. GAO's penetration testing of the SSA exposed vulnerabilities in the SSA computer system to both external and internal intrusions. These types of weakness place at risk private information held by SSA, including Social Security numbers, earnings, and benefits. Legislation S. 1993, the Government Information Security Act, was introduced on November 19, 1999, by Senator Thompson (for himself and Senator Lieberman). Senators Abraham, Voinovich, Akaka, Cleland, Collins, and Stevens became additional co- sponsors. On March 2, 2000, the Committee held a legislative hearing on S. 1993. The Committee sought general comments on S. 1993 and additional testimony on the security of Federal information systems including computer system vulnerabilities, how people exploit those weaknesses and what Federal agencies should be doing to strengthen the management of information systems. Thefollowing witnesses presented testimony on S. 1993: Mr. Kevin Mitnick, a self-described reformed hacker; Mr. Jack Brock, Director, Governmentwide and Defense Information Systems, General Accounting Office; Ms. Roberta Gross, Inspector General, National Aeronautics and Space Administration; Mr. James Adams, Chief Executive Officer, iDefense; and Mr. Ken Watson, Manager, Critical Infrastructure, Cisco Systems. Mr. Mitnick provided testimony which outlined four components of information security: physical security, network security, computer systems security, and personnel security. After detailing the first three elements, Mr. Mitnick highlighted the most complex element of information security-- personnel security--noting that weaknesses in personnel security negate the effort and cost of the other three types of security efforts. He said, ``The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption, and secure access devices and it is money wasted because none of these measures address the link in the security chain, the people who use, administer, operate and account for computer systems that contain protected information.'' Mr. Mitnick's testimony provided the Committee with examples of how all of the elements of information security can be compromised. He explained to the Committee how he successfully tricked the employees of a multi-national company into giving him pass codes to the company's security access devices. Mr. Mitnick characterized S. 1993 as a good first step toward the goal of increasing information security for government systems and recommended increased oversight, education and training. Mr. James Adams provided testimony supporting S. 1993. He said, ``By stepping up to the plate and tackling computer security with an innovative, bold approach the Thompson- Lieberman bill significantly boosts the chances of reversing the current bureaucratic approach to a dynamic problem.'' His testimony focused on current threats and vulnerabilities within the nation's critical infrastructure and his belief that total cultural reform is needed. One of Mr. Adams's proposals for reform included the establishment of a Business Assurance Office to better manage governmentwide information security. This Office would draw on the skills of individuals such as Chief Information Officers, Chief Financial Officers, and Chief Security Officers, in order for policies to be devised which take into account the whole environment of a public sector organization. Mr. Watson's testimony focused on ``best practices'' and the management approach applied within Cisco Systems. For example, Mr. Watson highlighted the need for a continuous management approach which includes assessing information, determining the level of risk of exposure of that data, and applying the appropriate solutions. Mr. Watson emphasized that each Federal agency and department should execute its own programs based on tailored mission and risk analyses because no two departments will have the same requirements at the same time. And those requirements and solutions will change over time. During the hearing Senator Thompson said, ``Hopefully the recent breaches of security at the various dot.com companies is the wake up call needed to focus attention on the security of government computer systems. We know that federal agencies continue to use a band-aid approach to computer security rather than addressing the systemic problems which make government systems vulnerable to repeated computer attacks.'' Senator Lieberman said, ``The security of our digital information is something that affects every one of us on a daily basis and should be taken as seriously as the security of our property, of our neighborhoods, of our communities, of our Nation, and in the worst case, as seriously as the security of our lives * * * the intention of the bill is to raise up computer security as a priority consideration for Federal agencies and individual Federal employees who have responsibility.'' committee action The Committee considered a substitute amendment to S. 1993 offered by Chairman Thompson, on behalf of himself and Senator Lieberman, at a business meeting on March 23, 2000. The Thompson/Lieberman substitute included changes made based on comments received from the witnesses at the hearing held on March 2, 2000, and working with the Office of Management and Budget, the agency Inspectors General, the Department of Defense and others in the intelligence community, and industry. The substitute amendment requires that the same management framework be applied to all systems including national security systems. However, in order to ensure that national security concerns were adequately addressed and that the appropriate individuals have oversight over national security information, the substitute amendment vests responsibility for approving the security plan for these systems in the Secretary of Defense and the Director of Central Intelligence, rather than the Director of OMB. Additionally, for these systems, the Secretary of Defense or the Director of Central Intelligence shall designate who conducts the evaluation of these systems, with the IG conducting an audit of the evaluation. Finally, the amendment also allows defense and intelligence agencies to develop their own procedures for detecting, reporting and responding to security incidents. And, it gives the Director of the Office of Management and Budget and agency heads the discretion to apply more stringent policies and procedures where appropriate for systems critical to the missions of Federal agencies. In addition, the amendment includes language which the Committee intends to lay the foundation for the education and training of a Federal Cyber Service. As envisioned under the President's National Plan for Information Systems Protection, the Committee intends that the program will, at a minimum, provide for a ROTC-like scholarships-for-service program to get educated information security professionals straight from their university training into government service. Finally, by unanimous consent, the Committee added language on behalf of Senator Akaka to require agencies to identify specific actions necessary to implement the security program and include this as part of the agency's Government Performance and Results Act performance plan. These actions include budget, staffing and training requirements and could include specific funding necessary to perform the independent evaluation. The Committee passed the Thompson/Lieberman substitute amendment by voice