Calendar No. 489
106th CONGRESS
2d Session
S. 1993
[Report No. 106-259]
_______________________________________________________________________
A BILL
To reform Government information security by strengthening information
security practices throughout the Federal Government.
_______________________________________________________________________
April 10, 2000
Reported with an amendment
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
November 19, 1999
Mr. Thompson (for himself, Mr. Lieberman, Mr. Abraham, Mr. Voinovich,
Mr. Akaka, Mr. Cleland, Ms. Collins, Mr. Stevens, and Mr. Helms)
introduced the following bill; which was read twice and referred to the
Committee on Governmental Affairs
April 10, 2000
Reported by Mr. Thompson, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To reform Government information security by strengthening information
security practices throughout the Federal Government.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Government Information
Security Act of 1999''.</DELETED>
<DELETED>SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.</DELETED>
<DELETED> Chapter 35 of title 44, United States Code, is amended by
inserting at the end the following:</DELETED>
<DELETED>``SUBCHAPTER II--INFORMATION SECURITY</DELETED>
<DELETED>``Sec. 3531. Purposes</DELETED>
<DELETED> ``The purposes of this subchapter are to--</DELETED>
<DELETED> ``(1) provide a comprehensive framework for
establishing and ensuring the effectiveness of controls over
information resources that support Federal operations and
assets;</DELETED>
<DELETED> ``(2)(A) recognize the highly networked nature of
the Federal computing environment including the need for
Federal Government interoperability and, in the implementation
of improved security management measures, assure that
opportunities for interoperability are not adversely affected;
and</DELETED>
<DELETED> ``(B) provide effective governmentwide management
and oversight of the related information security risks,
including coordination of information security efforts
throughout the civilian, national security, and law enforcement
communities;</DELETED>
<DELETED> ``(3) provide for development and maintenance of
minimum controls required to protect Federal information and
information systems; and</DELETED>
<DELETED> ``(4) provide a mechanism for improved oversight
of Federal agency information security programs.</DELETED>
<DELETED>``Sec. 3532. Definitions</DELETED>
<DELETED> ``(a) Except as provided under subsection (b), the
definitions under section 3502 shall apply to this
subchapter.</DELETED>
<DELETED> ``(b) As used in this subchapter the term `information
technology' has the meaning given that term in section 5002 of the
Clinger-Cohen Act of 1996 (40 U.S.C. 1401).</DELETED>
<DELETED>``Sec. 3533. Authority and functions of the Director</DELETED>
<DELETED> ``(a)(1) Consistent with subchapter I, the Director shall
establish governmentwide policies for the management of programs that
support the cost-effective security of Federal information systems by
promoting security as an integral component of each agency's business
operations.</DELETED>
<DELETED> ``(2) Policies under this subsection shall--</DELETED>
<DELETED> ``(A) be founded on a continuing risk management
cycle that recognizes the need to--</DELETED>
<DELETED> ``(i) identify, assess, and understand
risk; and</DELETED>
<DELETED> ``(ii) determine security needs
commensurate with the level of risk;</DELETED>
<DELETED> ``(B) implement controls that adequately address
the risk;</DELETED>
<DELETED> ``(C) promote continuing awareness of information
security risk;</DELETED>
<DELETED> ``(D) continually monitor and evaluate policy;
and</DELETED>
<DELETED> ``(E) control effectiveness of information
security practices.</DELETED>
<DELETED> ``(b) The authority under subsection (a) includes the
authority to--</DELETED>
<DELETED> ``(1) oversee and develop policies, principles,
standards, and guidelines for the handling of Federal
information and information resources to improve the efficiency
and effectiveness of governmental operations, including
principles, policies, and guidelines for the implementation of
agency responsibilities under applicable law for ensuring the
privacy, confidentiality, and security of Federal
information;</DELETED>
<DELETED> ``(2) consistent with the standards and guidelines
promulgated under section 5131 of the Clinger-Cohen Act of 1996
(40 U.S.C. 1441) and sections 5 and 6 of the Computer Security
Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat.
1729), require Federal agencies to identify and afford security
protections commensurate with the risk and magnitude of the
harm resulting from the loss, misuse, or unauthorized access to
or modification of information collected or maintained by or on
behalf of an agency;</DELETED>
<DELETED> ``(3) direct the heads of agencies to coordinate
such agencies and coordinate with industry to--</DELETED>
<DELETED> ``(A) identify, use, and share best
security practices; and</DELETED>
<DELETED> ``(B) develop voluntary consensus-based
standards for security controls, in a manner consistent
with section 2(b)(13) of the National Institute of
Standards and Technology Act (15 U.S.C.
272(b)(13));</DELETED>
<DELETED> ``(4) oversee the development and implementation
of standards and guidelines relating to security controls for
Federal computer systems by the Secretary of Commerce through
the National Institute of Standards and Technology under
section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441)
and section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3);</DELETED>
<DELETED> ``(5) oversee and coordinate compliance with this
section in a manner consistent with--</DELETED>
<DELETED> ``(A) sections 552 and 552a of title
5;</DELETED>
<DELETED> ``(B) sections 20 and 21 of the National
Institute of Standards and Technology Act (15 U.S.C.
