Federal Cybersecurity Enhancement Act of 2016

1/11/2023, 1:30 PM

Congressional Summary of S 1869

Federal Cybersecurity Enhancement Act of 2016

(Sec. 3) This bill amends the Homeland Security Act of 2002 to require the Department of Homeland Security (DHS) to coordinate with the Office of Management and Budget (OMB) to implement an intrusion assessment plan to identify and remove intruders in federal agency information systems.

DHS must deploy and operate, for use by other agencies, capabilities to detect and prevent or remove cybersecurity risks in network traffic transiting or traveling to or from agency information systems. DHS may access, and agencies may disclose to DHS, information transiting agency systems, regardless of the location from which the information is accessed, notwithstanding any laws that would otherwise restrict or prevent such disclosures. Agencies must utilize such capabilities and adopt subsequent improvements.

DHS must establish a pilot to test and deploy advanced technologies to improve detection and prevention.

DHS must ensure that: (1) activities are reasonably necessary to protect agency information and systems from cybersecurity risks, (2) information accessed by DHS will be retained no longer than reasonably necessary, (3) notice has been provided to users of agency information systems concerning access to their communications, and (4) activities are implemented pursuant to policies governing the operation of the intrusion detection and prevention capabilities.

Liability protections are provided to private entities authorized to assist DHS with such capabilities. But such liability protections shall not be construed to authorize an Internet service provider to break a user agreement with a customer.

The Department of Justice must ensure that guidelines for such capabilities are consistent with laws governing the acquisition, interception, retention, use, and disclosure of communications.

The OMB and DHS must update government-wide policies and brief Congress regarding the prioritization and use of network security monitoring tools within agency networks.

The Department of Defense and the intelligence community are exempt from this bill's procedures.

(Sec. 4) DHS must include in the Continuous Diagnostics and Mitigation Program advanced network security tools to improve visibility of network activity to detect and mitigate intrusions and anomalous activity. The OMB must implement a plan to ensure that agencies utilize such advanced tools.

DHS must collaborate with the OMB to update government information security metrics to include measures of intrusion and incident detection and response times. The OMB must display additional agency metrics on federal government performance websites.

Upon an agency's request, DHS may operate and maintain technology that is deployed to agencies to diagnose and mitigate against cyber threats and vulnerabilities.

(Sec. 5) DHS must require implementation of best practices for securing agency information systems against intrusion and preventing data exfiltration in the event of an intrusion. Agencies must: (1) identify their stored sensitive and mission critical data, (2) assess data access controls, (3) encrypt data consistent with federal information system standards, (4) implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, and (5) implement multifactor authentication for remote access to agency systems and for user accounts with elevated privileges.

(Sec. 6) The Government Accountability Office must report on the effectiveness of the federal government's strategy to secure agency information systems. On an annual basis: (1) DHS must report on the implementation status of intrusion detection and prevention capabilities, and (2) the OMB must report on agency application of such capabilities.

The OMB must submit updated intrusion assessment plans to Congress and report annually on intrusion assessment findings, advanced network security tools, and agency compliance.

(Sec. 7) The authority for operating such federal intrusion detection and prevention capabilities terminates seven years after enactment of this bill.

(Sec. 8) The Office of the Director of National Intelligence (ODNI) must submit to Congress an assessment of: (1) the risks that would result from the breach of unclassified information systems that provide access to information that, when combined with other unclassified information, may comprise classified information; and (2) the cost and impact on the mission carried out by each agency if such systems were subsequently classified.

(Sec. 9) DHS and the ODNI must coordinate with agencies to conduct an ongoing damage and risk assessment relating to data breaches at the Office of Personnel Management (OPM). The ODNI must report on: (1) the extent to which federal data was compromised, exfiltrated, or manipulated by the same entity that caused the OPM data breach; (2) national security impacts; and (3) whether information accessed through the breach has been released or deployed.

