[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3032 Introduced in House (IH)]
113th CONGRESS
1st Session
H. R. 3032
To amend chapter 35 of title 44, United States Code, to create the
National Office for Cyberspace, to revise requirements relating to
Federal information security, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
August 2, 2013
Mr. Langevin (for himself, Mr. Castro of Texas, Mr. Ruppersberger, Ms.
Loretta Sanchez of California, Mr. Pocan, Mr. Andrews, Mr. Larsen of
Washington, and Mrs. Davis of California) introduced the following
bill; which was referred to the Committee on Oversight and Government
Reform, and in addition to the Committee on Homeland Security, for a
period to be subsequently determined by the Speaker, in each case for
consideration of such provisions as fall within the jurisdiction of the
committee concerned
_______________________________________________________________________
A BILL
To amend chapter 35 of title 44, United States Code, to create the
National Office for Cyberspace, to revise requirements relating to
Federal information security, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
(a) Short Title.--This Act may be cited as the ``Executive
Cyberspace Coordination Act of 2013''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title.
TITLE I--FEDERAL INFORMATION SECURITY AMENDMENTS
Sec. 101. Coordination of Federal information policy.
Sec. 102. Information security acquisition requirements.
Sec. 103. Technical and conforming amendments.
Sec. 104. Effective date.
TITLE II--FEDERAL CHIEF TECHNOLOGY OFFICER
Sec. 201. Office of the Chief Technology Officer.
TITLE III--STRENGTHENING CYBERSECURITY FOR CRITICAL INFRASTRUCTURE
Sec. 301. Definitions.
Sec. 302. Authority of Secretary.
TITLE I--FEDERAL INFORMATION SECURITY AMENDMENTS
SEC. 101. COORDINATION OF FEDERAL INFORMATION POLICY.
Chapter 35 of title 44, United States Code, is amended by striking
subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are to--
``(1) provide a comprehensive framework for ensuring the
effectiveness of information security controls over information
resources that support Federal operations and assets;
``(2) recognize the highly networked nature of the current
Federal computing environment and provide effective
Governmentwide management and oversight of the related
information security risks, including coordination of
information security efforts throughout the civilian, national
security, and law enforcement communities;
``(3) provide for development and maintenance of minimum
controls required to protect Federal information and
information infrastructure;
``(4) provide a mechanism for improved oversight of Federal
agency information security programs;
``(5) acknowledge that commercially developed information
security products offer advanced, dynamic, robust, and
effective information security solutions, reflecting market
solutions for the protection of critical information
infrastructures important to the national defense and economic
security of the Nation that are designed, built, and operated
by the private sector; and
``(6) recognize that the selection of specific technical
hardware and software information security solutions should be
left to individual agencies from among commercially developed
products.
``Sec. 3552. Definitions
``(a) Section 3502 Definitions.--Except as provided under
subsection (b), the definitions under section 3502 shall apply to this
subchapter.
``(b) Additional Definitions.--In this subchapter:
``(1) The term `adequate security' means security that
complies with the regulations promulgated under section 3554
and the standards promulgated under section 3558.
``(2) The term `incident' means an occurrence that actually
or potentially jeopardizes the confidentiality, integrity, or
availability of an information system, information
infrastructure, or the information the system processes,
stores, or transmits or that constitutes a violation or
imminent threat of violation of security policies, security
procedures, or acceptable use policies.
``(3) The term `information infrastructure' means the
underlying framework that information systems and assets rely
on in processing, storing, or transmitting information
electronically.
``(4) The term `information security' means protecting
information and information infrastructure from unauthorized
access, use, disclosure, disruption, modification, or
destruction in order to provide--
``(A) integrity, which means guarding against
improper information modification or destruction, and
includes ensuring information nonrepudiation and
authenticity;
``(B) confidentiality, which means preserving
authorized restrictions on access and disclosure,
including means for protecting personal privacy and
proprietary information;
``(C) availability, which means ensuring timely and
reliable access to and use of information; and
``(D) authentication, which means using digital
credentials to assure the identity of users and
validate access of such users.
``(5) The term `information technology' has the meaning
given that term in section 11101 of title 40.
``(6)(A) The term `national security system' means any
information infrastructure (including any telecommunications
system) used or operated by an agency or by a contractor of an
agency, or other organization on behalf of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities
related to national security;
``(III) involves command and control of
military forces;
``(IV) involves equipment that is an
integral part of a weapon or weapons system; or
``(V) subject to subparagraph (B), is
critical to the direct fulfillment of military
or intelligence missions; or
``(ii) is protected at all times by procedures
established for information that have been specifically
authorized under criteria established by an Executive
order or an Act of Congress to be kept classified in
the interest of national defense or foreign policy.
``(B) Subparagraph (A)(i)(V) does not include a system that
is to be used for routine administrative and business
applications (including payroll, finance, logistics, and
personnel management applications).
``Sec. 3553. National Office for Cyberspace
``(a) Establishment.--There is established within the Executive
Office of the President an office to be known as the National Office
for Cyberspace.
``(b) Director.--
``(1) In general.--There shall be at the head of the
National Office for Cyberspace a Director, who shall be
appointed by the President by and with the advice and consent
of the Senate. The Director of the National Office for
Cyberspace shall administer all functions designated to such
Director under this subchapter and collaborate to the extent
practicable with the heads of appropriate agencies, the private
sector, and international partners. The Office shall serve as
the principal office for coordinating issues relating to
cyberspace, including achieving an assured, reliable, secure,
and survivable information infrastructure and related
capabilities for the Federal Government, while promoting
national economic interests, security, and civil liberties.
