H. R. 404
IN THE HOUSE OF REPRESENTATIVES
January 10, 2017
Mr. Fleischmann introduced the following bill; which was referred to the Committee on Oversight and Government Reform
To ensure the functionality and security of new Federal websites that collect personally identifiable information, and for other purposes.
This Act may be cited as the "Safe and Secure Federal Websites Act of 2017."
Ensuring functionality and security of new Federal websites that collect personally identifiable information
(1) Except as otherwise provided under this subsection, an agency may not deploy or make available to the public a new Federal PII website until the date on which the chief information officer of the agency submits a certification to Congress that the website is fully functional and secure.
(2) In the case of a new Federal PII website that is operational on the date of the enactment of this Act, paragraph (1) shall not apply until the end of the 90-day period beginning on such date of enactment. If the certification required under paragraph (1) for such website has not been submitted to Congress before the end of such period, the head of the responsible agency shall render the website inaccessible to the public until such certification is submitted to Congress.
Exception for beta website with explicit permission
Paragraph (1) shall not apply to a website (or portion thereof) that is in a development or testing phase, if the following conditions are met:
(A) A member of the public may access PII-related portions of the website only after executing an agreement that acknowledges the risks involved.
(B) No agency compelled, enjoined, or otherwise provided incentives for such a member to access the website for such purposes.
Nothing in this section shall be construed as applying to a website that is operated entirely by an entity (such as a State or locality) that is independent of the Federal Government, regardless of the receipt of funding in support of such website from the Federal Government.
In this section:
The term "agency" has the meaning given that term under section 551 of title 5, United States Code.
The term "fully functional" means, with respect to a new Federal PII website, that the website can fully support the activities for which it is designed or intended with regard to the eliciting, collection, storage, or maintenance of personally identifiable information, including handling a volume of queries relating to such information commensurate with the purpose for which the website is designed.
New Federal personally identifiable information website (New Federal PII website)
The terms "new Federal personally identifiable information website" and "new Federal PII website" mean a website that—
(A) is operated by (or under a contract with) an agency;
(B) elicits, collects, stores, or maintains personally identifiable information of individuals and is accessible to the public; and
(C) is first made accessible to the public and collects or stores personally identifiable information of individuals, on or after October 1, 2012.
The term "operational" means, with respect to a website, that such website elicits, collects, stores, or maintains personally identifiable information of members of the public and is accessible to the public.
Personally identifiable information (PII)
The terms "personally identifiable information" and "PII" mean any information about an individual elicited, collected, stored, or maintained by an agency, including—
(A) any information that can be used to distinguish or trace the identity of an individual, such as a name, a social security number, a date and place of birth, a mother's maiden name, or biometric records; and
(B) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
The term "responsible agency" means, with respect to a new Federal PII website, the agency that is responsible for the operation (whether directly or through contracts with other entities) of the website.
The term "secure" means, with respect to a new Federal PII website, that the following requirements are met:
(A) The website is in compliance with subchapter II of chapter 35 of title 44, United States Code.
(B) The website ensures that personally identifiable information elicited, collected, stored, or maintained in connection with the website is captured at the latest possible step in a user input sequence.
(C) The responsible agency for the website has encrypted, masked, or taken other similar actions to protect personally identifiable information elicited, collected, stored, or maintained in connection with the website.
(D) The responsible agency for the website has taken reasonable efforts to minimize domain name confusion, including through additional domain registrations.
(E) The responsible agency requires all personnel who have access to personally identifiable information in connection with the website to have completed a Standard Form 85P and signed a nondisclosure agreement with respect to personally identifiable information, and the agency takes proper precautions to ensure that only the fewest reasonable number of trustworthy persons may access such information.
(F) The responsible agency maintains (either directly or through contract) sufficient personnel to respond in a timely manner to issues relating to the proper functioning and security of the website, and to monitor on an ongoing basis existing and emerging security threats to the website.
The term "State" means each State of the United States, the District of Columbia, each territory or possession of the United States, and each federally recognized Indian tribe.
Privacy breach requirements
Information security amendment
Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:
§ 3559. Privacy breach requirements
(a) Policies and procedures
The Director of the Office of Management and Budget shall establish and oversee policies and procedures for agencies to follow in the event of a breach of information security involving the disclosure of personally identifiable information, including requirements for—
(1) not later than 72 hours after the agency discovers such a breach, or discovers evidence that reasonably indicates such a breach has occurred, notice to the individuals whose personally identifiable information could be compromised as a result of such breach;
(2) timely reporting to a Federal cybersecurity center, as designated by the Director of the Office of Management and Budget; and
(3) any additional actions that the Director finds necessary and appropriate, including data breach analysis, fraud resolution services, identity theft insurance, and credit protection or monitoring services.
(b) Required agency action
(1) The head of each agency shall ensure that actions taken in response to a breach of information security involving the disclosure of personally identifiable information under the authority or control of the agency comply with policies and procedures established by the Director of the Office of Management and Budget under subsection (a).
(2) Not later than March 1 of each year, the Director of the Office of Management and Budget shall report to Congress on agency compliance with the policies and procedures established under subsection (a).
(c) Federal cybersecurity center defined
The term "Federal cybersecurity center" means any of the following:
(1) The Department of Defense Cyber Crime Center.
(2) The Intelligence Community Incident Response Center.
(3) The United States Cyber Command Joint Operations Center.
(4) The National Cyber Investigative Joint Task Force.
(5) Central Security Service Threat Operations Center of the National Security Agency.
(6) The United States Computer Emergency Readiness Team.
(7) Any successor to a center, team, or task force described in paragraphs (1) through (6).
(8) Any center that the Director of the Office of Management and Budget determines is appropriate to carry out the requirements of this section.
Technical and Conforming Amendment
The table of sections for subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:
3559. Privacy breach requirements.