(Sec. 10) DHS may issue an emergency directive to an agency to take any lawful action regarding the operation of the agency's information system (including systems owned or operated by another entity on behalf of an agency) in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to information security. DHS must report annually to Congress regarding specific actions taken pursuant to such directives.

If DHS determines that there is an imminent threat for which a directive is unlikely to result in a timely response, DHS may authorize the use of protective capabilities under DHS control for communications or system traffic transiting to or from, or stored on, an agency information system without prior consultation with the affected agency. But DHS must immediately notify the OMB, each affected agency, and Congress of the use of such imminent threat authority and the reasons for, and duration of, the action.

DHS may direct or authorize such lawful action or protective capability only: (1) to protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or (2) to require the remediation of, or to protect against, identified information security risks for information collected or maintained by or on behalf of an agency or that portion of an information system used or operated by an agency or other organization on an agency's behalf.

The OMB must report annually regarding specific actions it has taken to enforce agency compliance and accountability.

Read the Full Bill

Formatted TextPDFFormatted XML

Current Status of Bill S 1869

Bill S 1869 is currently in the status of Bill Introduced since July 27, 2015. Bill S 1869 was introduced during Congress 114 and was introduced to the Senate on July 27, 2015.  Bill S 1869's most recent activity was Placed on Senate Legislative Calendar under General Orders. Calendar No. 673. as of November 17, 2016

Bipartisan Support of Bill S 1869

Total Number of Sponsors
1
Democrat Sponsors
1
Republican Sponsors
0
Unaffiliated Sponsors
0
Total Number of Cosponsors
1
Democrat Cosponsors
0
Republican Cosponsors
1
Unaffiliated Cosponsors
0

Policy Area and Potential Impact of Bill S 1869

Primary Policy Focus

Government Operations and Politics

Potential Impact Areas

Civil actions and liabilityComputer security and identity theftCongressional oversightGovernment information and archivesGovernment studies and investigationsPerformance measurementTechnology assessment

Alternate Title(s) of Bill S 1869

Federal Cybersecurity Enhancement Act of 2016A bill to improve Federal network security and authorize and enhance an existing intrusion detection and prevention system for civilian Federal networks.Federal Cybersecurity Enhancement Act of 2015Federal Cybersecurity Enhancement Act of 2016
Start holding our government accountable!

Comments

Sponsors and Cosponsors of S 1869

Thomas R. Carper
Thomas R. Carper
Delaware(Democrat)
Ron Johnson
Ron Johnson
Wisconsin(Republican)

Latest Bills

Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Environmental Protection Agency relating to "Waste Emissions Charge for Petroleum and Natural Gas Systems: Procedures for Facilitating Compliance, Including Netting and Exemptions".
Bill HJRES 35March 29, 2025
Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Office of Energy Efficiency and Renewable Energy, Department of Energy relating to "Energy Conservation Program: Energy Conservation Standards for Commercial Refrigerators, Freezers, and Refrigerator-Freezers".
Bill HJRES 75March 29, 2025
Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Department of Energy relating to "Energy Conservation Program: Energy Conservation Standards for Walk-In Coolers and Walk-In Freezers".
Bill HJRES 24March 29, 2025
No 340B Savings for Transgender Care Act
Bill HR 2197March 29, 2025
Major Richard Star Act
Bill HR 2102March 29, 2025
Ending China’s Unfair Advantage Act of 2025
Bill HR 2115March 29, 2025
IMPACT Act 2.0
Bill HR 2122March 29, 2025
Protecting Individuals with Down Syndrome Act
Bill HR 2251March 29, 2025
To amend title 14, United States Code, to require the retention of certain enlisted members of the Coast Guard who have completed 18 or more, but less than 20, years of service, and for other purposes.
Bill HR 2200March 29, 2025
Feed Hungry Veterans Act of 2025
Bill HR 2195March 29, 2025
To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.
Bill S 754January 11, 2023
Consolidated Appropriations Act, 2016
Bill HR 2029April 5, 2023