Senator Orrin Hatch, R-Utah, the senior Republican in the United States Senate and longest-serving member in the history of the Senate Intelligence Committee, and Senator Tom Carper, D-Del., the most senior Democrat on the Senate Homeland Security and Government Affairs Committee, introduced the Federal Computer Security Act of 2015, a bill that promotes good "cyber hygiene" within the federal government.
Major cybersecurity attacks on government agencies and organizations in recent years have revealed deep vulnerabilities in the federal government’s cybersecurity infrastructure. Those breaches include the IRS data breach in which hackers stole the detailed tax return information of 104,000 Americans, and the recent breach of the Office of Personnel Management, in which hackers stole the personal information of 21.5 million Americans. The Federal Computer Security Act of 2015 will require Inspectors General to report on the security practices and software used by federal agencies to safeguard classified and personally identifiable information. It will then instruct the Government Accountability Office to provide a report, including an economic analysis, of any impediments to agency use of effective security software and security devices.
“The Federal Computer Security Act of 2015 will shine light on whether our federal agencies are using the most up-to-date security practices and software to safeguard our nation’s most sensitive information,” Hatch said. “Given the recent federal data breaches, this bill is critical to getting our computer networks in order and to promoting good cyber hygiene across the federal government.”
“The troubling reality is that cyber attacks and intrusions continue to occur at an increasing rate, and federal agencies need to be better prepared,” Senator Carper said. “This legislation builds on our ongoing efforts to bolster the federal government’s cyber defenses by adding another important layer of oversight to make sure agencies are doing all that they can to protect their critical networks and to ensure that sensitive information is properly secured. I look forward to working with Senator Hatch, our Congressional colleagues, and the Administration to address the very serious cyber threats facing our nation, and to help restore confidence in our government’s ability to keep personal, sensitive information safe and secure.”
The full text of the bill can be found here, and a section-by-section can be found here.
Statement of Support from Victoria Espinel, President and CEO of BSA | The Software Alliance
“To safeguard our government’s most sensitive information, our federal agencies must use the most up-to-date security practices. In order to accomplish this goal, Congress needs a better understanding of the security-related practices and software currently in use by our agencies. Ensuring that agencies and their contractors are using the best security practices, including using only genuine and fully licensed software on their systems, will help strengthen their cybersecurity efforts and keep sensitive information out of the wrong hands. BSA and our member companies look forward to working with Senators Hatch and Carper to continue to improve the security of our government’s computer systems, and this bill represents an important first step to achieving this goal.”
The two major components of this bill are the Inspector General reports on the security practices and software used by federal agencies to safeguard classified and personally identifiable information, and a GAO economic analysis and report on federal computer systems.
Inspector General Report on Federal Computer Systems
Not later than 240 days after enactment, the Inspector General for each covered agency shall submit a report to Congress and the Government Accountability Office (GAO) that includes:
- A description of the logical access standards used by the agency to access Federal computer systems, including whether the agency uses multi-factor logical access controls.
- A description of the policies and procedures the agency uses to conduct inventories of security software on its computers and the licenses associated with such security software.
- A description of the data security management software used by the agency, including whether the agency has entered into licensing agreements for software security controls such as data loss prevention software or digital rights management software.
- A description of the policies used by the agency to ensure that entities, including contractors, that provide services to the agency are implementing data management practices.
GAO Economic Analysis and Report on Federal Computer Systems
Within one year of enactment, GAO shall provide Congress a report, including an economic analysis, of any impediments to agency use of effective security software and security devices.