
H.R. 6066 (114th): Cybersecurity Responsibility and Accountability Act of 2016

The text of the bill below is as of Sep 19, 2016 (Introduced).


I

114th CONGRESS

2d Session

H. R. 6066

IN THE HOUSE OF REPRESENTATIVES

September 19, 2016

(for himself and Mr. Smith of Texas) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To enforce Federal cybersecurity responsibility and accountability.

1.

Short title

This Act may be cited as the “Cybersecurity Responsibility and Accountability Act of 2016”.

2.

Definitions

Section 3552 of title 44, United States Code, is amended—

(1)

by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively; and

(2)

by inserting after paragraph (5) the following new paragraph:

(6)

The term “major cybersecurity incident” has the meaning given the term “major incident” in Office of Management and Budget Memorandum M–16–03, dated October 30, 2015, or any successor document.

.

3.

Authority and functions of the Director of NIST

(a)

Amendment

Section 3553 of title 44, United States Code, is amended—

(1)

by redesignating subsections (c) through (j) as subsections (d) through (k), respectively; and

(2)

by inserting after subsection (b) the following new subsection:

(c)

Director of the National Institute of Standards and Technology

The Director of the National Institute of Standards and Technology shall further develop and update as necessary the standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) to fulfill the additional objectives and requirements of the Cybersecurity Responsibility and Accountability Act of 2016. Further, the Director of the National Institute of Standards and Technology shall—

(1)

provide to the Director of the Office of Management and Budget a framework and process for agency implementation of such standards and guidelines;

(2)

provide support to agency heads for the implementation of such standards and guidelines and their application to information security policies and principles, as well as with the development of information security training and certification for agency heads;

(3)

conduct cybersecurity research—

(A)

to identify and address prevalent information security challenges, concerns, and knowledge gaps identified by agencies, including those manifested in any of the reports, evaluations, assessments, and plans described in this subchapter that may undermine agencies’ information security policies and practices;

(B)

to assess the sufficiency of the current statutory requirements of the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014, and their effectiveness in requiring agencies to implement standards and guidelines developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and authorized by the Cybersecurity Responsibility and Accountability Act of 2016 regarding information security policies and practices; and

(C)

that shall require the Director of the Office of Management and Budget, the Secretary of Homeland Security, and the heads of other Federal agencies to provide the Director of the National Institute of Standards and Technology any resources, including reports, evaluations, assessments, and plans, that may be required for such research; and

(4)

develop, publish, and update as necessary information security standards and guidelines for national security systems based on established standards and guidelines for information systems.

.

(b)

Conforming amendments

Subchapter II of chapter 35 of title 44, United States Code, is amended—

(1)

in the item relating to section 3553 in the table of sections, by striking “and the Secretary” and inserting “, the Secretary, and the Director of the National Institute of Standards and Technology”;

(2)

in the section heading for section 3553, by striking “and the Secretary” and inserting “, the Secretary, and the Director of the National Institute of Standards and Technology”;

(3)

in section 3553(e), as so redesignated by subsection (a)(1) of this section, by striking “subsection (c)” and inserting “subsection (d)”;

(4)

in section 3553(i)(1)(B), as so redesignated by subsection (a)(1) of this section—

(A)

by striking “subsection (d)” and inserting “subsection (e)”; and

(B)

by striking “subsection (e)” and inserting “subsection (f)”;

(5)

in section 3554(a)(1)(B)(v), by striking “section 3553(h)” and inserting “section 3553(i)”; and

(6)

in section 3555(g)(1), by striking “section 3553(c)” and inserting “section 3553(d)”.

4.

Agency heads

Section 2(d) of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3553 note) is amended—

(1)

in paragraph (1)—

(A)

in subparagraph (A)—

(i)

in the matter before clause (i), by inserting “head” after “affected agency”; and

(ii)

in clause (ii)(IV), by inserting “head” after “when the agency”; and

(B)

in subparagraph (B)—

(i)

by inserting “head of the” after “notice by the”; and

(ii)

by striking “agency discovers” and inserting “agency head discovers”;

(2)

in paragraph (3)(A)(ii), by striking “section 3553(c)” and inserting “section 3553(d)”; and

(3)

in paragraph (4), by inserting “the National Institute of Standards and Technology and” after “such notice to”.

5.