``(2) Basic pay.--The Director of the National Office for
Cyberspace shall be paid at the rate of basic pay for level III
of the Executive Schedule.
``(c) Staff.--The Director of the National Office for Cyberspace
may appoint and fix the pay of additional personnel as the Director
considers appropriate.
``(d) Experts and Consultants.--The Director of the National Office
for Cyberspace may procure temporary and intermittent services under
section 3109(b) of title 5.
``Sec. 3554. Federal Cybersecurity Practice Board
``(a) Establishment.--Within the National Office for Cyberspace,
there shall be established a board to be known as the `Federal
Cybersecurity Practice Board' (in this section referred to as the
`Board').
``(b) Members.--The Board shall be chaired by the Director of the
National Office for Cyberspace and consist of not more than 10 members,
with at least one representative from--
``(1) the Office of Management and Budget;
``(2) civilian agencies;
``(3) the Department of Defense;
``(4) the Federal law enforcement community;
``(5) the Federal Chief Technology Office; and
``(6) such additional military and civilian agencies as the
Director considers appropriate.
``(c) Responsibilities.--
``(1) Development of policies and procedures.--Subject to
the authority, direction, and control of the Director of the
National Office for Cyberspace, the Board shall be responsible
for developing and periodically updating information security
policies and procedures relating to the matters described in
paragraph (2). In developing such policies and procedures, the
Board shall require that all matters addressed in the policies
and procedures are consistent, to the maximum extent
practicable and in accordance with applicable law, among the
civilian, military, intelligence, and law enforcement
communities.
``(2) Specific matters covered in policies and
procedures.--
``(A) Minimum security controls.--The Board shall
be responsible for developing and periodically updating
information security policies and procedures relating
to minimum security controls for information
technology, in order to--
``(i) provide Governmentwide protection of
Government-networked computers against common
attacks; and
``(ii) provide agencywide protection
against threats, vulnerabilities, and other
risks to the information infrastructure within
individual agencies.
``(B) Measures of effectiveness.--The Board shall
be responsible for developing and periodically updating
information security policies and procedures relating
to measurements needed to assess the effectiveness of
the minimum security controls referred to in
subparagraph (A). Such measurements shall include a
risk scoring system to evaluate risk to information
security both Governmentwide and within contractors of
the Federal Government.
``(C) Products and services.--The Board shall be
responsible for developing and periodically updating
information security policies, procedures, and minimum
security standards relating to criteria for products
and services to be used in agency information systems
and information infrastructure that will meet the
minimum security controls referred to in subparagraph
(A). In carrying out this subparagraph, the Board shall
act in consultation with the Office of Management and
Budget and the General Services Administration.
``(D) Remedies.--The Board shall be responsible for
developing and periodically updating information
security policies and procedures relating to methods
for providing remedies for security deficiencies
identified in agency information infrastructure.
``(3) Additional considerations.--The Board shall also
consider--
``(A) opportunities to engage with the
international community to set policies, principles,
training, standards, or guidelines for information
security;
``(B) opportunities to work with agencies and
industry partners to increase information sharing and
policy coordination efforts in order to reduce
vulnerabilities in the national information
infrastructure; and
``(C) options necessary to encourage and maintain
accountability of any agency, or senior agency
official, for efforts to secure the information
infrastructure of such agency.
``(4) Relationship to other standards.--The policies and
procedures developed under paragraph (1) are supplemental to
the standards promulgated by the Director of the National
Office for Cyberspace under section 3558.
``(5) Recommendations for regulations.--The Board shall be
responsible for making recommendations to the Director of the
National Office for Cyberspace on regulations to carry out the
policies and procedures developed by the Board under paragraph
(1).
``(d) Regulations.--The Director of the National Office for
Cyberspace, in consultation with the Director of the Office of
Management and the Administrator of General Services, shall promulgate
and periodically update regulations to carry out the policies and
procedures developed by the Board under subsection (c).
``(e) Annual Report.--The Director of the National Office for
Cyberspace shall provide to Congress a report containing a summary of
agency progress in implementing the regulations promulgated under this
section as part of the annual report to Congress required under section
3555(a)(8).
``(f) No Disclosure by Board Required.--The Board is not required
to disclose under section 552 of title 5 information submitted by
agencies to the Board regarding threats, vulnerabilities, and risks.
``Sec. 3555. Authority and functions of the Director of the National
Office for Cyberspace
``(a) In General.--The Director of the National Office for
Cyberspace shall oversee agency information security policies and
practices, including--
``(1) developing and overseeing the implementation of
policies, principles, standards, and guidelines on information
security, including through ensuring timely agency adoption of
and compliance with standards promulgated under section 3558;
``(2) requiring agencies, consistent with the standards
promulgated under section 3558 and other requirements of this
subchapter, to identify and provide information security
protections commensurate with the risk and magnitude of the
harm resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(A) information collected or maintained by or on
behalf of an agency; or
``(B) information infrastructure used or operated
by an agency or by a contractor of an agency or other
organization on behalf of an agency;
``(3) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards and
guidelines are complementary with standards and guidelines
developed for national security systems;
``(4) overseeing agency compliance with the requirements of
this subchapter, including through any authorized action under
section 11303 of title 40, to enforce accountability for
compliance with such requirements;
``(5) reviewing at least annually, and approving or
disapproving, agency information security programs required
under section 3556(b);
``(6) coordinating information security policies and
procedures of the Federal Government with related information
resources management policies and procedures on the security
and resiliency of cyberspace;
``(7) overseeing the operation of the Federal information
security incident center required under section 3559;
``(8) reporting to Congress no later than March 1 of each
year on agency compliance with the requirements of this
subchapter, including--
``(A) a summary of the findings of audits required
by section 3557;
``(B) an assessment of the development,
promulgation, and adoption of, and compliance with,
standards developed under section 20 of the National
Institute of Standards and Technology Act (15 U.S.C.
