[House Report 110-777]
[From the U.S. Government Publishing Office]

110th Congress                                                   Report
HOUSE OF REPRESENTATIVES
2d Session                                                      110-777

======================================================================

HOMELAND SECURITY NETWORK DEFENSE AND ACCOUNTABILITY ACT OF 2008

_______

July 24, 2008.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

_______

Mr. Thompson of Mississippi, from the Committee on Homeland Security, submitted the following

REPORT

[To accompany H.R. 5983]

[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security, to whom was referred the bill (H.R. 5983) to amend the Homeland Security Act of 2002 to enhance the information security of the Department of Homeland Security, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass.

CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Advisory Committee Statement
Constitutional Authority Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported
Committee Correspondence

The amendment is as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Homeland Security Network Defense and Accountability Act of 2008''.

SEC. 2. AUTHORITY OF CHIEF INFORMATION OFFICER; QUALIFICATIONS FOR APPOINTMENT.

Section 703(a) of the Homeland Security Act of 2002 (6 U.S.C. 343(a)) is amended--
    (1) by inserting before the first sentence the following:
        ``(1) Authorities and duties.--The Secretary shall delegate to the Chief Information Officer such authority necessary for the development, approval, implementation, integration, and oversight of policies, procedures, processes, activities, funding, and systems of the Department relating to the management of information and information infrastructure for the Department, including the management of all related mission applications, information resources, and personnel.
        ``(2) Line authority.--''; and
    (2) by adding at the end the following new paragraphs:
        ``(3) Qualifications for appointment.--An individual may not be appointed as Chief Information Officer unless the individual has--
            ``(A) demonstrated ability in and knowledge of information technology and information security; and
            ``(B) not less than 5 years of executive leadership and management experience in information technology and information security in the public or private sector.
        ``(4) Functions.--The Chief Information Officer shall--
            ``(A) establish and maintain an incident response team that provides a continuous, real-time capability within the Department of Homeland Security to--
                ``(i) detect, respond to, contain, investigate, attribute, and mitigate any computer incident, as defined by the National Institute of Standards and Technology, that could violate or pose an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices of the Department; and
                ``(ii) deliver timely notice of any incident to individuals responsible for information infrastructure of the Department, and to the United States Computer Emergency Readiness Team;
            ``(B) establish, maintain, and update a network architecture, including a diagram detailing how security controls are positioned throughout the information infrastructure of the Department to maintain the confidentiality, integrity, availability, accountability, and assurance of electronic information; and
            ``(C) ensure that vulnerability assessments are conducted on a regular basis for any Department information infrastructure connected to the Internet or another external network, and that vulnerabilities are mitigated in a timely fashion.''.

SEC. 3. ATTACK-BASED TESTING PROTOCOLS.

Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is amended by adding at the end the following new subsection:
    ``(c) Attack-Based Testing Protocols.--The Chief Information Officer, in consultation with the Inspector General, the Assistant Secretary for Cybersecurity, and the heads of other appropriate Federal agencies, shall--
        ``(1) establish security control testing protocols that ensure that the Department's information infrastructure is effectively protected against known attacks against and exploitations of Federal and contractor information infrastructure;
        ``(2) oversee the deployment of such protocols throughout the information infrastructure of the Department; and
        ``(3) update such protocols on a regular basis.''.

SEC. 4. INSPECTOR GENERAL REVIEWS OF INFORMATION INFRASTRUCTURE.

Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is further amended by adding at the end the following new subsection:
    ``(d) Inspector General Reviews.--
        ``(1) In general.--The Inspector General of the Department shall use authority under the Inspector General Act of 1978 (5 App. U.S.C.) to conduct announced and unannounced performance reviews and programmatic reviews of the information infrastructure of the Department to determine the effectiveness of security policies and controls of the Department.
        ``(2) Performance reviews.--Performance reviews under this subsection shall test and validate a system's security controls using the protocols created under subsection (c), beginning not later than 270 days after the date of enactment of the Homeland Security Network Defense and Accountability Act of 2008.
        ``(3) Programmatic reviews.--Programmatic reviews under this subsection shall--
            ``(A) determine whether an agency of the Department is complying with policies, processes, and procedures established by the Chief Information Officer; and
            ``(B) focus on risk assessment, risk management, and risk mitigation, with primary regard to the implementation of best practices such as authentication, access control (including remote access), intrusion detection and prevention, data protection and integrity, and any other controls that the Inspector General considers necessary.
        ``(4) Information security report.--The Inspector General shall submit a security report containing the results of each review under this subsection and prioritized recommendations for improving security controls based on that review, including recommendations regarding funding changes and personnel management, to--
            ``(A) the Secretary;
            ``(B) the Chief Information Officer; and
            ``(C) the head of the Department component that was the subject of the review, and other appropriate individuals responsible for the information infrastructure of such agency.
        ``(5) Corrective action report.--
            ``(A) In general.--Within 60 days after receiving a security report under paragraph (4), the head of the Department component that was the subject of the review and the Chief Information Officer shall jointly submit a corrective action report to the Secretary and the Inspector General.
            ``(B) Contents.--The corrective action report--
                ``(i) shall contain a plan for addressing recommendations and mitigating vulnerabilities contained in the security report, including a timeline and budget for implementing such plan; and
                ``(ii) shall note any matters in disagreement between the head of the Department component and the Chief Information Officer.
        ``(6) Reports to congress.--
            ``(A) Annual reports.--In conjunction with the reporting requirements of section 3545 of title 44, United States Code, the Inspector General shall submit an annual report to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate--
                ``(i) summarizing the performance and programmatic reviews performed during the preceding fiscal year, the results of those reviews, and any actions that remain to be taken under plans included in corrective action reports under paragraph (5); and
                ``(ii) describing the effectiveness of the testing protocols developed under subsection (c) in reducing successful exploitations of the Department's information infrastructure.
            ``(B) Security reports and corrective action reports.--The Inspector General shall make all security reports and corrective action reports available to any member of the Committee on Homeland Security of the House of Representatives, any member of the Committee on Homeland Security and Governmental Affairs of the Senate, and the Comptroller General of the United States, upon request.''.

SEC. 5. INFORMATION INFRASTRUCTURE DEFINED.

Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is further amended by adding at the end the following:
    ``(e) Information Infrastructure Defined.--In this section, the term `information infrastructure' means systems and assets used in processing, transmitting, receiving, or storing information electronically.''.

SEC. 6. NETWORK SERVICE PROVIDERS.

(a) In General.--Subtitle D of title VIII of the Homeland Security Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the following new section:

``SEC. 836. REQUIREMENTS FOR NETWORK SERVICE PROVIDERS.
    ``(a) Compatibility Determination.--
        ``(1) In general.--Before entering into or renewing a covered contract, the Secretary, acting through the Chief Information Officer, must determine that the contractor has an internal information systems security policy that complies with the Department's information security requirements for risk assessment, risk management, and risk mitigation, with primary regard to the implementation of best practices such as authentication, access control (including remote access), intrusion detection and prevention, data protection and integrity, and any other policies that the Secretary considers necessary to ensure the security of the Department's information infrastructure.
        ``(2) Limitation on public disclosures.--The Chief Information Officer shall not disclose to the public any information provided for purposes of such determination, notwithstanding any other provision of Federal, State, or local law, including section 552 of title 5, United States Code.
    ``(b) Contract Requirements Regarding Security.--The Secretary shall include in each covered contract provisions requiring the contractor to--
        ``(1) implement and regularly update the internal information systems security policy required under subsection (a);
        ``(2) maintain the capability to provide contracted services on a continuing and ongoing basis to the Department in the event of an unplanned or disruptive event; and
        ``(3) deliver timely notice of any internal computer incident, as defined by the National Institute of Standards and Technology, that could violate or pose an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices at the Department, to the United States Computer Emergency Readiness Team and the incident response team established under section 703(a)(4).
    ``(c) Contract Requirements Regarding Subcontracting.--The Secretary shall include in each covered contract--
        ``(1) a requirement that the contractor develop and implement a plan for the award of subcontracts, as appropriate, to small business concerns and disadvantaged business concerns in accordance with other applicable requirements, including the terms of such plan, as appropriate; and
        ``(2) a requirement that the contractor submit to the Secretary, during performance of the contract, periodic reports describing the extent to which the contractor has complied with such plan, including specification (by total dollar amount and by percentage of the total dollar value of the contract) of the value of subcontracts awarded at all tiers of subcontracting to small business concerns, including socially and economically disadvantaged small business concerns, small business concerns owned and controlled by service-disabled veterans, HUBZone small business concerns, small business concerns eligible to be awarded contracts pursuant to section 8(a) of the Small Business Act (15 U.S.C. 637(a)), and Historically Black Colleges and Universities and Hispanic-serving institutions, tribal colleges and universities, and other minority institutions.
    ``(d) Existing Contracts.--The Secretary shall, to the extent practicable under the terms of existing contracts, require each contractor who provides covered information services under a contract in effect on the date of the enactment of the Homeland Security Network Defense and Accountability Act of 2008 to comply with the requirements described in subsection (b).
    ``(e) Definitions.--For purposes of this section:
        ``(1) Socially and economically disadvantaged small business concern, small business concern owned and controlled by service-disabled veterans, and hubzone small business concern.--The terms `socially and economically disadvantaged small business concern', `small business concern owned and controlled by service-disabled veterans', and `HUBZone small business concern' have the meanings given such terms under the Small Business Act (15 U.S.C. 631 et seq.).
        ``(2) Contractor.--The term `contractor' includes each subcontractor of a contractor.
        ``(3) Covered contract.--The term `covered contract' means a contract entered into or renewed after the date of the enactment of the Homeland Security Network Defense and Accountability Act of 2008 for the provision of covered information services.
        ``(4) Covered information services.--The term `covered information services' means creation, management, maintenance, control, or operation of information networks or Internet Web sites for the Department.
        ``(5) Historically black colleges and universities.--The term `Historically Black Colleges and Universities' means part B institutions under title III of the Higher Education Act of 1965 (20 U.S.C. 1061).
        ``(6) Hispanic-serving institution.--The term `Hispanic-serving institution' has the meaning given such term under title V of the Higher Education Act of 1965 (20 U.S.C. 1101a(a)(5)).
        ``(7) Information infrastructure.--The term `information infrastructure' has the meaning that term has under section 703.
        ``(8) Tribal colleges and universities.--The term `tribal colleges and universities' has the meaning given such term under the Tribally Controlled College or University Assistance Act of 1978 (25 U.S.C. 1801 et seq.).''.