Federal agency head responsibilities

Section 3554 of title 44, United States Code, is amended—

(1)

in subsection (a)(3)(A)—

(A)

by striking “designating a senior agency information security officer” and inserting “collaborating with the agency head to designate a Chief Information Security Officer”;

(B)

by redesignating clauses (i) through (iv) as clauses (ii) through (v), respectively;

(C)

by inserting before clause (ii), as so redesignated, the following new clause:

(i)

have the job description and responsibilities that shall be provided in guidance issued by the Director, developed in consultation with the Director of the National Institute of Standards and Technology and the Secretary, within 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016;

;

(D)

in clause (iv), as so redesignated, by striking “and” at the end;

(E)

in clause (v), as so redesignated, by inserting “and” after the semicolon at the end; and

(F)

by adding at the end the following new clause:

(vi)

be designated without increasing the number of full-time equivalent employee positions at the agency;

;

(2)

in subsection (b)—

(A)

by redesignating paragraphs (5) through (8) as paragraphs (6) through (9), respectively; and

(B)

by inserting after paragraph (4) the following new paragraph:

(5)

mandatory annual information security training and certification designed specifically for the agency head, developed and updated as necessary by the National Institute of Standards and Technology, the purpose of which shall be to ensure that the agency head has an understanding of Federal cybersecurity policy, including an understanding of—

(A)

the information and information systems that support the operations and assets of the agency, using nontechnical terms as much as possible;

(B)

the potential impact of common types of cyber-attacks and data breaches on the agency’s operations and assets;

(C)

how cyber-attacks and data breaches occur;

(D)

steps the agency head and agency employees should take to protect their information and information systems, including not using private messaging system software or private e-mail servers for official communications; and

(E)

the annual reporting requirements required of the agency head under subsection (c), including the certifications required under subsection (c)(1)(A)(iv);

;

(3)

in subsection (c)—

(A)

in paragraph (1)(A)—

(i)

by striking “Each agency” and inserting “The head of each agency”;

(ii)

by inserting “the Director of the National Institute of Standards and Technology,” after “the Director, the Secretary,”;

(iii)

by inserting “, Space, and Technology” after “the Committee on Science”;

(iv)

by striking “and” at the end of clause (iii)(II);

(v)

by redesignating clause (iv) as clause (v); and

(vi)

by inserting after clause (iii) the following new clause:

(iv)

specific written certification by the agency head that—

(I)

certifies that information security standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) are being met by the agency;

(II)

identifies the security controls in place at the agency and how they each meet the relevant information security standard;

(III)

may be based on or informed by the assessment described in section 3553(d)(4); and

(IV)

for any information security standard that the agency does not meet, provides the reasons therefor and includes documentation of the Director’s certification of the agency not meeting the standard; and

; and

(B)

in paragraph (2), by striking “Each agency” and inserting “The head of each agency”;

(4)

in subsection (d), by striking “each agency” and inserting “the head of each agency”;

(5)

by redesignating subsection (e) as subsection (f);

(6)

by inserting after subsection (d) the following new subsection:

(e)

Plans for implementation of recommendations

(1)

Comptroller General recommendations

(A)

In general

In addition to the requirements of subsections (c) and (d), each agency head shall, not later than 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016, develop a plan, in consultation with the Comptroller General, to implement all of the Comptroller General’s recommendations regarding information security controls relevant to that agency.

(B)

Plan

The plan required under subparagraph (A)—

(i)

shall be submitted to the agencies and committees described in subsection (c)(1)(A);

(ii)

shall include a schedule for implementation of the Comptroller General’s recommendations, including a completion deadline;

(iii)

shall be updated annually, and such annual updates shall be included in the annual report described in subsection (c)(1)(A); and

(iv)

may, as appropriate, be based on or informed by recommendations included in the evaluation and report described in section 3555(h).

(C)

If no recommendations

If the Comptroller General does not have any relevant recommendations for an agency head to implement relative to information security controls, then the agency head shall accordingly notify the agencies and committees described in subsection (c)(1)(A).

(D)

Reasons for failure to implement

If there are any Comptroller General recommendations that an agency head does not implement, the agency head shall provide the reasons for that failure to the Director for the Director’s approval. For each unimplemented recommendation, the plan shall include either the Director’s approval or a certification by the Director of the agency head’s failure to implement such recommendation.

(2)

Inspector General recommendations

(A)

In general

In addition to the requirements of subsections (c) and (d), each agency head shall, not later than 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016, develop a plan, in consultation with its Inspector General, to implement all of the Inspector General’s recommendations regarding the agency’s information security program.

(B)

Plan

The plan required under subparagraph (A)—

(i)

shall be submitted to the agencies and committees described in subsection (c)(1)(A);

(ii)

shall include a schedule for implementation of the Inspector General’s recommendations, including a completion deadline;

(iii)

shall be updated annually, and such annual updates shall be included in the annual report described in subsection (c)(1)(A); and

(iv)

may, as appropriate, be based on or informed by recommendations included in—

(I)

the evaluation described in section 3555(b)(1); or

(II)

if the agency does not have an Inspector General, the evaluation described in section 3555(b)(2).