vote and voted to report it to the full Senate. Senators present were: Thompson, Collins, Stevens, Domenici, Cochran, Voinovich, Lieberman, Akaka, and Cleland. IV. Section-by-Section Section 1. Short Title This section states the short title of the bill. Section 2. Coordination of Federal Information Policy This section would add a new subchapter II to chapter 35 of title 44, United States Code, which currently contains the information resources management requirements of the Paperwork Reduction Act. The new subchapter II, entitled ``Information Security,'' would establish comprehensive and coordinated information security requirements for Federal agencies to be implemented under the guidance of the Office of Management and Budget (OMB), the Secretary of Defense and the Director of Central Intelligence. It also would coordinate information security provisions under the new subchapter II with other information resources management requirements in title 44 and other laws. The new subchapter II would add sections 3531 through 3535 to title 44, as follows: Section 3531. Purposes This section would establish as the purposes of subchapter II: (1) providing a comprehensive framework for managing the security of information resources that support Federal operations and assets; (2) assuring that implementation of improved security management measures does not adversely affect opportunities for interoperability in the Federal computing environment, and providing effective governmentwide management and oversight of information security risks and coordination of information security efforts; (3) establishing minimum controls to protect Federal information and information systems; and (4) improving oversight of Federal agency information security programs. Section 3532. Definitions (a) This section would apply to subchapter II the definitions now contained in the Paperwork Reduction Act, except that-- (b)(1) the term ``information technology'' would be defined by section 5002 of the Clinger-Cohen Act (40 U.S.C. 1401); and (2) the term ``mission critical system'' would be defined as (A) a national security system pursuant to section 5142 of the Clinger-Cohen Act; (B) a system that is protected as secret at all times by procedures established by an Executive Order or an Act of Congress in the interest of national defense or foreign policy; or (C) a system which processes information, the loss, misuse, disclosure, unauthorized access to or modification of which would have a debilitating impact on an agency's mission. Section 3533. Authority and functions of the Director This section would prescribe the authority and functions of the Director of OMB with respect to information security. Subsection 3533(a) would require the Director to establish governmentwide policies for the management of programs that support the cost-effective security of government information systems by promoting security as an integral part of agency business operations, including information technology architectures. The policies would require a continuing cycle of risk management to include risk assessments, implementation of controls to address risks, promotion of continuing awareness of risks, and continual monitoring and evaluation of information security policies and practices. Subsection 3533(b) would include within the Director's authority under subsection (a)-- (1) overseeing and developing policies to implement agency responsibilities under applicable law to ensure the privacy, confidentiality, and security of Federal information; (2) requiring agencies to develop information security protections that are commensurate with the risk and magnitude of harm resulting from unauthorized disclosure, disruption, modification, or destruction of information and consistent with specified provisions of law; (3) directing agency heads to (A) identify, use, and share best security practices; (B) develop an agency- wide information security plan; (C) incorporate information security principles and practices throughout the agency's information systems' life cycles; and (D) ensure that the agency's information security plan is practiced throughout all agency information systems' life cycles; (4) overseeing the development and implementation of standards relating to Federal computer system security controls by the Commerce Department's National Institute of Standards and Technology (NIST); (5) overseeing and coordinating compliance with this section in a manner consistent with the Freedom of Information Act, the Privacy Act, and other information management laws; and (6) taking any authorized action under 40 U.S.C. section 1413(b)(5) which the Director considers appropriate, including budget or appropriations-related actions, to enforce the accountability of agency heads for information resources management, including the requirements of this subchapter and information technology investments. Subsection 3533(c) would limit delegation of the Director's authority under this section to the Director of Central Intelligence and the Secretary of Defense for systems identified under (A) and (B) of section 3532(b)(2) and to the OMB Deputy Director for Management for all other systems. Section 3534. Federal agency responsibilities Subsection (a)(1) of this section would assign agency heads responsibility for: (A) ensuring the integrity, confidentiality, authenticity, availability, and non- repudiation of the information in their systems; (B) adopting information security policies, procedures, and control techniques commensurate with the risk and magnitude of harm resulting from unauthorized disclosure, disruption, modification, or destruction of information; and (C) ensuring that the agency's information security plan is practiced throughout each system's life cycle. Subsection (a)(2) would ensure that the appropriate senior agency officials are responsible for: (A) assessing information security risks associated with the operations and assets for programs and systems over which such officials have control; (B) determining appropriate levels of information security for the operations and assets; and (C) periodically testing and evaluating information security controls and techniques. Subsection (a)(3) would require agency heads to delegate administration of all functions under subchapter II to the agency's Chief Information Officer (CIO), or a comparable official if the agency does not have a CIO. These functions include (A) designating a senior agency information security official who would report back to the CIO or comparable official; (B) developing and maintaining an agencywide information security program; (C) ensuring that the agency effectively implements and maintains information security policies, procedures and control techniques; (D) training and overseeing personnel with information security responsibilities; and (E) assisting senior agency officials with their responsibilities under paragraph (2). Subsection (a)(4) would require agency heads to ensure that the agency has sufficiently trained personnel to assist in complying with subchapter II and related administrative requirements. Subsection (a)(5) would require agency heads to ensure that the CIO, in coordination with senior agency officials, periodically evaluates the effectiveness of the agency's information security program, including testing control techniques; implements appropriate remedial actions based on