278g-3) and promulgated under section 3558;
``(C) significant deficiencies in agency
information security practices;
``(D) planned remedial action to address such
deficiencies; and
``(E) a summary of, and the views of the Director
of the National Office for Cyberspace on, the report
prepared by the National Institute of Standards and
Technology under section 20(d)(10) of the National
Institute of Standards and Technology Act (15 U.S.C.
278g-3);
``(9) coordinating the defense of information
infrastructure operated by agencies in the case of a large-
scale attack on information infrastructure, as determined by
the Director;
``(10) establishing a national strategy not later than 120
days after the date of the enactment of this section;
``(11) coordinating information security training for
Federal employees with the Office of Personnel Management;
``(12) ensuring the adequacy of protections for privacy and
civil liberties in carrying out the responsibilities of the
Director under this subchapter;
``(13) making recommendations that the Director determines
are necessary to ensure risk-based security of the Federal
information infrastructure and information infrastructure that
is owned, operated, controlled, or licensed for use by, or on
behalf of, the Department of Defense, a military department, or
another element of the intelligence community to--
``(A) the Director of the Office of Management and
Budget;
``(B) the head of an agency; or
``(C) to Congress with regard to the reprogramming
of funds;
``(14) ensuring, in consultation with the Administrator of
the Office of Information and Regulatory Affairs, that the
efforts of agencies relating to the development of regulations,
rules, requirements, or other actions applicable to the
national information infrastructure are complementary;
``(15) when directed by the President, carrying out the
responsibilities for national security and emergency
preparedness communications described in section 706 of the
Communications Act of 1934 (47 U.S.C. 606) to ensure
integration and coordination; and
``(16) as assigned by the President, other duties relating
to the security and resiliency of cyberspace.
``(b) Recruitment Program.--Not later than 1 year after
appointment, the Director of the National Office for Cyberspace shall
establish a national program to conduct competitions and challenges
that instruct United States students in cybersecurity education and
computer literacy.
``(c) Budget Oversight and Reporting.--(1) The head of each agency
shall submit to the Director of the National Office for Cyberspace a
budget each year for the following fiscal year relating to the
protection of information infrastructure for such agency, by a date
determined by the Director that is before the submission of such budget
by the head of the agency to the Office of Management and Budget.
``(2) The Director shall review and offer a non-binding approval or
disapproval of each agency's annual budget to each such agency before
the submission of such budget by the head of the agency to the Office
of Management and Budget.
``(3) If the Director offers a non-binding disapproval of an
agency's budget, the Director shall transmit recommendations to the
head of such agency for strengthening its proposed budget with regard
to the protection of such agency's information infrastructure.
``(4) Each budget submitted by the head of an agency pursuant to
paragraph (1) shall include--
``(A) a review of any threats to information technology for
such agency;
``(B) a plan to secure the information infrastructure for
such agency based on threats to information technology, using
the National Institute of Standards and Technology guidelines
and recommendations;
``(C) a review of compliance by such agency with any
previous year plan described in subparagraph (B); and
``(D) a report on the development of the credentialing
process to enable secure authentication of identity and
authorization for access to the information infrastructure of
such agency.
``(5) The Director of the National Office for Cyberspace may
recommend to the President monetary penalties or incentives necessary
to encourage and maintain accountability of any agency, or senior
agency official, for efforts to secure the information infrastructure
of such agency.
``Sec. 3556. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) providing information security protections
commensurate with the risk and magnitude of the harm
resulting from unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained
by or on behalf of the agency; and
``(ii) information infrastructure used or
operated by an agency or by a contractor of an
agency or other organization on behalf of an
agency;
``(B) complying with the requirements of this
subchapter and related policies, procedures, standards,
and guidelines, including--
``(i) the regulations promulgated under
section 3554 and the information security
standards promulgated under section 3558;
``(ii) information security standards and
guidelines for national security systems issued
in accordance with law and as directed by the
President; and
``(iii) ensuring the standards implemented
for information infrastructure and national
security systems under the agency head are
complementary and uniform, to the extent
practicable; and
``(C) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(2) ensure that senior agency officials provide
information security for the information and information
infrastructure that support the operations and assets under
their control, including through--
``(A) assessing the risk and magnitude of the harm
that could result from the unauthorized access, use,
disclosure, disruption, modification, or destruction of
such information or information infrastructure;
``(B) determining the levels of information
security appropriate to protect such information and
information infrastructure in accordance with
regulations promulgated under section 3554 and
standards promulgated under section 3558, for
information security classifications and related
requirements;
``(C) implementing policies and procedures to cost
effectively reduce risks to an acceptable level; and
``(D) continuously testing and evaluating
information security controls and techniques to ensure
that they are effectively implemented;
``(3) delegate to an agency official, designated as the
`Chief Information Security Officer', under the authority of
the agency Chief Information Officer the responsibility to
oversee agency information security and the authority to ensure
and enforce compliance with the requirements imposed on the
agency under this subchapter, including--
``(A) overseeing the establishment and maintenance
of a security operations capability on an automated and
continuous basis that can--
``(i) assess the state of compliance of all
networks and systems with prescribed controls
issued pursuant to section 3558 and report
immediately any variance therefrom and, where
appropriate and with the approval of the agency
Chief Information Officer, shut down systems
that are found to be non-compliant;
``(ii) detect, report, respond to, contain,
and mitigate incidents that impair adequate
security of the information and information
infrastructure, in accordance with policy
provided by the Director of the National Office
for Cyberspace, in consultation with the Chief
Information Officers Council, and guidance from
the National Institute of Standards and
Technology;
``(iii) collaborate with the National
Office for Cyberspace and appropriate public
and private sector security operations centers
to address incidents that impact the security
of information and information infrastructure
that extend beyond the control of the agency;
and
``(iv) not later than 24 hours after
discovery of any incident described under
subparagraph (A)(ii), unless otherwise directed
by policy of the National Office for
Cyberspace, provide notice to the appropriate
security operations center, the National Cyber
Investigative Joint Task Force, and the
Inspector General of the agency;
``(B) developing, maintaining, and overseeing an
agency wide information security program as required by
subsection (b);
``(C) developing, maintaining, and overseeing
information security policies, procedures, and control
techniques to address all applicable requirements,
including those issued under sections 3555 and 3558;
``(D) training and overseeing personnel with
significant responsibilities for information security
with respect to such responsibilities; and
``(E) assisting senior agency officials concerning
their responsibilities under paragraph (2);
``(4) ensure that the agency has trained and cleared
personnel sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines;
``(5) ensure that the Chief Information Security Officer,
in coordination with other senior agency officials, reports
biannually to the agency head on the effectiveness of the
agency information security program, including progress of
remedial actions; and
``(6) ensure that the Chief Information Security Officer
possesses necessary qualifications, including education,
professional certifications, training, experience, and the
security clearance required to administer the functions
described under this subchapter; and has information security
duties as the primary duty of that official.