(C)

If no recommendations

If the Inspector General does not have any relevant information security control recommendations for the agency head to implement, then the agency head shall accordingly notify the agencies and committees described in subsection (c)(1)(A).

(D)

Reasons for failure to implement

If there are any Inspector General recommendations that the agency head does not implement, the agency head shall provide the reasons for that failure to the Director for the Director’s approval. For each unimplemented recommendation, the plan shall include either the Director’s approval or a certification by the Director of the agency head’s failure to implement such recommendation.

; and

(7)

in subsection (f), as so redesignated, by striking “Each agency” and inserting “The head of each agency”.

6.

Annual independent evaluation

Section 3555 of title 44, United States Code, is amended—

(1)

in subsection (a)(1), by inserting “head” after “each agency”;

(2)

in subsection (b)(1), by inserting “and evaluations required by section 3555a” after “required by this section”;

(3)

in subsection (c), by striking “that portion of the evaluation required by this section” and inserting “the portions of evaluations required by this section or section 3555a”;

(4)

in subsection (e)(2), by inserting “or section 3555a” after “required under this section”;

(5)

in subsection (f), by striking “Agencies” and inserting “In carrying out this section and section 3555a, agencies”;

(6)

in subsection (g)(3), by inserting “under this section or section 3555a” after “Evaluations”;

(7)

in subsection (i)—

(A)

by striking “the head of an agency” and inserting “an agency head”;

(B)

by striking “head of an agency” and inserting “agency head”; and

(C)

by inserting “or section 3555a” after “under this section”; and

(8)

in subsection (j), by inserting “the Director of the National Institute of Standards and Technology,” after “with the Secretary,”.

7.

Major cybersecurity incident independent evaluations

(a)

Amendment

Subchapter II of chapter 35 of title 44, United States Code, is amended by inserting after section 3555 the following new section:

3555a.

Major cybersecurity incident independent evaluations

(a)

Requirement

Each time an agency experiences a major cybersecurity incident, the agency head shall have performed an independent evaluation of such incident.

(b)

Inclusions

An evaluation of a major cybersecurity incident under this section shall be transmitted by the agency head to the agencies and committees described in section 3554(c)(1)(A), and shall include—

(1)

a description of each major cybersecurity incident including—

(A)

threats and threat actors, vulnerabilities, and impacts, including whether the incident involved information that is classified, controlled unclassified information proprietary, controlled unclassified information privacy, or controlled unclassified information other, as these terms are defined in Office of Management and Budget Memorandum M–16–03, dated October 30, 2015, or any successor document;

(B)

risk assessments conducted on the system before the incident;

(C)

the status of compliance of the affected information system with information security requirements at the time of the incident, including—

(i)

information security control recommendations made by the agency’s Inspector General that are part of the plan described in section 3554(e)(2);

(ii)

information security control recommendations made by the Comptroller General that are part of the plan described in section 3554(e)(1); and

(iii)

National Institute of Standards and Technology information security standards that are part of the agency head’s certification described in section 3554(c)(1)(A)(iv);

(D)

the detection, response, and remediation actions the agency has completed; and

(E)

recommendations for research, process, and policy actions the agency should consider taking in response to the incident and to help prevent future incidents of a similar nature; and

(2)

for each major cybersecurity incident involving a breach of personally identifiable information—

(A)

the number of individuals whose information was affected by the incident and a description of the information that was breached or exposed;

(B)

an assessment of the risk of harm to affected individuals; and

(C)

details of whether and when the agency provided notice to affected individuals about the data breach, including what protections were offered by the breached agency.

(c)

Enforcement

(1)

In general

If an evaluation of a major cybersecurity incident described in subsection (a) determines that the major cybersecurity incident occurred in part or in whole because the agency head had failed to comply sufficiently with the information security requirements, recommendations, or standards described in subsection (b)(1)(C), the Director shall, within 60 days of receiving the evaluation, take action under paragraph (2).

(2)

Enforcement actions

Enforcement actions the Director may take under this subsection are—

(A)

actions described in section 11303(b)(5) of title 40, United States Code; and

(B)

either—

(i)

recommending to the President the removal or demotion of the agency head; or

(ii)

action to ensure the agency head does not receive any cash or pay awards or bonuses for a period of 1 year after submission of the explanation required under paragraph (3).

(3)

Explanation

The Director shall provide a detailed explanation for enforcement actions taken under paragraph (2), or for a decision not to act, to the committees described in section 3554(c)(1)(A).

.

(b)

Table of sections amendment

The table of sections for such subchapter is amended by inserting after the item relating to section 3555 the following new item:

3555a. Major cybersecurity incident independent evaluations.

.