I
114th CONGRESS
2d Session
H. R. 6066
IN THE HOUSE OF REPRESENTATIVES
September 19, 2016
Mr. Abraham (for himself and Mr. Smith of Texas) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
A BILL
To enforce Federal cybersecurity responsibility and accountability.
Short title
This Act may be cited as the "Cybersecurity Responsibility and Accountability Act of 2016".
Definitions
Section 3552 of title 44, United States Code, is amended—
by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively; and
by inserting after paragraph (5) the following new paragraph:
"The term 'major cybersecurity incident' has the meaning given the term 'major incident' in Office of Management and Budget Memorandum M–16–03, dated October 30, 2015, or any successor document.".
Authority and functions of the Director of NIST
Amendment
Section 3553 of title 44, United States Code, is amended—
by redesignating subsections (c) through (j) as subsections (d) through (k), respectively; and
by inserting after subsection (b) the following new subsection:
"Director of the National Institute of Standards and Technology
The Director of the National Institute of Standards and Technology shall further develop and update as necessary the standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) to fulfill the additional objectives and requirements of the Cybersecurity Responsibility and Accountability Act of 2016. Further, the Director of the National Institute of Standards and Technology shall—
provide to the Director of the Office of Management and Budget a framework and process for agency implementation of such standards and guidelines;
provide support to agency heads for the implementation of such standards and guidelines and their application to information security policies and principles, as well as with the development of information security training and certification for agency heads;
conduct cybersecurity research—
to identify and address prevalent information security challenges, concerns, and knowledge gaps identified by agencies, including those manifested in any of the reports, evaluations, assessments, and plans described in this subchapter that may undermine agencies' information security policies and practices;
to assess the sufficiency of the current statutory requirements of the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014, and their effectiveness in requiring agencies to implement standards and guidelines developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and authorized by the Cybersecurity Responsibility and Accountability Act of 2016 regarding information security policies and practices; and
that shall require the Director of the Office of Management and Budget, the Secretary of Homeland Security, and the heads of other Federal agencies to provide the Director of the National Institute of Standards and Technology any resources, including reports, evaluations, assessments, and plans, that may be required for such research; and
develop, publish, and update as necessary information security standards and guidelines for national security systems based on established standards and guidelines for information systems.".
Conforming amendments
Subchapter II of chapter 35 of title 44, United States Code, is amended—
in the item relating to section 3553 in the table of sections, by striking "and the Secretary" and inserting ", the Secretary, and the Director of the National Institute of Standards and Technology";
in the section heading for section 3553, by striking "and the Secretary" and inserting ", the Secretary, and the Director of the National Institute of Standards and Technology";
in section 3553(e), as so redesignated by subsection (a)(1) of this section, by striking "subsection (c)" and inserting "subsection (d)";
in section 3553(i)(1)(B), as so redesignated by subsection (a)(1) of this section—
by striking "subsection (d)" and inserting "subsection (e)"; and
by striking "subsection (e)" and inserting "subsection (f)";
in section 3554(a)(1)(B)(v), by striking "section 3553(h)" and inserting "section 3553(i)"; and
in section 3555(g)(1), by striking "section 3553(c)" and inserting "section 3553(d)".
Agency heads
Section 2(d) of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3553 note) is amended—
in paragraph (1)—
in subparagraph (A)—
in the matter before clause (i), by inserting "head" after "affected agency"; and
in clause (ii)(IV), by inserting "head" after "when the agency"; and
in subparagraph (B)—
by inserting "head of the" after "notice by the"; and
by striking "agency discovers" and inserting "agency head discovers";
in paragraph (3)(A)(ii), by striking "section 3553(c)" and inserting "section 3553(d)"; and
in paragraph (4), by inserting "the National Institute of Standards and Technology and" after "such notice to".