``(b) Agency Program.--Each agency shall develop, document, and
implement an agencywide information security program, approved by the
Director of the National Office for Cyberspace under section
3555(a)(5), to provide information security for the information and
information infrastructure that support the operations and assets of
the agency, including those provided or managed by another agency,
contractor, or other source, that includes--
``(1) continuous automated technical monitoring of
information infrastructure used or operated by an agency or by
a contractor of an agency or other organization on behalf of an
agency to assure conformance with regulations promulgated under
section 3554 and standards promulgated under section 3558;
``(2) testing of the effectiveness of security controls
that are commensurate with risk (as defined by the National
Institute of Standards and Technology and the National Office
for Cyberspace) for agency information infrastructure;
``(3) policies and procedures that--
``(A) mitigate and remediate, to the extent
practicable, information security vulnerabilities based
on the risk posed to the agency;
``(B) cost effectively reduce information security
risks to an acceptable level;
``(C) ensure that information security is addressed
throughout the life cycle of each agency information
system and information infrastructure;
``(D) ensure compliance with--
``(i) the requirements of this subchapter;
``(ii) policies and procedures as may be
prescribed by the Director of the National
Office for Cyberspace, and information security
standards promulgated under section 3558;
``(iii) minimally acceptable system
configuration requirements, as determined by
the Director of the National Office for
Cyberspace; and
``(iv) any other applicable requirements,
including--
``(I) standards and guidelines for
national security systems issued in
accordance with law and as directed by
the President;
``(II) the policy of the Director
of the National Office for Cyberspace;
``(III) the National Institute of
Standards and Technology guidance; and
``(IV) the Chief Information
Officers Council recommended
approaches;
``(E) develop, maintain, and oversee information
security policies, procedures, and control techniques
to address all applicable requirements, including those
issued under sections 3555 and 3558; and
``(F) ensure the oversight and training of
personnel with significant responsibilities for
information security with respect to such
responsibilities;
``(4) ensuring that the agency has trained and cleared
personnel sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines;
``(5) to the extent practicable, automated and continuous
technical monitoring for testing, and evaluation of the
effectiveness and compliance of information security policies,
procedures, and practices, including--
``(A) management, operational, and technical
controls of every information infrastructure identified
in the inventory required under section 3505(b); and
``(B) management, operational, and technical
controls relied on for an evaluation under section
3556;
``(6) a process for planning, implementing, evaluating, and
documenting remedial action to address any deficiencies in the
information security policies, procedures, and practices of the
agency;
``(7) to the extent practicable, continuous automated
technical monitoring for detecting, reporting, and responding
to security incidents, consistent with standards and guidelines
issued by the Director of the National Office for Cyberspace,
including--
``(A) mitigating risks associated with such
incidents before substantial damage is done;
``(B) notifying and consulting with the appropriate
security operations response center; and
``(C) notifying and consulting with, as
appropriate--
``(i) law enforcement agencies and relevant
Offices of Inspectors General;
``(ii) the National Office for Cyberspace;
and
``(iii) any other agency or office, in
accordance with law or as directed by the
President; and
``(8) plans and procedures to ensure continuity of
operations for information infrastructure that support the
operations and assets of the agency.
``(c) Agency Reporting.--Each agency shall--
``(1) submit an annual report on the adequacy and
effectiveness of information security policies, procedures, and
practices, and compliance with the requirements of this
subchapter, including compliance with each requirement of
subsection (b) to--
``(A) the National Office for Cyberspace;
``(B) the Committee on Homeland Security and
Governmental Affairs of the Senate;
``(C) the Committee on Oversight and Government
Reform of the House of Representatives;
``(D) other appropriate authorization and
appropriations committees of Congress; and
``(E) the Comptroller General;
``(2) address the adequacy and effectiveness of information
security policies, procedures, and practices in plans and
reports relating to--
``(A) annual agency budgets;
``(B) information resources management of this
subchapter;
``(C) information technology management under this
chapter;
``(D) program performance under sections 1105 and
1115 through 1119 of title 31, and sections 2801 and
2805 of title 39;
``(E) financial management under chapter 9 of title
31, and the Chief Financial Officers Act of 1990 (31
U.S.C. 501 note; Public Law 101-576) (and the
amendments made by that Act);
``(F) financial management systems under the
Federal Financial Management Improvement Act (31 U.S.C.