(b) Clerical Amendment.--The table of contents in section 1(b) of such Act is amended by inserting after the item relating to section 835 the following new item:

``Sec. 836. Requirements for network service providers.''.

(c) Report.--Within 90 days after the date of enactment of this Act, the Secretary of Homeland Security shall transmit to the Committee on Homeland Security of the House of Representatives and the Homeland Security and Governmental Affairs Committee of the Senate a report describing--
    (1) the progress in implementing requirements issued by the Office of Management and Budget for encryption, authentication, Internet Protocol version 6, and Trusted Internet Connections, including a timeline for completion;
    (2) a plan, including an estimated budget and a timeline, to investigate breaches against the Department of Homeland Security's information infrastructure for purposes of counterintelligence assessment, attribution, and response;
    (3) a proposal to increase threat information sharing with cleared and uncleared contractors and provide specialized damage assessment training to private sector information security professionals; and
    (4) a process to coordinate the Department of Homeland Security's information infrastructure protection activities.

Purpose and Summary

The purpose of H.R. 5983 is to amend the Homeland Security Act of 2002 to enhance the information security of the Department of Homeland Security, and for other purposes.

Background and Need for Legislation

During the course of the 110th Congress, the Subcommittee on Emerging Threats, Cybersecurity, Science and Technology of the Committee on Homeland Security conducted dozens of hearings and investigations into cybersecurity issues affecting Federal and critical infrastructure networks, with the goal of increasing public awareness, fixing vulnerabilities, and holding individuals, agencies, and private sector entities responsible and accountable for their actions.
The Committee became particularly concerned with improving the information security posture of the Department of Homeland Security, regarded by many experts--including the Government Accountability Office--as having inadequate security controls in place to safeguard the existing information infrastructure. For instance, during one investigation into the Department's information security practices, the Committee found that weaknesses in security practices resulted in the exfiltration of Departmental data to foreign-language websites. The Committee believes that over time, the theft of critical information from Government servers like those operated by the Department could be harmful to the national and economic security of the United States.

The Committee believes the Department of Homeland Security should be the nation's leader in information security, and seeks to hold the Department to higher standards than other executive agencies through this legislation.

Hearings

No hearings were held on H.R. 5983; however, the Committee conducted oversight hearings on cybersecurity issues.

