H.R. 6066 (114th): Cybersecurity Responsibility and Accountability Act of 2016

The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress, and was published on Sep 19, 2016.

Cybersecurity Responsibility and Accountability Act of 2016

This bill requires the National Institute of Standards and Technology (NIST) to incorporate additional cybersecurity requirements in its computer standards for agency information systems and provide the Office of Management and Budget (OMB) with a process for agencies to implement those standards.

NIST must also: (1) support development of information security training and certification for agency heads, (2) address agency-identified information security challenges and knowledge gaps, (3) assess information security statutory requirements, and (4) develop security standards for national security systems.

The OMB must require the heads of agencies (currently, agencies generally) to: (1) report on the adequacy of their information security procedures, (2) provide for independent evaluations of information security practices, and (3) notify Congress and affected individuals of data breaches. Intelligence community agencies affected by data breaches must notify NIST.

Chief information officers of agencies must collaborate with their agency head to designate chief information security officers (positions with job responsibilities to be developed by the OMB and NIST) to replace their current senior agency information security officers.

Agencies must develop mandatory annual information security training and certification to ensure that agency heads understand federal cybersecurity policy regarding: (1) agency systems, (2) cyber-attacks and data breaches, and (3) not using private email servers or messaging systems for official communications.

Agency heads must certify that their agencies meet information security standards and provide reasons for not meeting any standards.

Agency heads must also develop annual plans to implement information security recommendations of the Government Accountability Office (GAO) and inspectors general. If an agency head fails to implement such a recommendation, the reasons for the failure must be provided to the OMB for approval.

For each OMB-defined "major cybersecurity incident" (e.g., an incident involving classified information) that an agency experiences, the agency head must transmit an inspector general-performed independent evaluation to the OMB, the Department of Homeland Security, NIST, Congress, and the GAO. If the evaluation determines that the incident occurred because the agency head failed to comply sufficiently with NIST certification standards or recommendations of the GAO or agency inspectors general, then the OMB must hold the agency head accountable through an enforcement action, which may include actions under the budgetary or appropriations process, a recommendation for the President to remove or demote the agency head, or actions to ensure that the agency head does not receive cash or pay awards or bonuses for one year.