3512 note); and
``(G) internal accounting and administrative
controls under section 3512 of title 31; and
``(3) report any significant deficiency in a policy,
procedure, or practice identified under paragraph (1) or (2)--
``(A) as a material weakness in reporting under
section 3512 of title 31; and
``(B) if relating to financial management systems,
as an instance of a lack of substantial compliance
under the Federal Financial Management Improvement Act
(31 U.S.C. 3512 note).
``(d) Performance Plan.--(1) In addition to the requirements of
subsection (c), each agency, in consultation with the National Office
for Cyberspace, shall include as part of the performance plan required
under section 1115 of title 31 a description of the resources,
including budget, staffing, and training, that are necessary to
implement the program required under subsection (b).
``(2) The description under paragraph (1) shall be based on the
risk assessments required under subsection (a)(2).
``(e) Public Notice and Comment.--Each agency shall provide the
public with timely notice and opportunities for comment on proposed
information security policies and procedures to the extent that such
policies and procedures affect communication with the public.
``Sec. 3557. Annual independent audit
``(a) In General.--(1) Each year each agency shall have performed
an independent audit of the information security program and practices
of that agency to determine the effectiveness of such program and
practices.
``(2) Each audit under this section shall include--
``(A) testing of the effectiveness of the information
infrastructure of the agency for automated, continuous
monitoring of the state of compliance of its information
infrastructure with regulations promulgated under section 3554
and standards promulgated under section 3558 in a
representative subset of--
``(i) the information infrastructure used or
operated by the agency; and
``(ii) the information infrastructure used,
operated, or supported on behalf of the agency by a
contractor of the agency, a subcontractor (at any tier)
of such contractor, or any other entity;
``(B) an assessment (made on the basis of the results of
the testing) of compliance with--
``(i) the requirements of this subchapter; and
``(ii) related information security policies,
procedures, standards, and guidelines;
``(C) separate assessments, as appropriate, regarding
information security relating to national security systems; and
``(D) a conclusion regarding whether the information
security controls of the agency are effective, including an
identification of any significant deficiencies in such
controls.
``(3) Each audit under this section shall be performed in
accordance with applicable generally accepted Government auditing
standards.
``(b) Independent Auditor.--Subject to subsection (c)--
``(1) for each agency with an Inspector General appointed
under the Inspector General Act of 1978 or any other law, the
annual audit required by this section shall be performed by the
Inspector General or by an independent external auditor, as
determined by the Inspector General of the agency; and
``(2) for each agency to which paragraph (1) does not
apply, the head of the agency shall engage an independent
external auditor to perform the audit.
``(c) National Security Systems.--For each agency operating or
exercising control of a national security system, that portion of the
audit required by this section directly relating to a national security
system shall be performed--
``(1) only by an entity designated head; and
``(2) in such a manner as to ensure appropriate protection
for information associated with any information security
vulnerability in such system commensurate with the risk and in
accordance with all applicable laws.
``(d) Existing Audits.--The audit required by this section may be
based in whole or in part on another audit relating to programs or
practices of the applicable agency.
``(e) Agency Reporting.--(1) Each year, not later than such date
established by the Director of the National Office for Cyberspace, the
head of each agency shall submit to the Director the results of the
audit required under this section.
``(2) To the extent an audit required under this section directly
relates to a national security system, the results of the audit
submitted to the Director of the National Office for Cyberspace shall
contain only a summary and assessment of that portion of the audit
directly relating to a national security system.
``(f) Protection of Information.--Agencies and auditors shall take
appropriate steps to ensure the protection of information which, if
disclosed, may adversely affect information security. Such protections
shall be commensurate with the risk and comply with all applicable laws
and regulations.
``(g) National Office for Cyberspace Reports to Congress.--(1) The
Director of the National Office for Cyberspace shall summarize the
results of the audits conducted under this section in the annual report
to Congress required under section 3555(a)(8).
``(2) The Director's report to Congress under this subsection shall
summarize information regarding information security relating to
national security systems in such a manner as to ensure appropriate
protection for information associated with any information security
vulnerability in such system commensurate with the risk and in
accordance with all applicable laws.
``(3) Audits and any other descriptions of information
infrastructure under the authority and control of the Director of
Central Intelligence or of National Foreign Intelligence Programs
systems under the authority and control of the Secretary of Defense
shall be made available to Congress only through the appropriate
oversight committees of Congress, in accordance with applicable laws.
``(h) Comptroller General.--The Comptroller General shall
periodically evaluate and report to Congress on--
``(1) the adequacy and effectiveness of agency information
security policies and practices; and
``(2) implementation of the requirements of this
subchapter.
``(i) Contractor Audits.--Each year each contractor that operates,
uses, or supports an information system or information infrastructure
on behalf of an agency and each subcontractor of such contractor--
``(1) shall conduct an audit using an independent external
auditor in accordance with subsection (a), including an
assessment of compliance with the applicable requirements of
this subchapter; and
``(2) shall submit the results of such audit to such agency
not later than such date established by the Agency.
``Sec. 3558. Responsibilities for Federal information systems standards
``(a) Requirement To Prescribe Standards.--
``(1) In general.--
``(A) Requirement.--Except as provided under
paragraph (2), the Secretary of Commerce shall, on the
basis of proposed standards developed by the National
Institute of Standards and Technology pursuant to
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C.