those evaluations; and reports to the agency head on the results of tests and evaluations and the progress of remedial actions. Subsection 3534(b) would require each agency to develop and implement an agencywide information security program. The program would include: (A) periodic risk assessments; (B) policies and procedures that cost-effectively reduce risks to an acceptable level and ensure compliance with subchapter II and related requirements; (C) security awareness training; (D) periodic management testing and evaluation of the effectiveness of security policies and procedures and a process for remedying significant deficiencies; and (E) procedures for detecting, reporting, and responding to security incidents for all systems including a separate process for systems identified under (A) and (B) of section 3532(b)(2). Each information security program would be subject to the approval of the OMB Director, or the Secretary of Defense or Director, Central Intelligence (in the case of systems identified under (A) and (B) of section 3532(b)(2)) and would be reviewed at least annually by agency program officials in consultation with the CIO. Subsection 3534(c) would require agencies to examine the adequacy and effectiveness of information security policies, procedures, and practices in their plans and reports relating to their annual budget, information resources management under the Paperwork Reduction Act, the Clinger-Cohen Act, the Government Performance and Results Act, and financial management laws. Any significant deficiency would be reported as a material weakness under the applicable reporting requirement. Section 3535. Annual independent evaluation This section would require each agency to obtain annually an independent evaluation of its information security program and practices.The evaluation would include an assessment of compliance with subchapter II and related requirements as well as tests of the effectiveness of information security control techniques. The evaluator conducting the evaluation may use the results of other audits or evaluations relating to agency programs or practices. The annual evaluation would be performed by the agency Inspector General or by an independent evaluator determined by the Inspector General. An agency that does not have an Inspector General would contract with an independent evaluator for the annual evaluation. A General Accounting Office (GAO) evaluation may be used in lieu of the evaluation under this section. In the case of systems described in paragraphs (A) and (B) of section 3532(b)(2), the evaluation required under the section, shall be performed only by an entity designated by the Secretary of Defense or the Director of Central Intelligence, as appropriate and, an audit of the evaluation shall be performed by the Inspector General. The results of the annual evaluation or audit (in the case of systems identified under (A) or (B) of section 3532(b)(2)) would be submitted to OMB within one year of enactment of this Act and on that date every year thereafter. The GAO would annually review the evaluations required under this section or an audit of the evaluation in the case of systems described in paragraphs (A) and (B) of section 3532(b)(2) and other information security evaluation results, and report to Congress on the adequacy of agency information programs and practices. Consistent with applicable law and commensurate with risk, agencies and evaluators would protect information from disclosure if such disclosure would adversely affect information security. section 3. responsibilities of certain agencies This section would assign responsibilities to specified Federal agencies as follows: Department of Commerce Subsection (a) provides that the National Institute of Standards and Technology, with requested or required technical assistance from the National Security Agency shall (except as provided in subsection (b))-- (1) establish standards and guidance for the security of information in Federal computer systems, including methods and techniques for security systems and validation programs; (2) establish guidelines for training in computer security awareness and practices, with assistance from the Office of Personnel Management (OPM); (3) provide guidance to agencies on security planning; (4) provide guidance and assistance to agencies on cost-effective controls when interconnecting with other systems; and (5) evaluate information technologies to assess and alert agencies to security vulnerabilities as soon as possible. Department of Defense and the Intelligence Community Subsection (b) provides that the Secretary of Defense and the Director of Central Intelligence shall (notwithstanding section 2 of this Act), consistent with their respective authorities-- (1) develop and issue information security policies, standards and guidelines for systems described in paragraphs (A) and (B) of subsection 3532(b)(2) that provide more stringent protection than policies, principles, standards, and guidelines required under section 2 of this Act, as amended; and (2) ensure the implementation of information security policies, principles, standards, and guidelines as prescribed by subsection (1). Department of Justice Subsection (c) would require the Justice Department to review and update guidance to agencies on: (1) legal remedies regarding security incidents and ways to work with law enforcement agencies concerning such incidents; and (2) lawful uses of security techniques and technologies. General Services Administration Subsection (d) would require the General Services Administration to: (1) assist agencies in fulfilling their responsibilities under section 3534(b)(2)(E) and in acquiring cost-effective security products, services, and incident response capabilities. Office of Personnel Management Subsection (e) would require the Office of Personnel Management to: (1) review and update its regulations on computer security training and (2) assist the Commerce Department in updating and maintaining guidelines for training in computer security awareness and best practices and (3) work with the National Science Foundation in providing agencies with the appropriate personnel and training initiatives, including scholarships and fellowships to ensure that the Federal government has adequate sources of information security training and education and qualified personnel. Subsection (f) would require that, notwithstanding any provision in this Act, the Secretary of Defense and the Director of Central Intelligence shall develop policies, principles, procedures and guidelines for mission critical systems subject to their control, and these policies may be adopted by the Director of OMB, or by an agency head, as appropriate, to the mission critical systems of all agencies or of that agency if consistent with other OMB and Commerce Department guidance. Further, agencies may use the more stringent policies, principles, procedures and guidelines for any information system if consistent with other OMB and Commerce Department guidance. Section 4. Technical and Conforming Amendments This section would make technical and conforming changes to chapter 35 of title 44, United States Code. Section 5. Effective Date This section would provide for the bill to become effective 30 days after the date of its enactment into law. V. Regulatory Impact Statement Paragraph 11(b)(1) of the Standing Rules of the Senate requires that each report accompanying a bill evaluate ``the regulatory impact which would be incurred in carrying out this bill.'' The enactment of this legislation will not have significant regulatory impact. S. 1993 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would have no impact on state, local or tribal governments. VI. CBO Cost Estimate U.S. Congress, Congressional Budget Office, Washington, DC, March 29, 2000. Hon. Fred Thompson, Chairman, Committee on Governmental Affairs, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 1993, the Government Information Security Act. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is John R. Righter. Sincerely, Barry B. Anderson (For Dan L. Crippen, Director). Enclosure. S. 1993--Government Information Security Act S. 1993 would require federal agencies to perform certain tasks to improve the security of their computer systems. Subject to the availability of appropriated funds, CBO estimates that implementing S. 1993 would cost federal agencies between $10 million and $15 million annually to audit their security programs and practices. While this work should both increase the cost-effectiveness of federal security systems and reduce the likelihood of costly service disruptions, CBO has no basis for estimating the amount of potential savings from such improvements. The bill would not affect direct spending or receipts, so pay-as-you-go procedures would not apply. S. 1993 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments. S. 1993 would require federal agencies to develop a risk- based program for ensuring the security of their information systems, including designating a senior official to oversee the program, periodically assessing and testing their systems, and providing training to personnel. In addition, the bill would require that either an inspector general or independent evaluator annually audit an agency's security programs and practices. S. 1993 also would specify the responsibilities of particular agencies in securing the government's information systems, including the National Institute of Standards and Technology, the Department of Justice, and the General Services Administration. Finally, the bill would require the Office of Management and Budget (OMB) to establish policies for implementing its provisions. Most of S. 1993 would codify and centralize current practice, including directions provided in the Government Security Act, OMB Circular No. A-130 (Management of Federal Information Resources), and Presidential Decision Directive 63, concerning the protection of critical infrastructure. While some agencies already evaluate portions of their information systems through the financial audits required by the Chief Financial Officers (CFO) Act and the security reviews required by OMB Circular No. A-130, the bill would call for agencies to audit their systems more extensively and regularly. Based on information from the General Accounting Office, which has reviewed the security practices of federal agencies, and OMB, CBO estimates that requiring the annual audits would increase agency costs by between $10 million and $15 million annually, subject to the availability of appropriated funds. That estimate assumes that the 25 largest federal departments and agencies those with appointed CFOs) would regularly test the general and management controls of critical, nonfinancial operations. We estimate that the evaluation of between 55 and 75 computer systems operated by these agencies would cost around $150,000 each, or a total of around $10 million annually. Although much uncertainty exists as to the number and complexity of computer operations that smaller agencies would need to evaluate, as well as the extent that such evaluations already take place, CBO expects that applying the audit requirement to them would increase the provision's cost by as much as 50 percent. In addition, the audits should both improve the cost- effectiveness of federal security systems and decrease the likelihood of costly service disruptions. CBO, however, cannot estimate the amount of potential savings from such improvements. The CBO staff contact is John R. Righter. This estimate was approved by Peter H. Fontaine, Deputy Assistant Director for Budget Analysis. VII. Changes to Existing Law In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by the bill, as reported, are shown as follows, (existing law proposed to be omitted is enclosed in black brackets, new material is printed in italic, existing law in which no change is proposed is shown in roman). UNITED STATES CODE TITLE 44--PUBLIC PRINTING AND DOCUMENTS * * * * * * * CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY Subchapter I_Federal Information Policy Sec. 3501. Purposes. 3502. Definitions. 3503. Office of Information and Regulatory Affairs. 3504. Authority and functions of Director. 3505. Assignment of tasks and deadlines. 3506. Federal agency responsibilities. 3507. Public information collection activities; submission to Director; approval and delegation. 3508. Determination of necessity for information; hearing. 3509. Designation of central collection agency. 3510. Cooperation of agencies in making information available. 3511. Establishment and operation of Government Information Locator Service. 3512. Public protection. 3513. Director review of agency activities; reporting; agency response. 3514. Responsiveness to Congress. 3515. Administrative powers. 3516. Rules and regulations. 3517. Consultation with other agencies and the public. 3518. Effect on existing laws and regulations. 3519. Access to information. 3520. Authorization of appropriations. Subchapter II--Information Security 3531. Purposes. 3532. Definitions. 3533. Authority and functions of the Director. 3534. Federal agency responsibilities. 3535. Annual independent evaluation. Subchapter I_Federal Information Policy Sec. 3501. Purposes The purposes of this [chapter] subchapter are to-- * * * * * * * (11) improve the responsibility and accountability of the Office of Management and Budget and all other Federal agencies to Congress and to the public for implementing the information collection review process, information resources management, and related policies and guidelines established under this [chapter] subchapter. Sec. 3502. Definitions As used in this [chapter] subchapter- * * * * * * * Sec. 3503. Office of Information and Regulatory Affairs * * * * * * * (b) There shall be at the head of the Office an Administrator who shall be appointed by the President, by and with the advice and consent of the Senate. The Director shall delegate to the Administrator the authority to administer all functions under this [chapter] subchapter, except that any such delegation shall not relieve the Director of responsibility for the administration of such functions. The Administrator shall serve as principal adviser to the Director on Federal information resources management policy. Sec. 3504. Authority and functions of Director (a)(1) The Director shall oversee the use of information resources to improve the efficiency and effectiveness of governmental operations to serve agency missions, including burden reduction and service delivery to the public. In performing such oversight, the Director shall-- (A) develop, coordinate and oversee the implementation of Federal information resources management policies, principles, standards, and guidelines; and (B) provide direction and oversee-- (i) the review and approval of the collection of information and the reduction of the information collection burden; (ii) agency dissemination of and public access to information; (iii) statistical activities; (iv) records management activities; (v) privacy, confidentiality, security, disclosure, and sharing of information; and (vi) the acquisition and use of information technology. (2) The authority of the Director under this [chapter] subchapter shall be exercised consistent with applicable law. * * * * * * * (d) With respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to-- (1) apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated; and (2) promote public access to public information and fulfill the purposes of this [chapter] subchapter, including through the effective use of information technology. * * * * * * * (f) With respect to records management, the Director shall-- (1) provide advice and assistance to the Archivist of the United States and the Administrator of General Services to promote coordination in the administration of chapters 29, 31, and 33 of this title with the information resources management policies, principles, standards, and guidelines established under this [chapter] subchapter; * * * * * * * Sec. 3505. Assignment of tasks and deadlines (a) In carrying out the functions under this [chapter] subchapter, the Director shall-- (1) in consultation with agency heads, set an annual Governmentwide goal for the reduction of information collection burdens by at least 10 percent during each of fiscal years 1996 and 1997 and 5 percent during each of fiscal years 1998, 1999, 2000, and 2001, and set annual agency goals to-- (A) reduce information collection burdens imposed on the public that-- (i) represent the maximum practicable opportunity in each agency; and (ii) are consistent with improving agency management of the process for the review of collections of information established under section 3506(c); and (B) improve information resources management in ways that increase the productivity, efficiency and effectiveness of Federal programs, including service delivery to the public; (2) with selected agencies and non-Federal entities on a voluntary basis, conduct pilot projects to test alternative policies, practices, regulations, and procedures to fulfill the purposes of this [chapter] subchapter, particularly with regard to minimizing the Federal information collection burden; and * * * * * * * Sec. 3506. Federal agency responsibilities (a)(1) The head of each agency shall be responsible for-- (A) carrying out the agency's information resources management activities to improve agency productivity, efficiency, and effectiveness; and (B) complying with the requirements of this [chapter] subchapter and related policies established by the Director. (2)(A) Except as provided under subparagraph (B), the head of each agency shall designate a senior official who shall report directly to such agency head to carry out the responsibilities of the agency under this [chapter] subchapter. (B) The Secretary of the Department of Defense and the Secretary of each military department may each designate senior officials who shall report directly to such Secretary to carry out the responsibilities of the department under this [chapter] subchapter. If more than one official is designated, the respective duties of the officials shall be clearly delineated. (3) The senior official designated under paragraph (2) shall head an office responsible for ensuring agency compliance with and prompt, efficient, and effective implementation of the information policies and information resources management responsibilities established under this [chapter] subchapter, including the reduction of information collection burdens on the public. The senior official and employees of such office shall be selected with special attention to the professional qualifications required to administer the functions described under this [chapter] subchapter. * * * * * * * (4) in consultation with the Director, the Administrator of General Services, and the Archivist of the United States, maintain a current and complete inventory of the agency's information resources, including directories necessary to fulfill the requirements of section 3511 of this [chapter] subchapter; and (5) in consultation with the Director and the Director of the Office of Personnel Management, conduct formal training programs to educate agency program and management officials about information resources management. (c) With respect to the collection of information and the control of paperwork, each agency shall-- (1) establish a process within the office headed by the official designated under subsection (a), that is sufficiently independent of program responsibility to evaluate fairly whether proposed collections of information should be approved under this [chapter] subchapter, to-- (A) review each collection of information before submission to the Director for review under this [chapter] subchapter, including-- * * * * * * * Sec. 3507. Public information collection activities; submission to Director; approval and delegation * * * * * * * (e)(1) Any decision by the Director under subsection (c), (d), (h), or (j) to disapprove a collection of information, or to instruct the agency to make substantive or material change to a collection of information, shall be publicly available and include an explanation of the reasons for such decision. (2) Any written communication between the Administrator of the Office of Information and Regulatory Affairs, or any employee of the Office of Information and Regulatory Affairs, and an agency or person not employed by the Federal Government concerning a proposed collection of information shall be made available to the public. (3) This subsection shall not require the disclosure of-- (A) any information which is protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy; or (B) any communication relating to a collection of information which is not approved under this [chapter] subchapter, the disclosure of which could lead to retaliation or discrimination against the communicator. * * * * * * * (h)(1) If an agency decides to seek extension of the Directors approval granted for a currently approved collection of information, the agency shall-- (A) conduct the review established under section 3506(c), including the seeking of comment from the public on the continued need for, and burden imposed by the collection of information; and (B) after having made a reasonable effort to seek public comment, but no later than 60 days before the expiration date of the control number assigned by the Director for the currently approved collection of information, submit the collection of information for review and approval under this section, which shall include an explanation of how the agency has used the information that it has collected. (2) If under the provisions of this section, the Director disapproves a collection of information contained in an existing rule, or recommends or instructs the agency to make a substantive or material change to a collection of information contained in an existing rule, the Director shall-- (A) publish an explanation thereof in the Federal Register; and (B) instruct the agency to undertake a rulemaking within a reasonable time limited to consideration of changes to the collection of information