The Federal Computer Security Act of 2015, a bill that promotes good "cyber hygiene" within the federal government, has been introduced by Sen. Orrin Hatch (R-Utah), the senior Republican in the Senate, and Sen. Tom Carper (D-Del.), the ranking member and former chairman of the Senate Committee on Homeland Security and Government Affairs.
“The Federal Computer Security Act of 2015 will shine light on whether our federal agencies are using the most up-to-date security practices and software to safeguard our nation’s most sensitive information,” Hatch said. “Given the recent federal data breaches, this bill is critical to getting our computer networks in order and to promoting good cyber hygiene across the federal government.”
“The troubling reality is that cyber attacks and intrusions continue to occur at an increasing rate, and federal agencies need to be better prepared,” Carper added, saying, “This legislation builds on our ongoing efforts to bolster the federal government’s cyber defenses by adding another important layer of oversight to make sure agencies are doing all that they can to protect their critical networks and to ensure that sensitive information is properly secured.”
Carper said “the very serious cyber threats facing our nation, and to help restore confidence in our government’s ability to keep personal, sensitive information safe and secure” need to be addressed by Congress and the administration.
Their joint announcement stated, “Major cybersecurity attacks on government agencies and organizations in recent years have revealed deep vulnerabilities in the federal government’s cybersecurity infrastructure. Those breaches include the IRS data breach in which hackers stole the detailed tax return information of 104,000 Americans, and the recent breach of the Office of Personnel Management, in which hackers stole the personal information of 21.5 million Americans. The Federal Computer Security Act of 2015 will require Inspectors General to report on the security practices and software used by federal agencies to safeguard classified and personally identifiable information. It will also then instruct the Government Accountability Office [GAO] to provide a report, including an economic analysis, of any impediments to agency use of effective security software and security devices.”
“To safeguard our government’s most sensitive information, our federal agencies must use the most up-to-date security practices,” said Victoria Espinel, president and CEO of BSA-The Software Alliance in support of the legislation.
“In order to accomplish this goal, Congress needs a better understanding of the security-related practices and software currently in use by our agencies,” Espinel said. “Ensuring that agencies and their contractors are using the best security practices, including using only genuine and fully licensed software on their systems, will help strengthen their cybersecurity efforts and keep sensitive information out of the wrong hands. BSA and our member companies look forward to working with Senators Hatch and Carper to continue to improve the security of our government’s computer systems, and this bill represents an important first step to achieving this goal.”
The two major components of this bill are the Inspector General reports on the security practices and software used by federal agencies to safeguard classified and personally identifiable information, and a GAO economic analysis and report on federal computer systems.
The bill would require that not later than 240 days after enactment, the Inspector General for each covered agency shall submit a report to Congress and the GAO that would include:
- A description of the logical access standards used by the agency to access federal computer systems, including whether the agency uses multi-factor logical access controls;
- A description of the policies and procedures the agency uses to conduct inventories of security software on its computers and the licenses associated with such security software;
- A description of the data security management software used by the agency, including whether the agency has entered into licensing agreements for software security controls such as data loss prevention software or digital rights management software;
- A description of the policies used by the agency to ensure that entities, including contractors, that provide services to the agency are implementing data management practices.

Separately, within one year of enactment, GAO shall provide Congress a report, including an economic analysis, of any impediments to agency use of effective security software and security devices.
A section-by-section analysis of the bill can be read here.