278g-3(a)) and in consultation with the Secretary of
Homeland Security, promulgate information security
standards pertaining to Federal information systems.
``(B) Required standards.--Standards promulgated
under subparagraph (A) shall include--
``(i) standards that provide minimum
information security requirements as determined
under section 20(b) of the National Institute
of Standards and Technology Act (15 U.S.C.
278g-3(b)); and
``(ii) such standards that are otherwise
necessary to improve the efficiency of
operation or security of Federal information
systems.
``(C) Required standards binding.--Information
security standards described under subparagraph (B)
shall be compulsory and binding.
``(2) Standards and guidelines for national security
systems.--Standards and guidelines for national security
systems, as defined under section 3552(b), shall be developed,
promulgated, enforced, and overseen as otherwise authorized by
law and as directed by the President.
``(b) Application of More Stringent Standards.--The head of an
agency may employ standards for the cost-effective information security
for all operations and assets within or under the supervision of that
agency that are more stringent than the standards promulgated by the
Secretary of Commerce under this section, if such standards--
``(1) contain, at a minimum, the provisions of those
applicable standards made compulsory and binding by the
Secretary; and
``(2) are otherwise consistent with policies and guidelines
issued under section 3555.
``(c) Requirements Regarding Decisions by the Secretary.--
``(1) Deadline.--The decision regarding the promulgation of
any standard by the Secretary of Commerce under subsection (b)
shall occur not later than 6 months after the submission of the
proposed standard to the Secretary by the National Institute of
Standards and Technology, as provided under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3).
``(2) Notice and comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a proposed
standard submitted to the Secretary by the National Institute
of Standards and Technology, as provided under section 20 of
the National Institute of Standards and Technology Act (15
U.S.C. 278g-3), shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``Sec. 3559. Federal information security incident center
``(a) In General.--The Director of the National Office for
Cyberspace shall ensure the operation of a central Federal information
security incident center to--
``(1) provide timely technical assistance to operators of
agency information systems and information infrastructure
regarding security incidents, including guidance on detecting
and handling information security incidents;
``(2) compile and analyze information about incidents that
threaten information security;
``(3) inform operators of agency information systems and
information infrastructure about current and potential
information security threats, and vulnerabilities; and
``(4) consult with the National Institute of Standards and
Technology, agencies or offices operating or exercising control
of national security systems (including the National Security
Agency), and such other agencies or offices in accordance with
law and as directed by the President regarding information
security incidents and related matters.
``(b) National Security Systems.--Each agency operating or
exercising control of a national security system shall share
information about information security incidents, threats, and
vulnerabilities with the Federal information security incident center
to the extent consistent with standards and guidelines for national
security systems, issued in accordance with law and as directed by the
President.
``(c) Review and Approval.--In coordination with the Administrator
for Electronic Government and Information Technology, the Director of
the National Office for Cyberspace shall review and approve the
policies, procedures, and guidance established in this subchapter to
ensure that the incident center has the capability to effectively and
efficiently detect, correlate, respond to, contain, mitigate, and
remediate incidents that impair the adequate security of the
information systems and information infrastructure of more than one
agency. To the extent practicable, the capability shall be continuous
and technically automated.
``Sec. 3560. National security systems
``The head of each agency operating or exercising control of a
national security system shall be responsible for ensuring that the
agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm resulting
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of the information contained in
such system;
``(2) implements information security policies and
practices as required by standards and guidelines for national
security systems, issued in accordance with law and as directed
by the President; and
``(3) complies with the requirements of this subchapter.''.
SEC. 102. INFORMATION SECURITY ACQUISITION REQUIREMENTS.
Chapter 113 of title 40, United States Code, is amended by adding
at the end of subchapter II the following new section:
``Sec. 11319. Information security acquisition requirements.
``(a) Prohibition.--Notwithstanding any other provision of law,
beginning one year after the date of the enactment of the Executive
Cyberspace Coordination Act of 2013, no agency may enter into a
contract, an order under a contract, or an interagency agreement for--
``(1) the collection, use, management, storage, or
dissemination of information on behalf of the agency;
``(2) the use or operation of an information system or
information infrastructure on behalf of the agency; or
``(3) information technology;
unless such contract, order, or agreement includes requirements to
provide effective information security that supports the operations and
assets under the control of the agency, in compliance with the
policies, standards, and guidance developed under subsection (b), and
otherwise ensures compliance with this section.
``(b) Coordination of Secure Acquisition Policies.--
``(1) In general.--The Director of the Office of Management
and Budget, in consultation with the Director of the National
Institute of Standards and Technology, the Director of the
National Office for Cyberspace, and the Administrator of
General Services, shall oversee the development and
implementation of policies, standards, and guidance, including
through revisions to the Federal Acquisition Regulation and the
Department of Defense supplement to the Federal Acquisition
Regulation, to cost effectively enhance agency information
security, including--
``(A) minimum information security requirements for
agency procurement of information technology products
and services; and
``(B) approaches for evaluating and mitigating
significant supply chain security risks associated with
products or services to be acquired by agencies.
``(2) Report.--Not later than two years after the date of
the enactment of the Executive Cyberspace Coordination Act of
2013, the Director of the Office of Management and Budget shall
submit to Congress a report describing--
``(A) actions taken to improve the information
security associated with the procurement of products
and services by the Federal Government; and
``(B) plans for overseeing and coordinating efforts
of agencies to use best practice approaches for cost-
effectively purchasing more secure products and
services.
