Ask AI
Bill113th CongressFiled Mar 14, 2013Government Operations and Politics
H.R. 1163

Federal Information Security Amendments Act of 2013

Bill journey · stage 2 of 5

Under committee review

Filed
Comm.
Floor
Both
Law

What it doesSummary passed house without amendment (Apr 16, 2013)

Federal Information Security Amendments Act of 2013 - (Sec. 2) Amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.

Extends the security requirements of federal agencies to include responsibilities for: (1) complying with computer standards developed by the National Institute of Standards and Technology (NIST); (2) ensuring complementary and uniform standards for information systems and national security systems; (3) ensuring that information security management processes are integrated with budget processes; (4) securing facilities for classified information; (5) maintaining sufficient personnel with security clearances; and (6) ensuring that information security performance indicators are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees.

Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)

Defines "information system" as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Includes in such definition: (1) computers and computer networks; (2) ancillary equipment; (3) software, firmware, and related procedures; (4) support services; and (5) related resources and services.

Directs agencies to determine information security levels in accordance with information security classifications and standards promulgated under the National Institute of Standards and Technology Act.

Directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center (the incident center), appropriate security operations centers, and agency Inspector General.

Directs agencies to conduct vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems.

Requires each agency to delegate to its Chief Information Officer the authority and primary responsibility for developing, implementing, and overseeing an agencywide information security (AIS) program.

Directs agencies to implement an OMB-approved AIS program that is consistent with components across and within agencies. Requires that such program include automated and continuous monitoring, when possible, to: (1) mitigate risks associated with security incidents before substantial damage is done; and (2) notify and consult with the incident center, appropriate security operations response centers, law enforcement agencies, Inspectors General, and other entities or as directed by the President.

Directs the OMB Director to review and approve information security policies and procedures to ensure that the incident center has the capability to detect, correlate, and respond to incidents that impair the security of multiple agencies' information systems. Requires the capability, where practicable, to be continuous and technically automated.

(Sec. 4) Specifies that no additional funds are authorized for agencies to carry out their responsibilities under this Act. Requires agencies to carry out such responsibilities using amounts otherwise authorized or appropriated.

What just happenedApr 17, 2013

Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Who’s behind it

Rep. Issa, Darrell E. [R-CA-49](R-CA)Sponsor
5 cosponsors3 D2 R
Read on Congress.gov
5cosponsors3committees17actions2related bills9subjects
  • Referred in SenateApr 17, 2013
  • Engrossed in HouseApr 16, 2013
  • Reported in HouseApr 16, 2013
  • Introduced in HouseMar 14, 2013
  1. Apr 17, 2013IntroReferral

    Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

  2. Apr 16, 2013FloorH38310

    Motion to reconsider laid on the table Agreed to without objection.

  3. Apr 16, 2013FloorH37300

    On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 416 - 0 (Roll no. 106). (text: CR H2037-2039)

  4. Apr 16, 2013Floor8000

    Passed/agreed to in House: On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 416 - 0 (Roll no. 106).(text: CR H2037-2039)

  5. Apr 16, 2013FloorH30000

    Considered as unfinished business. (consideration: CR H2053-2054)

  6. Apr 16, 2013FloorH37220

    At the conclusion of debate, the Yeas and Nays were demanded and ordered. Pursuant to the provisions of clause 8, rule XX, the Chair announced that further proceedings on the motion would be postponed.

  7. Apr 16, 2013FloorH8D000

    DEBATE - The House proceeded with forty minutes of debate on H.R. 1163.

  8. Apr 16, 2013FloorH30000

    Considered under suspension of the rules. (consideration: CR H2037-2042)

  9. Apr 16, 2013FloorH30300

    Mr. Issa moved to suspend the rules and pass the bill, as amended.

  10. Apr 16, 2013CalendarsH12410

    Placed on the Union Calendar, Calendar No. 26.

  11. Apr 16, 2013CommitteeH12200

    Reported (Amended) by the Committee on Oversight and Government Reform. H. Rept. 113-40.

  12. Apr 16, 2013Committee5000

    Reported (Amended) by the Committee on Oversight and Government Reform. H. Rept. 113-40.

  13. Mar 20, 2013Committee

    Ordered to be Reported by Voice Vote.

  14. Mar 20, 2013Committee

    Committee Consideration and Mark-up Session Held.

  15. Mar 14, 2013IntroReferralH11100

    Referred to the House Committee on Oversight and Government Reform.

  16. Mar 14, 2013IntroReferralIntro-H

    Introduced in House

  17. Mar 14, 2013IntroReferral1000

    Introduced in House

Passed House without amendmentApr 16, 201381

Federal Information Security Amendments Act of 2013 - (Sec. 2) Amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.