contained in the rule and thereafter to submit the collection of information for approval or disapproval under this [chapter] subchapter. (3) An agency may not make a substantive or material modification of a collection of information after such collection has been approved by the Director, unless the modification has been submitted to the Director for review and approval under this [chapter] subchapter. * * * * * * * (j)(1) The agency head may request the Director to authorize a collection of information, if an agency head determines that-- (A) a collection of information-- (i) is needed prior to the expiration of time periods established under this [chapter] subchapter; and (ii) is essential to the mission of the agency; and (B) the agency cannot reasonably comply with the provisions of this [chapter] subchapter because-- (i) public harm is reasonably likely to result if normal clearance procedures are followed; (ii) an unanticipated event has occurred; or (iii) the use of normal clearance procedures is reasonably likely to prevent or disrupt the collection of information or is reasonably likely to cause a statutory or court ordered deadline to be missed. (2) The Director shall approve or disapprove any such authorization request within the time requested by the agency head and, if approved, shall assign the collection of information a control number. Any collection of information conducted under this subsection may be conducted without compliance with the provisions of this [chapter] subchapter for a maximum of 90 days after the date on which the Director received the request to authorize such collection. * * * * * * * Sec. 3509. Designation of central collection agency The Director may designate a central collection agency to obtain information for two or more agencies if the Director determines that the needs of such agencies for information will be adequately served by a single collection agency, and such sharing of data is not inconsistent with applicable law. In such cases the Director shall prescribe (with reference to the collection of information) the duties and functions of the collection agency so designated and of the agencies for which it is to act as agent (including reimbursement for costs). While the designation is in effect, an agency covered by the designation may not obtain for itself information for the agency which is the duty of the collection agency to obtain. The Director may modify the designation from time to time as circumstances require. The authority to designate under this section is subject to the provisions of section 3507(f) of this [chapter] subchapter. * * * * * * * Sec. 3512. Public protection (a) Notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information that is subject to this [chapter] subchapter if-- (1) the collection of information does not display a valid control number assigned by the Director in accordance with this [chapter] subchapter; * * * * * * * Sec. 3514. Responsiveness to Congress (a)(1) The Director shall-- (A) keep the Congress and congressional committees fully and currently informed of the major activities under this [chapter] subchapter; and (B) submit a report on such activities to the President of the Senate and the Speaker of the House of Representatives annually and at such other times as the Director determines necessary. (2) The Director shall include in any such report a description of the extent to which agencies have-- (A) reduced information collection burdens on the public, including-- (i) a summary of accomplishments and planned initiatives to reduce collection of information burdens; (ii) a list of all violations of this [chapter] subchapter and of any rules, guidelines, policies, and procedures issued pursuant to this [chapter] subchapter; * * * * * * * Sec. 3515. Administrative powers Upon the request of the Director, each agency (other than an independent regulatory agency) shall, to the extent practicable, make its services, personnel, and facilities available to the Director for the performance of functions under this [chapter] subsection. Sec. 3516. Rules and regulations The Director shall promulgate rules, regulations, or procedures necessary to exercise the authority provided by this [chapter] subchapter. Sec. 3517. Consultation with other agencies and the public (a) In developing information resources management policies, plans, rules, regulations, procedures, and guidelines and in reviewing collections of information, the Director shall provide interested agencies and persons early and meaningful opportunity to comment. (b) Any person may request the Director to review any collection of information conducted by or for an agency to determine, if, under this [chapter] subchapter, a person shall maintain, provide, or disclose the information to or for the agency. Unless the request is frivolous, the Director shall, in coordination with the agency responsible for the collection of information-- (1) respond to the request within 60 days after receiving the request, unless such period is extended by the Director to a specified date and the person making the request is given notice of such extension; and (2) take appropriate remedial action, if necessary. Sec. 3518. Effect on existing laws and regulations (a) Except as otherwise provided in this [chapter] subchapter, the authority of an agency under any other law to prescribe policies, rules, regulations, and procedures for Federal information resources management activities is subject to the authority of the Director under this [chapter] subchapter. (b) Nothing in this [chapter] subchapter shall be deemed to affect or reduce the authority of the Secretary of Commerce or the Director of the Office of Management and Budget pursuant to Reorganization Plan No. 1 of 1977 (as amended) and Executive order, relating to telecommunications and information policy, procurement and management of telecommunications and information systems, spectrum use, and related matters. (c)(1) Except as provided in paragraph (2), this [chapter] subchapter shall not apply to the collection of information-- (A) during the conduct of a Federal criminal investigation or prosecution, or during the disposition of a particular criminal matter; (B) during the conduct of-- (i) a civil action to which the United States or any official or agency thereof is a party; or (ii) an administrative action or investigation involving an agency against specific individuals or entities; (C) by compulsory process pursuant to the Antitrust Civil Process Act and section 13 of the Federal Trade Commission Improvements Act of 1980; or (D) during the conduct of intelligence activities as defined in section 3.4(e) of Executive Order No. 12333, issued December 4, 1981, or successor orders, or during the conduct of cryptologic activities that are communications security activities. (2) This [chapter] subchapter applies to the collection of information during the conduct of general investigations (other than information collected in an antitrust investigation to the extent provided in subparagraph (C) of paragraph (1)) undertaken with reference to a category of individuals or entities such as a class of licensees or an entire industry. (d) Nothing in this [chapter] subchapter shall be interpreted as increasing or decreasing the authority conferred by Public Law 89-306 on the Administrator of the General Services Administration, the Secretary of