Federal agency head responsibilities
Section 3554 of title 44, United States Code, is amended—
in subsection (a)(3)(A)—
by striking "designating a senior agency information security officer" and inserting "collaborating with the agency head to designate a Chief Information Security Officer";
by redesignating clauses (i) through (iv) as clauses (ii) through (v), respectively;
by inserting before clause (ii), as so redesignated, the following new clause:
"have the job description and responsibilities that shall be provided in guidance issued by the Director, developed in consultation with the Director of the National Institute of Standards and Technology and the Secretary, within 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016;";
in clause (iv), as so redesignated, by striking "and" at the end;
in clause (v), as so redesignated, by inserting "and" after the semicolon at the end; and
by adding at the end the following new clause:
"be designated without increasing the number of full-time equivalent employee positions at the agency;";
in subsection (b)—
by redesignating paragraphs (5) through (8) as paragraphs (6) through (9), respectively; and
by inserting after paragraph (4) the following new paragraph:
"mandatory annual information security training and certification designed specifically for the agency head, developed and updated as necessary by the National Institute of Standards and Technology, the purpose of which shall be to ensure that the agency head has an understanding of Federal cybersecurity policy, including an understanding of—
the information and information systems that support the operations and assets of the agency, using nontechnical terms as much as possible;
the potential impact of common types of cyber-attacks and data breaches on the agency's operations and assets;
how cyber-attacks and data breaches occur;
steps the agency head and agency employees should take to protect their information and information systems, including not using private messaging system software or private e-mail servers for official communications; and
the annual reporting requirements required of the agency head under subsection (c), including the certifications required under subsection (c)(1)(A)(iv);";
in subsection (c)—
in paragraph (1)(A)—
by striking "Each agency" and inserting "The head of each agency";
by inserting "the Director of the National Institute of Standards and Technology," after "the Director, the Secretary,";
by inserting ", Space, and Technology" after "the Committee on Science";
by striking "and" at the end of clause (iii)(II);
by redesignating clause (iv) as clause (v); and
by inserting after clause (iii) the following new clause:
"specific written certification by the agency head that—
certifies that information security standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) are being met by the agency;
identifies the security controls in place at the agency and how they each meet the relevant information security standard;
may be based on or informed by the assessment described in section 3553(d)(4); and
for any information security standard that the agency does not meet, provides the reasons therefor and includes documentation of the Director's certification of the agency not meeting the standard; and"; and
in paragraph (2), by striking "Each agency" and inserting "The head of each agency";
in subsection (d), by striking "each agency" and inserting "the head of each agency";
by redesignating subsection (e) as subsection (f);
by inserting after subsection (d) the following new subsection:
"Plans for implementation of recommendations
Comptroller General recommendations
In general
In addition to the requirements of subsections (c) and (d), each agency head shall, not later than 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016, develop a plan, in consultation with the Comptroller General, to implement all of the Comptroller General's recommendations regarding information security controls relevant to that agency.
Plan
The plan required under subparagraph (A)—
shall be submitted to the agencies and committees described in subsection (c)(1)(A);
shall include a schedule for implementation of the Comptroller General's recommendations, including a completion deadline;
shall be updated annually, and such annual updates shall be included in the annual report described in subsection (c)(1)(A); and
may, as appropriate, be based on or informed by recommendations included in the evaluation and report described in section 3555(h).
If no recommendations
If the Comptroller General does not have any relevant recommendations for an agency head to implement relative to information security controls, then the agency head shall accordingly notify the agencies and committees described in subsection (c)(1)(A).
Reasons for failure to implement
If there are any Comptroller General recommendations that an agency head does not implement, the agency head shall provide the reasons for that failure to the Director for the Director's approval. For each unimplemented recommendation, the plan shall include either the Director's approval or a certification by the Director of the agency head's failure to implement such recommendation.
Inspector General recommendations
In general
In addition to the requirements of subsections (c) and (d), each agency head shall, not later than 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016, develop a plan, in consultation with its Inspector General, to implement all of the Inspector General's recommendations regarding the agency's information security program.
Plan
The plan required under subparagraph (A)—
shall be submitted to the agencies and committees described in subsection (c)(1)(A);
shall include a schedule for implementation of the Inspector General's recommendations, including a completion deadline;
shall be updated annually, and such annual updates shall be included in the annual report described in subsection (c)(1)(A); and
may, as appropriate, be based on or informed by recommendations included in—
the evaluation described in section 3555(b)(1); or
if the agency does not have an Inspector General, the evaluation described in section 3555(b)(2).