``(c) Vulnerability Assessments of Major Systems.--
``(1) Requirement for initial vulnerability assessments.--
The Director of the Office of Management and Budget shall
require each agency to conduct an initial vulnerability
assessment for any major system and its significant items of
supply prior to the development of the system. The initial
vulnerability assessment of a major system and its significant
items of supply shall include use of an analysis-based approach
to--
``(A) identify vulnerabilities;
``(B) define exploitation potential;
``(C) examine the system's potential effectiveness;
``(D) determine overall vulnerability; and
``(E) make recommendations for risk reduction.
``(2) Subsequent vulnerability assessments.--
``(A) The Director shall require a subsequent
vulnerability assessment of each major system and its
significant items of supply within a program if the
Director determines that circumstances warrant the
issuance of an additional vulnerability assessment.
``(B) Upon the request of a congressional
committee, the Director may require a subsequent
vulnerability assessment of a particular major system
and its significant items of supply within the program.
``(C) Any subsequent vulnerability assessment of a
major system and its significant items of supply shall
include use of an analysis-based approach and, if
applicable, a testing-based approach, to monitor the
exploitation potential of such system and reexamine the
factors described in subparagraphs (A) through (E) of
paragraph (1).
``(3) Congressional oversight.--The Director shall provide
to the appropriate congressional committees a copy of each
vulnerability assessment conducted under paragraph (1) or (2)
not later than 10 days after the date of the completion of such
assessment.
``(d) Definitions.--In this section:
``(1) Item of supply.--The term `item of supply'--
``(A) means any individual part, component,
subassembly, assembly, or subsystem integral to a major
system, and other property which may be replaced during
the service life of the major system, including a spare
part or replenishment part; and
``(B) does not include packaging or labeling
associated with shipment or identification of an item.
``(2) Vulnerability assessment.--The term `vulnerability
assessment' means the process of identifying and quantifying
vulnerabilities in a major system and its significant items of
supply.
``(3) Major system.--The term `major system' has the
meaning given that term in section 4 of the Office of Federal
Procurement Policy Act (41 U.S.C. 403).''.
SEC. 103. TECHNICAL AND CONFORMING AMENDMENTS.
(a) Table of Sections in Title 44.--The table of sections for
chapter 35 of title 44, United States Code, is amended by striking the
matter relating to subchapters II and III and inserting the following:
``subchapter ii--information security
``3551. Purposes.
``3552. Definitions.
``3553. National Office for Cyberspace.
``3554. Federal Cybersecurity Practice Board.
``3555. Authority and functions of the Director of the National Office
for Cyberspace.
``3556. Agency responsibilities.
``3557. Annual independent audit.
``3558. Responsibilities for Federal information systems standards.
``3559. Federal information security incident center.
``3560. National security systems.''.
(b) Table of Sections in Title 40.--The table of sections for
chapter 113 of title 40, United States Code, is amended by inserting
after the item relating to section 11318 the following new item:
``Sec. 11319. Information security acquisition requirements.''.
(c) Other References.--
(1) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552(b)''.
(2) Section 2222(j)(6) of title 10, United States Code, is
amended by striking ``section 3542(b)(2))'' and inserting
``section 3552(b)''.
(3) Section 2223(c)(3) of title 10, United States Code, is
amended, by striking ``section 3542(b)(2))'' and inserting
``section 3552(b)''.
(4) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2))'' and inserting
``section 3552(b)''.
(5) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(A) in subsections (a)(2) and (e)(5), by striking
``section 3532(b)(2)'' and inserting ``section
3552(b)'';
(B) in subsection (e)(2), by striking ``section
3532(1)'' and inserting ``section 3552(b)''; and
(C) in subsections (c)(3) and (d)(1), by striking
``section 11331 of title 40'' and inserting ``section
3558 of title 44''.
(6) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3556(b)''.
(d) Repeal.--
(1) Subchapter III of chapter 113 of title 40, United
States Code, is repealed.
(2) The table of sections for chapter 113 of such title is
amended by striking the matter relating to subchapter III.
(e) Executive Schedule Pay Rate.--Section 5314 of title 5, United
States Code, is amended by adding at the end the following:
``Director of the National Office for Cyberspace.''.
(f) Membership on the National Security Council.--Section 101(a) of
the National Security Act of 1947 (50 U.S.C. 402(a)) is amended--
(1) by redesignating paragraphs (7) and (8) as paragraphs
(8) and (9), respectively; and
(2) by inserting after paragraph (6) the following:
``(7) the Director of the National Office for
Cyberspace;''.
SEC. 104. EFFECTIVE DATE.
(a) In General.--Unless otherwise specified in this section, this
title (including the amendments made by this title) shall take effect
30 days after the date of enactment of this Act.
(b) National Office for Cyberspace.--Section 3553 of title 44,
United States Code, as added by section 101 of this title, shall take
effect 180 days after the date of enactment of this Act.
(c) Federal Cybersecurity Practice Board.--Section 3554 of title
44, United States Code, as added by section 101 of this title, shall
take effect one year after the date of enactment of this Act.
TITLE II--FEDERAL CHIEF TECHNOLOGY OFFICER
SEC. 201. OFFICE OF THE CHIEF TECHNOLOGY OFFICER.
(a) Establishment and Staff.--
(1) Establishment.--
(A) In general.--There is established in the
Executive Office of the President an Office of the
Federal Chief Technology Officer (in this section
referred to as the ``Office'').
(B) Head of the office.--
(i) Federal chief technology officer.--The
President shall appoint a Federal Chief
Technology Officer (in this section referred to
as the ``Federal CTO'') who shall be the head
of the Office.
