H.R. 1163: Federal Information Security Amendments Act of 2013

Introduced:
Mar 14, 2013 (113th Congress, 2013–2015)
Sponsor:
Rep. Darrell Issa [R-CA49]
Status:
Passed House

The bill’s title was written by the bill’s sponsor. H.R. stands for House of Representatives bill.

GovTrack’s Bill Summary

We don’t have a summary available yet.

Library of Congress Summary

The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress.


3/14/2013--Introduced.
Federal Information Security Amendments Act of 2013 - Amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.
Extends the security requirements of federal agencies to include responsibilities for:
(1) complying with computer standards developed by the National Institute of Standards and Technology (NIST);
(2) ensuring complementary and uniform standards for information systems and national security systems;
(3) ensuring that information security management processes are integrated with budget processes;
(4) securing facilities for classified information;
(5) maintaining sufficient personnel with security clearances; and
(6) ensuring that information security performance indicators are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees.
Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to:
(1) test and evaluate information security controls and techniques, and
(2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities.
(Current law requires only periodic testing and evaluation.) Directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency.
Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General. Directs agencies to conduct vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems.
Requires each agency to delegate to its Chief Information Officer the authority and primary responsibility for developing, implementing, and overseeing an agencywide information security (AIS) program.
Directs agencies to implement an OMB-approved AIS program that is consistent with components across and within agencies.
Requires that such program include automated and continuous monitoring, when possible, to:
(1) mitigate risks associated with security incidents before substantial damage is done; and
(2) notify and consult with the incident center, appropriate security operations response centers, law enforcement agencies, Inspectors General, and other entities or as directed by the President.

House Republican Conference Summary

The summary below was written by the House Republican Conference, which is the caucus of Republicans in the House of Representatives.


This summary can be found at http://www.gop.gov/bill/113/1/hr1163.

Background

Cybersecurity threats have significant national security and economic consequences, and the risks are rapidly and continuously evolving.  According to the Government Accountability Office (GAO), federal agencies have experienced a “dramatic increase in reports of security incidents,” with the total number of reported cybersecurity incidents increasing by 782 percent from 2006 to 2012.[1]

The Federal Information Security Management Act of 2002 (FISMA), which became Title III of the E-Government Act of 2002, tasked each federal agency with implementing security controls over information that supports federal operations and assets.[2] In addition, FISMA gave the Director of the OMB authority for overseeing the agencies’ information security policies and practices.[3] Since FISMA was enacted, compliance has become more of a routine formality than a rigorous means of enhancing security. H.R. 1163 was introduced to update FISMA to account for the technological developments since its enactment, and to enhance “real-time” cybersecurity.

The House passed identical legislation (H.R. 4257) in the 112th Congress on April 26, 2012 by a voice vote, but the Senate did not take up the measure.

[1] U.S. Government Accountability Office, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, Feb. 2013, http://www.gao.gov/assets/660/652170.pdf.

[2] See PL 107-347.

[3] Id.

Summary

H.R. 1163 enhances the Federal Information Security Management Act of 2002 (FISMA) by improving the framework for securing federal information technology (IT) systems. The bill establishes stronger oversight of federal agency IT systems by focusing on “automated and continuous monitoring” of cybersecurity threats and by regular “threat assessments.” In addition, H.R. 1163 reaffirms the authority of the Director of the Office of Management and Budget (OMB) to oversee agency information and security policies and practices. By permitting some flexibility, though, H.R. 1163 continues to allow DHS, under the direction of OMB, to exercise responsibility within the executive branch for many of the operational aspects of FISMA. This is done while allowing the Executive Office of the President to be held firmly accountable for ensuring that individual agencies meet the new standards.

H.R. 1163 expands the security requirements of federal agencies, and directs senior agency officials—with a frequency sufficient to support risk-based security decisions—to 1) test and evaluate information security controls, and 2) conduct threat assessments by monitoring information systems and identifying potential vulnerabilities.  Current law requires only periodic testing and evaluation.

H.R. 1163 directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that go beyond the control of an agency.  The bill also requires that security incidents be reported, through an automated and continuous monitoring capability when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General.

The bill requires the head of each agency to designate a Chief Information Security Officer, who has the authority and primary responsibility to develop, implement and oversee an agency-wide information security program, to ensure and enforce compliance with the requirements imposed on the agency.  This designation is already made by some agencies, but H.R. 1163 would make it uniform across the federal government.

Cost

The CBO estimates that implementing H.R. 1163 would cost $620 million over the 2014-2018 period, assuming that the necessary amounts are made available from appropriated funds.  Enacting the bill would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.  For more information, see CBO’s cost estimate on H.R. 1163.

House Democratic Caucus Summary

The House Democratic Caucus does not provide summaries of bills.

So, yes, we display the House Republican Conference’s summaries when available even if we do not have a Democratic summary available. That’s because we feel it is better to give you as much information as possible, even if we cannot provide every viewpoint.

We’ll be looking for a source of summaries from the other side in the meanwhile.

The bill contains the following citations to other parts of U.S. law:

Slip Laws

Slip laws refer to enacted bills and joint resolutions in their original form as enacted by Congress, that is, before other laws amend them. Slip laws are cited as “Public Law XXX-YYY”, where XXX is the number of the Congress in which the bill or resolution was introduced.

United States Code

The United States Code is the compilation of permanent laws enacted by Congress. Temporary and other non-permanent laws do not appear in the United States Code. (About half of the United States Code is the law itself, called positive law. The other half is merely a compilation of the laws but has no legal significance.)

Other Citations

  • 44 U.S.C. Chapter 35