H. R. 3402
IN THE HOUSE OF REPRESENTATIVES
July 29, 2015
Mr. Ruppersberger introduced the following bill; which was referred to the Committee on Oversight and Government Reform
To strengthen the ability of the Secretary of Homeland Security to detect and prevent intrusions against, and to use countermeasures to protect, government agency information systems and for other purposes.
This Act may be cited as the "Federal Information Security Management Reform Act of 2015".
Duties of the Secretary of Homeland Security related to information security
Section 3553(b)(6) of title 44, United States Code, is amended by striking subparagraphs (B), (C), and (D) and inserting the following:
(B) operating consolidated intrusion detection, prevention, or other protective capabilities and use of associated countermeasures for the purpose of protecting agency information and information systems from information security threats;
(C) providing incident detection, analysis, mitigation, and response information and remote or onsite technical assistance to the head of an agency;
(D) compiling and analyzing data on agency information security;
(E) developing and conducting targeted risk assessments and operational evaluations for agency information and information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments;
(F) in conjunction with other agencies and the private sector, assessing and fostering the development of information security technologies and capabilities for use across multiple agencies; and
(G) coordinating with appropriate agencies and officials to ensure, to the maximum extent feasible, that policies and directives issued under paragraph (2) are complementary with—
(i) standards and guidelines developed for national security systems; and
(ii) policies and directives issued by the Secretary of Defense and the Director of National Intelligence under subsection (e)(1); and
Communications and system traffic and direction to agencies
Section 3553 of title 44, United States Code, is amended by adding at the end the following:
Communications and systems traffic
Acquisition by the Secretary
Notwithstanding any other provision of law and subject to subparagraph (B), in carrying out the responsibilities under subparagraphs (B), (C), and (E) of subsection (b)(6), if the Secretary makes a certification described in paragraph (2), the Secretary may acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on agency information systems and deploy countermeasures with regard to the communications and system traffic.
The authorities of the Secretary under this subsection shall not apply to a communication or other system traffic that is transiting to or from or stored on a system described in paragraph (2) or (3) of subsection (e).
Disclosure by Federal agency heads
The head of a Federal agency or department is authorized to disclose to the Secretary or a private entity providing assistance to the Secretary under paragraph (A), information traveling to or from or stored on an agency information system, notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary.
A certification described in this paragraph is a certification by the Secretary that—
the acquisitions, interceptions, and other countermeasures are reasonably necessary for the purpose of protecting agency information systems from information security threats;
the content of communications will be retained only if the communication is associated with a known or reasonably suspected information security threat, and communications and system traffic will not be subject to the operation of a countermeasure unless associated with the threats;
information obtained under activities authorized under this subsection will only be retained, used, or disclosed to protect agency information systems from information security threats, mitigate against such threats, or, with the approval of the Attorney General, for law enforcement purposes when the information is evidence of a crime which has been, is being, or is about to be committed;
notice has been provided to users of agency information systems concerning the potential for acquisition, interception, retention, use, and disclosure of communications and other system traffic; and
the activities are implemented pursuant to policies and procedures governing the acquisition, interception, retention, use, and disclosure of communications and other system traffic that have been reviewed and approved by the Attorney General.
The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic in accordance with this subsection.
No cause of action
No cause of action shall exist against a private entity for assistance provided to the Secretary in accordance with paragraph (3).
Direction to agencies
Notwithstanding section 3554, and subject to subparagraph (B), in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, the Secretary may issue a directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems owned or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.
The authorities of the Secretary under this subsection shall not apply to a system described in paragraph (2) or (3) of subsection (e).
Procedures for use of authority
The Secretary shall—
in coordination with the Director and in consultation with Federal contractors, as appropriate, establish procedures governing the circumstances under which a directive may be issued under this subsection, which shall include—
thresholds and other criteria;
privacy and civil liberties protections; and
providing notice to potentially affected third parties;
specify the reasons for the required action and the duration of the directive;
minimize the impact of a directive under this subsection by—
adopting the least intrusive means possible under the circumstances to secure the agency information systems; and
limiting directives to the shortest period practicable; and
notify the Director and the head of any affected agency immediately upon the issuance of a directive under this subsection.
If the Secretary determines that there is an imminent threat to agency information systems and a directive under this subsection is not reasonably likely to result in a timely response to the threat, the Secretary may authorize the use of protective capabilities under the control of the Secretary for communications or other system traffic transiting to or from or stored on an agency information system without prior consultation with the affected agency for the purpose of ensuring the security of the information or information system or other agency information systems.
Limitation on delegation
The authority under this paragraph may not be delegated to an official in a position lower than an Assistant Secretary of the Department of Homeland Security.
The Secretary shall immediately notify the Director and the head and chief information officer (or equivalent official) of each affected agency of—
any action taken under this subsection; and
the reasons for and duration and nature of the action.
Any action of the Secretary under this paragraph shall be consistent with applicable law.
The Secretary may direct or authorize lawful action or protective capability under this subsection only to—
protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or
require the remediation of or protect against identified information security risks with respect to—
information collected or maintained by or on behalf of an agency; or
that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
Report to Congress regarding Office of Management and Budget enforcement action
Section 3553 of title 44, United States Code, as amended by section 3, is further amended by adding at the end the following new subsection:
Annual report to Congress
Not later than February 1 of every year, the Director shall report to the appropriate congressional committee regarding the specific actions the Director has taken pursuant to subsection (a)(5), including any actions taken pursuant to section 11303(b)(5) of title 40.
Appropriate congressional committee
In this subsection, the term "appropriate congressional committee" means—
the Committee on Appropriations and the Committee on Homeland Security and Governmental Affairs of the Senate; and
the Committee on Appropriations and the Committee on Homeland Security of the House of Representatives.