(ii) Compensation.--Section 5314 of title
5, United States Code, is amended by adding at
the end the following:
``Federal Chief Technology Officer.''.
(2) Staff of the office.--The President may appoint
additional staff members to the Office.
(b) Duties of the Office.--The functions of the Federal CTO are the
following:
(1) Undertake fact-gathering, analysis, and assessment of
the Federal Government's information technology
infrastructures, information technology strategy, and use of
information technology, and provide advice on such matters to
the President, heads of Federal departments and agencies, and
government chief information officers and chief technology
officers.
(2) Lead an interagency effort, working with the chief
technology and chief information officers of each of the
Federal departments and agencies, to develop and implement a
planning process to ensure that they use best-in-class
technologies, share best practices, and improve the use of
technology in support of Federal Government requirements.
(3) Advise the President on information technology
considerations with regard to Federal budgets and with regard
to general coordination of the research and development
programs of the Federal Government for information technology-
related matters.
(4) Promote technological innovation in the Federal
Government, and encourage and oversee the adoption of robust
cross-governmental architectures and standards-based
information technologies, in support of effective operational
and management policies, practices, and services across Federal
departments and agencies and with the public and external
entities.
(5) Establish cooperative public-private sector partnership
initiatives to achieve knowledge of technologies available in
the marketplace that can be used for improving governmental
operations and information technology research and development
activities.
(6) Gather timely and authoritative information concerning
significant developments and trends in information technology,
and in national priorities, both current and prospective, and
analyze and interpret the information for the purpose of
determining whether the developments and trends are likely to
affect achievement of the priority goals of the Federal
Government.
(7) Develop, review, revise, and recommend criteria for
determining information technology activities warranting
Federal support, and recommend Federal policies designed to
advance the development and maintenance of effective and
efficient information technology capabilities, including human
resources, at all levels of government, academia, and industry,
and the effective application of the capabilities to national
needs.
(8) Any other functions and activities that the President
may assign to the Federal CTO.
(c) Policy Planning; Analysis and Advice.--The Office shall serve
as a source of analysis and advice for the President and heads of
Federal departments and agencies with respect to major policies, plans,
and programs of the Federal Government in accordance with the functions
described in subsection (b).
(d) Coordination of the Office With Other Entities.--
(1) Federal cto on domestic policy council.--The Federal
CTO shall be a member of the Domestic Policy Council.
(2) Federal cto on cyber security practice board.--The
Federal CTO shall be a member of the Federal Cybersecurity
Practice Board.
(3) Obtain information from agencies.--The Office may
secure, directly from any department or agency of the United
States, information necessary to enable the Federal CTO to
carry out this section. On request of the Federal CTO, the head
of the department or agency shall furnish the information to
the Office, subject to any applicable limitations of Federal
law.
(4) Staff of federal agencies.--On request of the Federal
CTO, to assist the Office in carrying out the duties of the
Office, the head of any Federal department or agency may detail
personnel, services, or facilities of the department or agency
to the Office.
(e) Annual Report.--
(1) Publication and contents.--The Federal CTO shall
publish, in the Federal Register and on a public Internet
website of the Federal CTO, an annual report that includes the
following:
(A) Information on programs to promote the
development of technological innovations.
(B) Recommendations for the adoption of policies to
encourage the generation of technological innovations.
(C) Information on the activities and
accomplishments of the Office in the year covered by
the report.
(2) Submission.--The Federal CTO shall submit each report
under paragraph (1) to--
(A) the President;
(B) the Committee on Oversight and Government
Reform of the House of Representatives;
(C) the Committee on Science and Technology of the
House of Representatives; and
(D) the Committee on Commerce, Science, and
Transportation of the Senate.
TITLE III--STRENGTHENING CYBERSECURITY FOR CRITICAL INFRASTRUCTURE
SEC. 301. DEFINITIONS.
In this title:
(1) Critical information infrastructure.--The term
``critical information infrastructure'' means the electronic
information and communications systems, software, and assets
that control, protect, process, transmit, receive, program, or
store information in any form, including data, voice, and
video, relied upon by critical infrastructure, industrial
control systems such as supervisory control and data
acquisition systems, and programmable logic controllers. This
shall also include such systems of the Federal Government.
(2) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
SEC. 302. AUTHORITY OF SECRETARY.
(a) In General.--The Secretary shall have primary authority, in
consultation with the Director of the National Office for Cyberspace
and the Federal Cyberspace Practice Board, in the executive branch of
the Federal Government in creation, verification, and enforcement of
measures with respect to the protection of critical information
infrastructure, including promulgating risk-informed information
security practices and standards applicable to critical information
infrastructures that are not owned by or under the direct control of
the Federal Government. The Secretary should consult with appropriate
private sector entities, including private owners and operators of the
affected infrastructure, to carry out this section.
(b) Other Federal Agencies.--In establishing measures with respect
to the protection of critical information infrastructure the Secretary
shall--
(1) consult with the Secretary of Commerce, the Secretary
of Defense, the National Institute of Standards and Technology,
and other sector specific Federal regulatory agencies in
exercising the authority referred to in subsection (a); and
(2) coordinate, though the Executive Office of the
President, with sector specific Federal regulatory agencies,
including the Federal Energy Regulatory Commission, in
establishing enforcement mechanisms under the authority
referred to in subsection (a).
(c) Auditing Authority.--The Secretary may--
(1) conduct such audits as are necessary to ensure that
appropriate measures are taken to secure critical information
infrastructure;
(2) issue such subpoenas as are necessary to determine
compliance with Federal regulatory requirements for securing
critical information infrastructure; and
(3) authorize sector specific Federal regulatory agencies
to undertake such audits.
<all>