278g-3 and 278g-4);</DELETED>
<DELETED> ``(C) section 5131 of the Clinger-Cohen
Act of 1996 (40 U.S.C. 1441);</DELETED>
<DELETED> ``(D) sections 5 and 6 of the Computer
Security Act of 1987 (40 U.S.C. 759 note; Public Law
100-235; 101 Stat. 1729); and</DELETED>
<DELETED> ``(E) related information management laws;
and</DELETED>
<DELETED> ``(6) take any authorized action that the Director
considers appropriate, including any action involving the
budgetary process or appropriations management process, to
enforce accountability of the head of an agency for information
resources management and for the investments made by the agency
in information technology, including--</DELETED>
<DELETED> ``(A) recommending a reduction or an
increase in any amount for information resources that
the head of the agency proposes for the budget
submitted to Congress under section 1105(a) of title
31;</DELETED>
<DELETED> ``(B) reducing or otherwise adjusting
apportionments and reapportionments of appropriations
for information resources; and</DELETED>
<DELETED> ``(C) using other authorized
administrative controls over appropriations to restrict
the availability of funds for information
resources.</DELETED>
<DELETED> ``(c) The authority under this section may be delegated
only to the Deputy Director for Management of the Office of Management
and Budget.</DELETED>
<DELETED>``Sec. 3534. Federal agency responsibilities</DELETED>
<DELETED> ``(a) The head of each agency shall--</DELETED>
<DELETED> ``(1) be responsible for--</DELETED>
<DELETED> ``(A) adequately protecting the integrity,
confidentiality, and availability of information and
information systems supporting agency operations and
assets; and</DELETED>
<DELETED> ``(B) developing and implementing
information security policies, procedures, and control
techniques sufficient to afford security protections
commensurate with the risk and magnitude of the harm
resulting from unauthorized disclosure, disruption,
modification, or destruction of information collected
or maintained by or for the agency;</DELETED>
<DELETED> ``(2) ensure that each senior program manager is
responsible for--</DELETED>
<DELETED> ``(A) assessing the information security
risk associated with the operations and assets of such
manager;</DELETED>
<DELETED> ``(B) determining the levels of
information security appropriate to protect the
operations and assets of such manager; and</DELETED>
<DELETED> ``(C) periodically testing and evaluating
information security controls and techniques;</DELETED>
<DELETED> ``(3) delegate to the agency Chief Information
Officer established under section 3506, or a comparable
official in an agency not covered by such section, the
authority to administer all functions under this subchapter
including--</DELETED>
<DELETED> ``(A) designating a senior agency
information security officer;</DELETED>
<DELETED> ``(B) developing and maintaining an
agencywide information security program as required
under subsection (b);</DELETED>
<DELETED> ``(C) ensuring that the agency effectively
implements and maintains information security policies,
procedures, and control techniques;</DELETED>
<DELETED> ``(D) training and overseeing personnel
with significant responsibilities for information
security with respect to such responsibilities;
and</DELETED>
<DELETED> ``(E) assisting senior program managers
concerning responsibilities under paragraph
(2);</DELETED>
<DELETED> ``(4) ensure that the agency has trained personnel
sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines; and</DELETED>
<DELETED> ``(5) ensure that the agency Chief Information
Officer, in coordination with senior program managers,
periodically--</DELETED>
<DELETED> ``(A)(i) evaluates the effectiveness of
the agency information security program, including
testing control techniques; and</DELETED>
<DELETED> ``(ii) implements appropriate remedial
actions based on that evaluation; and</DELETED>
<DELETED> ``(B) reports to the agency head on--
</DELETED>
<DELETED> ``(i) the results of such tests
and evaluations; and</DELETED>
<DELETED> ``(ii) the progress of remedial
actions.</DELETED>
<DELETED> ``(b)(1) Each agency shall develop and implement an
agencywide information security program to provide information security
for the operations and assets of the agency, including information
security provided or managed by another agency.</DELETED>
<DELETED> ``(2) Each program under this subsection shall include--
</DELETED>
<DELETED> ``(A) periodic assessments of information security
risks that consider internal and external threats to--
</DELETED>
<DELETED> ``(i) the integrity, confidentiality, and
availability of systems; and</DELETED>
<DELETED> ``(ii) data supporting critical operations
and assets;</DELETED>
<DELETED> ``(B) policies and procedures that--</DELETED>
<DELETED> ``(i) are based on the risk assessments
required under paragraph (1) that cost-effectively
reduce information security risks to an acceptable
level; and</DELETED>
<DELETED> ``(ii) ensure compliance with--</DELETED>
<DELETED> ``(I) the requirements of this
subchapter;</DELETED>
<DELETED> ``(II) policies and procedures as
may be prescribed by the Director;
and</DELETED>
<DELETED> ``(III) any other applicable
requirements;</DELETED>
<DELETED> ``(C) security awareness training to inform
personnel of--</DELETED>
<DELETED> ``(i) information security risks
associated with personnel activities; and</DELETED>
<DELETED> ``(ii) responsibilities of personnel in
complying with agency policies and procedures designed
to reduce such risks;</DELETED>