Commerce, or the Director of the Office of Management and Budget. (e) Nothing in this [chapter] subchapter shall be interpreted as increasing or decreasing the authority of the President, the Office of Management and Budget or the Director thereof, under the laws of the United States, with respect to the substantive policies and programs of departments, agencies and offices, including the substantive authority of any Federal agency to enforce the civil rights laws. * * * * * * * Sec. 3520. Authorization of appropriations There are authorized to be appropriated to the Office of Information and Regulatory Affairs to carry out the provisions ofthis [chapter] subchapter, and for no other purpose, $8,000,000 for each of the fiscal years 1996, 1997, 1998, 1999, 2000, and 2001. Subchapter II--Information Security Sec. 3531. Purposes The purposes of this subchapter are to-- (1) provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets; (2)(A) recognize the highly networked nature of the Federal computing environment including the need for Federal Government interoperability and, in the implementation of improved security management measures, assure that opportunities for interoperability are not adversely affected; and (B) provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities; (3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; and (4) provide a mechanism for improved oversight of Federal agency information security programs. Sec. 3532. Definitions (a) Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter. (b) As used in this subchapter the term-- (1) ``information technology'' has the meaning given that term in section 5002 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401); and (2) ``mission critical system'' means any telecommunications or information system used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency, that-- (A) is defined as a national security system under section 5142 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1452); (B) is protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy; or (C) processes any information, the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency. Sec. 3533. Authority and functions of the Director (a)(1) The Director shall establish governmentwide policies for the management of programs that-- (A) support the cost-effective security of Federal information systems by promoting security as an integral component of each agency's business operations; and (B) include information technology architectures as defined under section 5125 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1425). (2) Policies under this subsection shall-- (A) be founded on a continuing risk management cycle that recognizes the need to-- (i) identify, assess, and understand risk; and (ii) determine security needs commensurate with the level of risk; (B) implement controls that adequately address the risk; (C) promote continuing awareness of information security risk; and (D) continually monitor and evaluate policy and control effectiveness of information security practices. (b) The authority under subsection (a) includes the authority to-- (1) oversee and develop policies, principles, standards, and guidelines for the handling of Federal information and information resources to improve the efficiency and effectiveness of governmental operations, including principles, policies, and guidelines for the implementation of agency responsibilities under applicable law for ensuring the privacy, confidentiality, and security of Federal information; (2) consistent with the standards and guidelines promulgated under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 1441 note; Public Law 100-235; 101 Stat. 1729), require Federal agencies to identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency; (3) direct the heads of agencies to (A) identify, use, and share best security practices; (B) develop an agency-wide information security plan; (C) incorporate information security principles and practices throughout the life cycles of the agency's information systems; and (D) ensure that the agency's information security plan is practiced throughout all life cycles of the agency's information systems; (4) oversee the development and implementation of standards and guidelines relating to security controls for Federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3); (5) oversee and coordinate compliance with this section in a manner consistent with-- (A) sections 552 and 552a of title 5; (B) sections 20 and 21 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3 and 278g-4); (C) section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441); (D) sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 1441 note; Public Law 100-235; 101 Stat. 1729); and (E) related information management laws; and (6) take any authorized action under section 5113(b)(5) of the Clinger-Cohen Act of 1996 (40 U.S.C. 1413(b)(5)) that the Director considers appropriate, including any action involving the budgetary process or appropriations management process, to enforce accountability of the head of an agency for information resources management, including the requirements of this subchapter, and for the investments made by the agency in information technology, including-- (A) recommending a reduction or an increase in any amount for information resources that the head of the agency proposes for the budget submitted to Congress under section 1105(a) of title 31; (B) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources; and (C) using other authorized administrative controls over appropriations to restrict the availability of funds for information resources. (c) The authorities of the Director under this section may be delegated-- (1) to the Secretary of Defense and the Director of Central Intelligence in the case of systems described under subparagraphs (A) and (B) of section 3532(b)(2); and (2) in the case of all other Federal information systems, only to the Deputy Director for Management of the Office of Management and Budget. Sec. 3534. Federal agency responsibilities (a) The head of each agency shall-- (1) be responsible for-- (A) adequately ensuring the integrity, confidentiality, authenticity, availability, and nonrepudiation of information and information systems supporting agency operations and assets; (B) developing and implementing information security policies, procedures, and control techniques sufficient to afford security protections commensurate with the risk and magnitude of the harm resulting from unauthorized disclosure, disruption, modification, or destruction of information collected or maintained by or for the agency; and (C) ensuring that the agency's information security plan is practiced throughout the life cycle of each agency system; (2) ensure that appropriate senior agency officials are responsible for-- (A) assessing the information security risks associated with the operations and assets for programs and systems over which such officials have control; (B) determining the levels of information security appropriate to protect such operations and assets; and (C) periodically testing and evaluating information security controls and techniques; (3) delegate to the agency Chief Information Officer established under section 3506, or a comparable official in an agency not covered by such section, the authority to administer all functions under this subchapter