Extends the security requirements of federal agencies to include responsibilities for: (1) complying with computer standards developed by the National Institute of Standards and Technology (NIST); (2) ensuring complementary and uniform standards for information systems and national security systems; (3) ensuring that information security management processes are integrated with budget processes; (4) securing facilities for classified information; (5) maintaining sufficient personnel with security clearances; and (6) ensuring that information security performance indicators are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees.

Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)

Defines "information system" as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Includes in such definition: (1) computers and computer networks; (2) ancillary equipment; (3) software, firmware, and related procedures; (4) support services; and (5) related resources and services.

Directs agencies to determine information security levels in accordance with information security classifications and standards promulgated under the National Institute of Standards and Technology Act.

Directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center (the incident center), appropriate security operations centers, and agency Inspector General.

Directs agencies to conduct vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems.

Requires each agency to delegate to its Chief Information Officer the authority and primary responsibility for developing, implementing, and overseeing an agencywide information security (AIS) program.

Directs agencies to implement an OMB-approved AIS program that is consistent with components across and within agencies. Requires that such program include automated and continuous monitoring, when possible, to: (1) mitigate risks associated with security incidents before substantial damage is done; and (2) notify and consult with the incident center, appropriate security operations response centers, law enforcement agencies, Inspectors General, and other entities or as directed by the President.

Directs the OMB Director to review and approve information security policies and procedures to ensure that the incident center has the capability to detect, correlate, and respond to incidents that impair the security of multiple agencies' information systems. Requires the capability, where practicable, to be continuous and technically automated.

(Sec. 4) Specifies that no additional funds are authorized for agencies to carry out their responsibilities under this Act. Requires agencies to carry out such responsibilities using amounts otherwise authorized or appropriated.

Reported to House with amendment(s)Apr 16, 201317

Federal Information Security Amendments Act of 2013 - (Sec. 2) Amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.

Extends the security requirements of federal agencies to include responsibilities for: (1) complying with computer standards developed by the National Institute of Standards and Technology (NIST); (2) ensuring complementary and uniform standards for information systems and national security systems; (3) ensuring that information security management processes are integrated with budget processes; (4) securing facilities for classified information; (5) maintaining sufficient personnel with security clearances; and (6) ensuring that information security performance indicators are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees.

Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)

Defines "information system" as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Includes in such definition: (1) computers and computer networks; (2) ancillary equipment; (3) software, firmware, and related procedures; (4) support services; and (5) related resources and services.

Directs agencies to determine information security levels in accordance with information security classifications and standards promulgated under the National Institute of Standards and Technology Act.

Directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center (the incident center), appropriate security operations centers, and agency Inspector General.

Directs agencies to conduct vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems.

Requires each agency to delegate to its Chief Information Officer the authority and primary responsibility for developing, implementing, and overseeing an agencywide information security (AIS) program.

Directs agencies to implement an OMB-approved AIS program that is consistent with components across and within agencies. Requires that such program include automated and continuous monitoring, when possible, to: (1) mitigate risks associated with security incidents before substantial damage is done; and (2) notify and consult with the incident center, appropriate security operations response centers, law enforcement agencies, Inspectors General, and other entities or as directed by the President.

Directs the OMB Director to review and approve information security policies and procedures to ensure that the incident center has the capability to detect, correlate, and respond to incidents that impair the security of multiple agencies' information systems. Requires the capability, where practicable, to be continuous and technically automated.

(Sec. 4) Specifies that no additional funds are authorized for agencies to carry out their responsibilities under this Act. Requires agencies to carry out such responsibilities using amounts otherwise authorized or appropriated.

Introduced in HouseMar 14, 2013

Federal Information Security Amendments Act of 2013 - Amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.

Extends the security requirements of federal agencies to include responsibilities for: (1) complying with computer standards developed by the National Institute of Standards and Technology (NIST); (2) ensuring complementary and uniform standards for information systems and national security systems; (3) ensuring that information security management processes are integrated with budget processes; (4) securing facilities for classified information; (5) maintaining sufficient personnel with security clearances; and (6) ensuring that information security performance indicators are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees.

Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)

Directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General.

Directs agencies to conduct vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems.

Requires each agency to delegate to its Chief Information Officer the authority and primary responsibility for developing, implementing, and overseeing an agencywide information security (AIS) program.

Directs agencies to implement an OMB-approved AIS program that is consistent with components across and within agencies. Requires that such program include automated and continuous monitoring, when possible, to: (1) mitigate risks associated with security incidents before substantial damage is done; and (2) notify and consult with the incident center, appropriate security operations response centers, law enforcement agencies, Inspectors General, and other entities or as directed by the President.

Federal Information Security Amendments Act of 2013 — Informed