If no recommendations
If the Inspector General does not have any relevant information security control recommendations for the agency head to implement, then the agency head shall accordingly notify the agencies and committees described in subsection (c)(1)(A).
Reasons for failure to implement
If there are any Inspector General recommendations that the agency head does not implement, the agency head shall provide the reasons for that failure to the Director for the Director's approval. For each unimplemented recommendation, the plan shall include either the Director's approval or a certification by the Director of the agency head's failure to implement such recommendation."; and
in subsection (f), as so redesignated, by striking "Each agency" and inserting "The head of each agency".
Annual independent evaluation
Section 3555 of title 44, United States Code, is amended—
in subsection (a)(1), by inserting "head" after "each agency";
in subsection (b)(1), by inserting "and evaluations required by section 3555a" after "required by this section";
in subsection (c), by striking "that portion of the evaluation required by this section" and inserting "the portions of evaluations required by this section or section 3555a";
in subsection (e)(2), by inserting "or section 3555a" after "required under this section";
in subsection (f), by striking "Agencies" and inserting "In carrying out this section and section 3555a, agencies";
in subsection (g)(3), by inserting "under this section or section 3555a" after "Evaluations";
in subsection (i)—
by striking "the head of an agency" and inserting "an agency head";
by striking "head of an agency" and inserting "agency head"; and
by inserting "or section 3555a" after "under this section"; and
in subsection (j), by inserting "the Director of the National Institute of Standards and Technology," after "with the Secretary,".
Major cybersecurity incident independent evaluations
Amendment
Subchapter II of chapter 35 of title 44, United States Code, is amended by inserting after section 3555 the following new section:
"Major cybersecurity incident independent evaluations
Requirement
Each time an agency experiences a major cybersecurity incident, the agency head shall have performed an independent evaluation of such incident.
Inclusions
An evaluation of a major cybersecurity incident under this section shall be transmitted by the agency head to the agencies and committees described in section 3554(c)(1)(A), and shall include—
a description of each major cybersecurity incident including—
threats and threat actors, vulnerabilities, and impacts, including whether the incident involved information that is 'classified', 'controlled unclassified information proprietary', 'controlled unclassified information privacy', or 'controlled unclassified information other', as these terms are defined in Office of Management and Budget Memorandum M–16–03, dated October 30, 2015, or any successor document;
risk assessments conducted on the system before the incident;
the status of compliance of the affected information system with information security requirements at the time of the incident, including—
information security control recommendations made by the agency's Inspector General that are part of the plan described in section 3554(e)(2);
information security control recommendations made by the Comptroller General that are part of the plan described in section 3554(e)(1); and
National Institute of Standards and Technology information security standards that are part of the agency head's certification described in section 3554(c)(1)(A)(iv);
the detection, response, and remediation actions the agency has completed; and
recommendations for research, process, and policy actions the agency should consider taking in response to the incident and to help prevent future incidents of a similar nature; and
for each major cybersecurity incident involving a breach of personally identifiable information—
the number of individuals whose information was affected by the incident and a description of the information that was breached or exposed;
an assessment of the risk of harm to affected individuals; and
details of whether and when the agency provided notice to affected individuals about the data breach, including what protections were offered by the breached agency.
Enforcement
In general
If an evaluation of a major cybersecurity incident described in subsection (a) determines that the major cybersecurity incident occurred in part or in whole because the agency head had failed to comply sufficiently with the information security requirements, recommendations, or standards described in subsection (b)(1)(C), the Director shall, within 60 days of receiving the evaluation, take action under paragraph (2).
Enforcement actions
Enforcement actions the Director may take under this subsection are—
actions described in section 11303(b)(5) of title 40, United States Code; and
either—
recommending to the President the removal or demotion of the agency head; or
action to ensure the agency head does not receive any cash or pay awards or bonuses for a period of 1 year after submission of the explanation required under paragraph (3).
Explanation
The Director shall provide a detailed explanation for enforcement actions taken under paragraph (2), or for a decision not to act, to the committees described in section 3554(c)(1)(A).".
Table of sections amendment
The table of sections for such subchapter is amended by inserting after the item relating to section 3555 the following new item:
"3555a. Major cybersecurity incident independent evaluations.".