On February 15, 2007, the Committee on Homeland Security held a hearing entitled ``Lessons Learned and Grading Goals: The Department of Homeland Security in 2007.'' The Committee received testimony from Michael Jackson, Deputy Secretary, Department of Homeland Security.

On April 19, 2007, the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology held a hearing entitled ``Cyber Insecurity: Hackers are Penetrating Federal Systems and Critical Infrastructure.'' The Subcommittee received testimony from Mr. Greg Wilshusen, Director, Information Security Issues, Government Accountability Office; Mr. Donald Reid, Senior Coordinator for Security Infrastructure, Bureau of Diplomatic Security, Department of State; Mr. Dave Jarrell, Manager, Critical Infrastructure Protection Program, Department of Commerce; Mr. Jerry Dixon, Director, National Cyber Security Division, Department of Homeland Security; Mr. Aaron Turner, Cybersecurity Strategist, National & Homeland Security, Idaho National Laboratory; and Mr. Ken Silva, Chief Security Officer, VeriSign.

On April 25, 2007, the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology held a hearing entitled ``Addressing the Nation's Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action.'' The Subcommittee received testimony from Dr. Daniel E. Geer, Jr., Principal, Geer Risk Services, LLC; Dr. James Andrew Lewis, Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies; Dr. Douglas Maughan, Program Manager, Cyber Security R&D, Science and Technology Directorate, Department of Homeland Security; and Mr. O. Sami Saydjari, President, Professionals for Cyber Defense; Chief Executive Officer, Cyber Defense Agency, LLC.

On June 20, 2007, the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology held a hearing entitled ``Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security.'' The Subcommittee received testimony from Mr. Scott Charbo, Chief Information Officer, Department of Homeland Security; Mr. Greg Wilshusen, Director, Information Security Issues, Government Accountability Office; and Mr. Keith A. Rhodes, Chief Technologist, Director, Center for Technology and Engineering, Government Accountability Office.

Committee Consideration

H.R. 5983 was introduced in the House by Mr. Langevin and Mr. Thompson of Mississippi on May 7, 2008, and referred solely to the Committee on Homeland Security. The Committee on Homeland Security considered H.R. 5983 on June 26, 2008, and ordered the measure to be reported to the House favorably, as amended, by voice vote.

The following amendment was offered:

An Amendment in the Nature of a Substitute offered by Mr. Langevin (#1); was AGREED TO by unanimous consent.

Committee Votes

Clause 3(b) of Rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during Committee consideration.

Committee Oversight Findings

Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report.

New Budget Authority, Entitlement Authority, and Tax Expenditures

In compliance with clause 3(c)(2) of Rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 5983, the Homeland Security Network Defense and Accountability Act of 2008, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

Congressional Budget Office Estimate

The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.

                                        U.S. Congress,
                                        Congressional Budget Office,
                                        Washington, DC, July 10, 2008.
Hon. Bennie G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 5983, the Homeland Security Network Defense and Accountability Act of 2008.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz.

Sincerely,
Robert A. Sunshine
(For Peter R. Orszag, Director).

Enclosure.

H.R. 5983--Homeland Security Network Defense and Accountability Act of 2008

Summary: H.R. 5983 would direct the Department of Homeland Security (DHS) to improve the security of its computer networks and increase oversight of contractors that provide network services to the department.
Assuming appropriation of the necessary amounts, CBO estimates that implementing H.R. 5983 would cost $163 million over the 2009-2013 period for DHS to hire additional staff to carry out the bill's provisions. Enacting H.R. 5983 would not affect direct spending or revenues.

H.R. 5983 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would not affect the budgets of state, local, or tribal governments.

Estimated cost to the Federal Government: The estimated budgetary impact of H.R. 5983 is shown in the following table. The costs of this legislation fall within budget function 750 (administration of justice).

------------------------------------------------------------------------------------------
                                                  By fiscal year, in millions of dollars--
                                                  ----------------------------------------
                                                  2009   2010   2011   2012   2013   2009-2013
------------------------------------------------------------------------------------------
                      CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level...................    27     34     34     35     36      166
Estimated Outlays...............................    25     33     34     35     36      163
------------------------------------------------------------------------------------------

Basis of estimate: H.R. 5983 would direct DHS to improve the security of its computer networks and increase oversight of contractors that provide network services to the department. The bill would require the department to establish and maintain an incident response team capable of responding at any time to a threat to the security of the department's computers. Based on information provided by DHS on how the department would likely carry out the bill's provisions, CBO expects that the department would need to hire about 150 additional staff.
Additional personnel would be hired by the Chief Information Officer, the Inspector General, and the procurement office. We estimate that annual costs would reach $33 million by 2010, including salaries, benefits, training and support costs, and new hardware and software components.

Estimated intergovernmental and private-sector impact: H.R. 5983 contains no intergovernmental or private-sector mandates as defined in UMRA and would not affect the budgets of state, local, or tribal governments.

Estimate prepared by: Federal Costs: Mark Grabowicz; Impact on State, Local, and Tribal Governments: Burke Doherty; Impact on the Private Sector: Paige Piper/Bach.

Estimate approved by: Theresa Gullo, Deputy Assistant Director for Budget Analysis.

Statement of General Performance Goals and Objectives

Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 5983 contains the following general performance goals and objectives, including outcome related goals and objectives authorized.

This legislation takes a critical step toward improving the cybersecurity posture at the Department of Homeland Security by ensuring a robust defense-in-depth of the Department's information systems, and holding individuals at all levels accountable for mitigating vulnerabilities within the information technology infrastructure. The legislation establishes authorities and qualifications for the Chief Information Officer (CIO) position at the Department, including specific operational security practices for the CIO to implement. The bill also establishes testing protocols, to reduce the number of successful vulnerability exploitations throughout the Department's networks.
Finally, the legislation requires the Secretary of the Department of Homeland Security to make determinations about the security posture of contractors prior to entering into network service agreements with them; create a detailed counter-intelligence plan to investigate all cyber breaches; and report on a program to increase threat information sharing with cleared contractors. Each of these measures will improve the overall information security at the Department.

Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits

In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of the rule XXI.

Federal Mandates Statement

The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act.

Advisory Committee Statement

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

Constitutional Authority Statement

Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds that the Constitutional authority for this legislation is provided in Article I, section 8, clause 1, which grants Congress the power to provide for the common defense of the United States.

Applicability to Legislative Branch

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

Section-by-Section Analysis of the Legislation

Section 1. Short title

This section cites the measure as the ``Homeland Security Network Defense and Accountability Act of 2008.''

Section 2. Authority of CIO and qualifications

This section requires the Secretary to delegate authorities essential for the Chief Information Officer (CIO) to manage the information and information infrastructure for the Department and requires a CIO to possess certain qualifications, including a background in information security and management. The Committee believes the inclusion of professional requirements will provide the Department with requisite expertise for such an important executive position.

Similarly, the Committee is concerned that information security has not received the attention it deserves. Therefore, the Committee directs the CIO to establish and maintain a continuous real-time incident response team, a network architecture with security controls, and regularly perform vulnerability assessments on the infrastructure.

Section 3. Attack-based testing protocols

This section requires the CIO to consult with the Department of Homeland Security Inspector General, the Assistant Secretary for Cybersecurity, and the heads of other appropriate Federal agencies--including, for instance, the Department of Defense and the experienced practitioners at the National Security Agency's Information Assurance Division--to establish security control testing protocols that will protect the Department's information infrastructure against known attacks and exploitations.

The Committee is concerned that the Federal Information Security Management Act (FISMA), while bringing much needed public scrutiny to the information security practices across the Federal Government, has not been as effective in curtailing sophisticated attacks against the Federal information infrastructure. Network administrators must be able to identify and mitigate ongoing exploitations of the Department's infrastructure in order to limit the exfiltration of sensitive information out of the Federal government.
The Committee expects this section will transition information security requirements from a paperwork exercise into operational improvements on the enterprise level. The Committee believes the creation and deployment of new testing protocols throughout the Department's infrastructure will help guard against ongoing attacks.

Section 4. Inspector General reviews of information infrastructure

This section requires the Department of Homeland Security Inspector General to conduct announced and unannounced performance and programmatic reviews of the information infrastructure of the Department to determine the effectiveness of security policies and controls. The Committee seeks to expand upon the model that exists at the Department of Energy's Office of Independent Oversight, requiring the Inspector General to conduct performance reviews based on the protocols created by the CIO and other officials in accordance with the previous section and programmatic reviews to determine the extent to which a Department agency is complying with the policies and procedures established by the CIO. It is important to note that these performance and programmatic reviews are in addition to those reports required by FISMA, and are not an alternative to those mandates.

After conducting a performance or programmatic review, the Inspector General will issue a security report containing the results of the review, including recommendations regarding funding and personnel management to the Secretary, the CIO, the head of the Department component subject to the review, and other appropriate individuals who are responsible for information security at these components. Within 60 days of receiving the security report, the head of the Department component subject to the review and the CIO must submit a corrective action report which includes a plan to address the recommendations of the Inspector General and mitigate the vulnerabilities uncovered during the review.
The Committee recognizes that mitigating vulnerabilities requires appropriate plans and budgets, something that only comes from appropriate executive involvement and oversight and which has not been a priority of the Department. The Committee seeks to create accountability among all Department employees, especially executives responsible for information security within their agencies.

Section 5. Requirements for network service providers

This section requires the CIO, prior to entering into or renewing a covered contract, to determine that the contractor's internal information systems security policy complies with the Department's information security requirements. The Committee found that this common private sector best practice often does not occur at the Department. These efforts are vital to reduce vulnerabilities and successful exploitations at the Department, and must become a part of the procurement language. To help identify the most important aspects of information security management, the Committee directs the CIO to focus his review on risk assessment, risk management, and risk mitigation, with primary regard to the implementation of best practices such as authentication, access control (including remote access), intrusion detection and prevention, data protection and integrity, and any other policy that the Secretary considers necessary to secure the Department's information infrastructure. The Committee believes that by ensuring a high level of security of its contractors, the Department can elevate its own security. Furthermore, the provision requiring the contractor to implement and update its own internal information systems security policy will give the Department legal recourse in the event that it wishes to hold contractors liable for security breaches of contractor-owned networks that affect Department information.
This section also requires the Secretary to include in each covered contract provisions requiring the contractor to deliver timely notice of any internal computer incident that could violate or pose an imminent threat of violation of computer security policies or practices at the Department to the United States Computer Emergency Readiness Team (US-CERT) and the CIO's incident response team. These practices are designed to ensure situational awareness of the Department and enhance the security of Government-wide networks. Because the requirements in this section apply only to contracts entered into after the date of enactment, the Secretary is instructed to obtain this information from current contractors to the extent practicable under the terms of existing contracts.

Furthermore, this section requires the Secretary to issue, within 90 days of enactment, a report to the appropriate House and Senate Committees describing: (1) the progress in implementing requirements issued by the Office of Management and Budget for encryption, authentication, Internet Protocol version 6, and Trusted Internet Connections, including a timeline for completion; (2) a plan, including an estimated budget and a timeline, to investigate breaches against the Department of Homeland Security's information infrastructure for the purposes of counterintelligence assessment, attribution, and response; (3) a proposal to increase threat information sharing with cleared and uncleared contractors and provide specialized damage assessment training to private sector information security professionals; and (4) a process to coordinate the Department's information infrastructure protection activities as required in the recent report by the Office of the Inspector General. The Committee is alarmed at the Department's lack of progress in implementing encryption and Internet Protocol version 6 (IPv6) transition requirements, and believes this should be a top priority for the Secretary.
In light of the Committee's investigation into data exfiltration out of the Department's networks, the Committee remains concerned that the Department's Office of Security does not have the resources or manpower to develop an agency-wide counterintelligence plan, and expects to see a comprehensive initiative developed by both the Office of Security and the Chief Information Officer. The Committee expects the Department will develop a program similar to the ongoing initiative between the Department of Defense and the Defense Industrial Base.

Changes in Existing Law Made by the Bill, as Reported

In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italic and existing law in which no change is proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) * * *

(b) Table of Contents.--The table of contents for this Act is as follows:

* * * * * * *

TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

* * * * * * *

Subtitle D--Acquisitions

* * * * * * *

Sec. 836. Requirements for network service providers.

* * * * * * *

TITLE VII--MANAGEMENT

* * * * * * *

SEC. 703. CHIEF INFORMATION OFFICER.

(a) In General.--
    (1) Authorities and duties.--The Secretary shall delegate to the Chief Information Officer such authority necessary for the development, approval, implementation, integration, and oversight of policies, procedures, processes, activities, funding, and systems of the Department relating to the management of information and information infrastructure for the Department, including the management of all related mission applications, information resources, and personnel.
    (2) Line authority.--The Chief Information Officer shall report to the Secretary, or to another official of the Department, as the Secretary may direct.
    (3) Qualifications for appointment.--An individual may not be appointed as Chief Information Officer unless the individual has--
        (A) demonstrated ability in and knowledge of information technology and information security; and
        (B) not less than 5 years of executive leadership and management experience in information technology and information security in the public or private sector.
    (4) Functions.--The Chief Information Officer shall--
        (A) establish and maintain an incident response team that provides a continuous, real-time capability within the Department of Homeland Security to--
            (i) detect, respond to, contain, investigate, attribute, and mitigate any computer incident, as defined by the National Institute of Standards and Technology, that could violate or pose an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices of the Department; and
            (ii) deliver timely notice of any incident to individuals responsible for information infrastructure of the Department, and to the United States Computer Emergency Readiness Team;
        (B) establish, maintain, and update a network architecture, including a diagram detailing how security controls are positioned throughout the information infrastructure of the Department to maintain the confidentiality, integrity, availability, accountability, and assurance of electronic information; and
        (C) ensure that vulnerability assessments are conducted on a regular basis for any Department information infrastructure connected to the Internet or another external network, and that vulnerabilities are mitigated in a timely fashion.
* * * * * * *

(c) Attack-Based Testing Protocols.--The Chief Information Officer, in consultation with the Inspector General, the Assistant Secretary for Cybersecurity, and the heads of other appropriate Federal agencies, shall--
    (1) establish security control testing protocols that ensure that the Department's information infrastructure is effectively protected against known attacks against and exploitations of Federal and contractor information infrastructure;
    (2) oversee the deployment of such protocols throughout the information infrastructure of the Department; and
    (3) update such protocols on a regular basis.

(d) Inspector General Reviews.--
    (1) In general.--The Inspector General of the Department shall use authority under the Inspector General Act of 1978 (5 U.S.C. App.) to conduct announced and unannounced performance reviews and programmatic reviews of the information infrastructure of the Department to determine the effectiveness of security policies and controls of the Department.
    (2) Performance reviews.--Performance reviews under this subsection shall test and validate a system's security controls using the protocols created under subsection (c), beginning not later than 270 days after the date of enactment of the Homeland Security Network Defense and Accountability Act of 2008.
    (3) Programmatic reviews.--Programmatic reviews under this subsection shall--
        (A) determine whether an agency of the Department is complying with policies, processes, and procedures established by the Chief Information Officer; and
        (B) focus on risk assessment, risk management, and risk mitigation, with primary regard to the implementation of best practices such as authentication, access control (including remote access), intrusion detection and prevention, data protection and integrity, and any other controls that the Inspector General considers necessary.
    (4) Information security report.--The Inspector General shall submit a security report containing the results of each review under this subsection and prioritized recommendations for improving security controls based on that review, including recommendations regarding funding changes and personnel management, to--
        (A) the Secretary;
        (B) the Chief Information Officer; and
        (C) the head of the Department component that was the subject of the review, and other appropriate individuals responsible for the information infrastructure of such agency.
    (5) Corrective action report.--
        (A) In general.--Within 60 days after receiving a security report under paragraph (4), the head of the Department component that was the subject of the review and the Chief Information Officer shall jointly submit a corrective action report to the Secretary and the Inspector General.
        (B) Contents.--The corrective action report--
            (i) shall contain a plan for addressing recommendations and mitigating vulnerabilities contained in the security report, including a timeline and budget for implementing such plan; and
            (ii) shall note any matters in disagreement between the head of the Department component and the Chief Information Officer.
    (6) Reports to congress.--
        (A) Annual reports.--In conjunction with the reporting requirements of section 3545 of title 44, United States Code, the Inspector General shall submit an annual report to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate--
            (i) summarizing the performance and programmatic reviews performed during the preceding fiscal year, the results of those reviews, and any actions that remain to be taken under plans included in corrective action reports under paragraph (5); and
            (ii) describing the effectiveness of the testing protocols developed under subsection (c) in reducing successful exploitations of the Department's information infrastructure.
        (B) Security reports and corrective action reports.--The Inspector General shall make all security reports and corrective action reports available to any member of the Committee on Homeland Security of the House of Representatives, any member of the Committee on Homeland Security and Governmental Affairs of the Senate, and the Comptroller General of the United States, upon request.

(e) Information Infrastructure Defined.--In this section, the term ``information infrastructure'' means systems and assets used in processing, transmitting, receiving, or storing information electronically.

* * * * * * *

TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

* * * * * * *

Subtitle D--Acquisitions

* * * * * * *

SEC. 836. REQUIREMENTS FOR NETWORK SERVICE PROVIDERS.

(a) Compatibility Determination.--
    (1) In general.--Before entering into or renewing a covered contract, the Secretary, acting through the Chief Information Officer, must determine that the contractor has an internal information systems security policy that complies with the Department's information security requirements for risk assessment, risk management, and risk mitigation, with primary regard to the implementation of best practices such as authentication, access control (including remote access), intrusion detection and prevention, data protection and integrity, and any other policies that the Secretary considers necessary to ensure the security of the Department's information infrastructure.
    (2) Limitation on public disclosures.--The Chief Information Officer shall not disclose to the public any information provided for purposes of such determination, notwithstanding any other provision of Federal, State, or local law, including section 552 of title 5, United States Code.
(b) Contract Requirements Regarding Security.--The Secretary shall include in each covered contract provisions requiring the contractor to--
    (1) implement and regularly update the internal information systems security policy required under subsection (a);
    (2) maintain the capability to provide contracted services on a continuing and ongoing basis to the Department in the event of an unplanned or disruptive event; and
    (3) deliver timely notice of any internal computer incident, as defined by the National Institute of Standards and Technology, that could violate or pose an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices at the Department, to the United States Computer Emergency Readiness Team and the incident response team established under section 703(a)(4).

(c) Contract Requirements Regarding Subcontracting.--The Secretary shall include in each covered contract--
    (1) a requirement that the contractor develop and implement a plan for the award of subcontracts, as appropriate, to small business concerns and disadvantaged business concerns in accordance with other applicable requirements, including the terms of such plan, as appropriate; and
    (2) a requirement that the contractor submit to the Secretary, during performance of the contract, periodic reports describing the extent to which the contractor has complied with such plan, including specification (by total dollar amount and by percentage of the total dollar value of the contract) of the value of subcontracts awarded at all tiers of subcontracting to small business concerns, including socially and economically disadvantaged small business concerns, small business concerns owned and controlled by service-disabled veterans, HUBZone small business concerns, small business concerns eligible to be awarded contracts pursuant to section 8(a) of the Small Business Act (15 U.S.C. 637(a)), and Historically Black Colleges and Universities and Hispanic-serving institutions, tribal colleges and universities, and other minority institutions.

(d) Existing Contracts.--The Secretary shall, to the extent practicable under the terms of existing contracts, require each contractor who provides covered information services under a contract in effect on the date of the enactment of the Homeland Security Network Defense and Accountability Act of 2008 to comply with the requirements described in subsection (b).

(e) Definitions.--For purposes of this section:
    (1) Socially and economically disadvantaged small business concern, small business concern owned and controlled by service-disabled veterans, and hubzone small business concern.--The terms ``socially and economically disadvantaged small business concern'', ``small business concern owned and controlled by service-disabled veterans'', and ``HUBZone small business concern'' have the meanings given such terms under the Small Business Act (15 U.S.C. 631 et seq.).
    (2) Contractor.--The term ``contractor'' includes each subcontractor of a contractor.
    (3) Covered contract.--The term ``covered contract'' means a contract entered into or renewed after the date of the enactment of the Homeland Security Network Defense and Accountability Act of 2008 for the provision of covered information services.
    (4) Covered information services.--The term ``covered information services'' means creation, management, maintenance, control, or operation of information networks or Internet Web sites for the Department.
    (5) Historically black colleges and universities.--The term ``Historically Black Colleges and Universities'' means part B institutions under title III of the Higher Education Act of 1965 (20 U.S.C. 1061).
    (6) Hispanic-serving institution.--The term ``Hispanic-serving institution'' has the meaning given such term under title V of the Higher Education Act of 1965 (20 U.S.C. 1101a(a)(5)).
    (7) Information infrastructure.--The term ``information infrastructure'' has the meaning that term has under section 703.
    (8) Tribal colleges and universities.--The term ``tribal colleges and universities'' has the meaning given such term under the Tribally Controlled College or University Assistance Act of 1978 (25 U.S.C. 1801 et seq.).

* * * * * * *