including-- (A) designating a senior agency information security official who shall report to the Chief Information Officer or a comparable official; (B) developing and maintaining an agencywide information security program as required under subsection (b); (C) ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques; (D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and (E) assisting senior agency officials concerning responsibilities under paragraph (2); (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and (5) ensure that the agency Chief Information Officer, in coordination with senior agency officials, periodically-- (A)(i) evaluates the effectiveness of the agency information security program, including testing control techniques; and (ii) implements appropriate remedial actions based on that evaluation; and (B) reports to the agency head on-- (i) the results of such tests and evaluations; and (ii) the progress of remedial actions. (b)(1) Each agency shall develop and implement an agencywide information security program to provide information security for the operations and assets of the agency, including operations and assets provided or managed by another agency. (2) Each program under this subsection shall include-- (A) periodic risk assessments that consider internal and external threats to-- (i) the integrity, confidentiality, and availability of systems; and (ii) data supporting critical operations and assets; (B) policies and procedures that-- (i) are based on the risk assessments required under subparagraph (A) that cost- effectively reduce information security risks to an acceptable level; and (ii) ensure compliance with-- (I) the requirements of this subchapter; (II) policies and procedures as may be prescribed by the Director; and (III) any other applicable requirements; (C) security awareness training to inform personnel of-- (i) information security risks associated with the activities of personnel; and (ii) responsibilities of personnel in complying with agency policies and procedures designed to reduce such risks; (D)(i) periodic management testing and evaluation of the effectiveness of information security policies and procedures; and (ii) a process for ensuring remedial action to address any significant deficiencies; and (E) procedures for detecting, reporting, and responding to security incidents, including-- (i) mitigating risks associated with such incidents before substantial damage occurs; (ii) notifying and consulting with law enforcement officials and other offices and authorities; (iii) notifying and consulting with an office designated by the Administrator of General Services within the General Services Administration; and (iv) notifying and consulting with an office designated by the Secretary of Defense and the Director of Central Intelligence for incidents involving systems described under subparagraphs (A) and (B) of section 3532(b)(2). (3) Each program under this subsection is subject to the approval of the Director and is required to be reviewed at least annually by agency program officials in consultation with the Chief Information Officer. In the case of systems described under subparagraphs (A) and (B) of section 3532(b)(2), the Director shall delegate approval authority under this paragraph to the Secretary of Defense and the Director of Central Intelligence. (c)(1) Each agency shall examine the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to-- (A) annual agency budgets; (B) information resources management under the Paperwork Reduction Act of 1995 (44 U.S.C. 101 note); (C) performance and results based management under the Clinger-Cohen Act of 1996 (40 U.S.C. 1401 et seq.); (D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 through 2805 of title 39; and (E) financial management under-- (i) chapter 9 of title 31, United States Code, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act); (ii) the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note) (and the amendments made by that Act); and (iii) the internal controls conducted under section 3512 of title 31. (2) Any significant deficiency in a policy, procedure, or practice identified under paragraph (1) shall be reported as a material weakness in reporting required under the applicable provision of law under paragraph (1). (d)(1) In addition to the requirements of subsection (c), each agency, in consultation with the Chief Information Officer, shall include as part of the performance plan required under section 1115 of title 31 a description of-- (A) the time periods; and (B) the resources, including budget, staffing, and training, which are necessary to implement the program required under subsection (b)(1). (2) The description under paragraph (1) shall be based on the risk assessment required under subsection (b)(2)(A). Sec. 3535. Annual independent evaluation (a)(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency. (2) Each evaluation under this section shall include-- (A) an assessment of compliance with-- (i) the requirements of this subchapter; and (ii) related information security policies, procedures, standards, and guidelines; and (B) tests of the effectiveness of information security control techniques. (3) The Inspector General or the independent evaluator performing an evaluation under this section including the Comptroller General may use any audit, evaluation, or report relating to programs or practices of the applicable agency. (b)(1)(A) Subject to subparagraph (B), for agencies with Inspectors General appointed under the Inspector General Act of 1978 (5 U.S.C. App.) or any other law, the annual evaluation required under this section or, in the case of systems described under subparagraphs (A) and (B) of section 3532(b)(2), an audit of the annual evaluation required under this section, shall be performed by the Inspector General or by an independent evaluator, as determined by the Inspector General of the agency. (B) For systems described under subparagraphs (A) and (B) of section 3532(b)(2), the evaluation required under this section shall be performed only by an entity designated by the Secretary of Defense of the Director of Central Intelligence as appropriate. (2) For any agency to which paragraph (1) does not apply, the head of the agency shall contract with an independent evaluator to perform the evaluation. (3) An evaluation of agency information security programs and practices performed by the Comptroller General may be in lieu of the evaluation required under this section. (c) Not later than 1 year after the date of enactment of this subchapter, and on that date every year thereafter, the applicable agency head shall submit to the Director-- (1) the results of each evaluation required under this section, other than an evaluation of a system described under subparagraph (A) or (B) of section 3532(b)(2); and (2) the results of each audit of an evaluation required under this section of a system described under subparagraph (A) or (B) of section 3532(b)(2). (d) Each year the Comptroller General shall-- (1) review the evaluations required under this section and other information security evaluation results; and (2) report to Congress regarding the adequacy of agency information programs and practices. (e) Agencies and evaluators shall take appropriate actions to ensure the protection of information, the disclosure of which may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws.