H.R. 4257: Federal Information Security Amendments Act of 2012

Date
April 26, 2012 (112th Congress, 2nd Session)

Staff Contact
Sarah Makin

Floor Situation

On Thursday, April 26, 2012, the House is scheduled to consider H.R. 4257, the Federal Information Security Amendments Act of 2012, under a suspension of the rules requiring a two-thirds majority for approval.  The bill was introduced on March 26, 2012, by Rep. Darrell Issa (R-CA) and referred to the Committee on Oversight and Government Reform, which reported the bill on April 18, 2012.

Bill Summary

H.R. 4257 would authorize the Director of the Office of Management and Budget (OMB) to do the following:

(1) Oversee the development and implementation of policies, principles, standards, and guidelines on information security;

(2) Require agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or information systems;

(3) Coordinate the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act with agencies and offices operating or exercising control of national security systems;

(4) Oversee agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements;

(5) Review and approve or disapprove agency information security programs required under section 3554(b);

(6) Coordinate information security policies and procedures with related information resources management policies and procedures;

(7) Oversee the operation of the Federal information security incident center required under section 3555; and

(8) Report to Congress on agency compliance with the requirements of the bill.

The bill would clarify that certain authorities of the Director shall be delegated to the Secretary of Defense in the case of systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense; and that certain authorities of the Director shall be delegated to the Director of Central Intelligence in the case of systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency.

The bill would direct the head of each agency to do the following:

(1) Provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency;

(2) Ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control;

(3) Designate a Chief Information Security Officer with the authority and primary responsibility to develop, implement, and oversee an agency-wide information security program to ensure and enforce compliance with the requirements imposed on the agency;

(4) Ensure that the agency has a sufficient number of trained and cleared personnel to assist the agency in complying with the requirements of the bill, other applicable laws, and related policies, procedures, standards, and guidelines;

(5) Ensure that the Chief Information Security Officer reports periodically, but not less than annually, to the agency head on the effectiveness of the agency information security program, along with information derived from automated and continuous monitoring, when possible, and threat assessments, including progress of remedial actions;

(6) Ensure that the Chief Information Security Officer possesses the necessary qualifications and the security clearance required; and

(7) Ensure that components of that agency establish and maintain an automated reporting mechanism that allows the Chief Information Security Officer to implement, monitor, and hold senior agency officers accountable for the implementation of appropriate security policies, procedures, and controls of agency components.

The bill would direct each agency to develop, document, and implement an agency-wide information security program that includes the following:

(1) Automated and continuous monitoring, when possible;

(2) Vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems;

(3) Policies and procedures that cost-effectively reduce information security risks and ensure compliance with the requirements of this subchapter and any other applicable policies, procedures, and requirements;

(4) Automated and continuous monitoring, when possible, for testing and evaluation of the effectiveness and compliance of information security policies, procedures, and practices;

(5) A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;

(6) Automated and continuous monitoring, when possible, for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the National Institute of Standards and Technology, to include notifying and, as appropriate, consulting with law enforcement agencies, relevant Offices of Inspectors General, and any other agency, office, or entity, in accordance with the law or as directed by the President; and

(7) Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

H.R. 4257 would also require the Director of OMB to ensure that the operation of a central Federal information security incident center:

(1) Provides timely technical assistance to operators of agency information systems regarding security incidents;

(2) Compiles and analyzes information about incidents that threaten information security;

(3) Informs operators of agency information systems about current and potential information security threats and vulnerabilities; and

(4) Consults with the National Institute of Standards and Technology and agencies or offices operating or exercising control of national security systems regarding information security incidents and related matters.

The bill would direct agencies operating or exercising control of a national security system to share information about information security incidents, threats, and vulnerabilities with the Federal information security incident center to the extent consistent with standards and guidelines for national security systems.

H.R. 4257 would require the Director of OMB to review and approve the policies, procedures, and guidance to ensure that the Federal information security incident center has the capability to detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems of more than one agency.

Lastly, the bill would make the head of each agency operating or exercising control of a national security system responsible for ensuring that the agency does the following:

(1) Provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and

(2) Implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.

Background

According to the House Committee on Oversight and Government Reform, the bill would enhance the Federal Information Security Management Act (FISMA) of 2002 by improving the framework for securing information technology systems. It would also establish a mechanism for stronger oversight of information technology systems by focusing on “automated and continuous monitoring” of cybersecurity threats and regular “threat assessments.”

Since its enactment, FISMA has become a compliance activity in which “check-the-box” compliance often takes precedence over security. As a necessary update to FISMA, the bill would aim to incorporate the last decade of technological innovation while addressing the apparent shortcomings of FISMA.

The Government Accountability Office recently found that security incidents among 24 key agencies had increased more than 650 percent during the last five years. To address these challenges, the bill would call for automated and continuous monitoring, when possible, and would ensure that control monitoring finally incorporates regular threat assessments. H.R. 4257 would also emphasize the importance of commercially developed information security products to national security efforts.

Pursuant to FISMA, the Director of the Office of Management and Budget (OMB) is directly responsible for “oversee[ing] agency information security policies and practices,” including the full implementation of FISMA. Because some confusion currently exists as to 1) who is actually in charge of FISMA and 2) to what degree one agency must be responsive to another agency, H.R. 4257 would reaffirm the current-law stipulation that OMB – part of the Executive Office of the President (EOP) – is primarily responsible for FISMA activity.

Following the White House’s unilateral efforts to transfer some of the responsibility for FISMA from OMB to DHS, agency compliance with FISMA has deteriorated. Individual agencies are historically reluctant to respond to the demands of another agency, since such agencies tend to view one another as having equal footing within the bureaucracy. Thus, in order to ensure all agencies attain comparable success with FISMA, the bill would reaffirm the role of OMB with respect to FISMA, recognizing that the budgetary leverage of the Executive Office of the President is necessary to ensure effective security over information technology systems.

By permitting some flexibility, though, H.R. 4257 would still allow DHS, under the direction of OMB, to exercise responsibility within the executive branch for many of the operational aspects of FISMA. This is done while allowing EOP to be held firmly accountable for ensuring that individual agencies meet the new standards.

Cost

No cost statement was available at press time.