Bill Sponsor
Senate Bill 5008
116th Congress (2019-2020)
Federal System Incident Response Act of 2020
Introduced in Senate on Dec 10, 2020
S. 5008 (Introduced-in-Senate)


116th CONGRESS
2d Session
S. 5008


To require notification of incidents at agencies involving sensitive personal information, and for other purposes.


IN THE SENATE OF THE UNITED STATES

December 10, 2020

Mr. Peters (for himself and Mr. Portman) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs


A BILL

To require notification of incidents at agencies involving sensitive personal information, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Federal System Incident Response Act of 2020”.

SEC. 2. Definitions.

In this Act:

(1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—

(A) the Committee on Homeland Security and Governmental Affairs of the Senate;

(B) the Committee on Oversight and Reform of the House of Representatives; and

(C) the Committee on Homeland Security of the House of Representatives.

(2) DIRECTOR.—The term “Director” means the Director of the Office of Management and Budget.

SEC. 3. Federal information system incident response.

(a) In general.—Chapter 35 of title 44, United States Code, is amended by adding at the end the following:

“SUBCHAPTER IV—FEDERAL INFORMATION SYSTEM INCIDENT RESPONSE

§ 3591. Definitions

“(a) In general.—Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.

“(b) Additional definitions.—As used in this subchapter:

“(1) APPROPRIATE NOTIFICATION ENTITIES.—The term ‘appropriate notification entities’ means—

“(A) the Committee on Homeland Security and Governmental Affairs of the Senate;

“(B) the Committee on Commerce, Science, and Transportation of the Senate;

“(C) the Committee on Oversight and Reform of the House of Representatives;

“(D) the Committee on Homeland Security of the House of Representatives;

“(E) the Committee on Science, Space, and Technology of the House of Representatives;

“(F) the appropriate authorization and appropriations committees of Congress;

“(G) the Director;

“(H) the Secretary of Homeland Security; and

“(I) the Comptroller General of the United States.

“(2) INCIDENT.—The term ‘incident’ has the meaning given the term in section 3552 of this title.

“(3) CONTRACTOR.—The term ‘contractor’—

“(A) means any person or business that collects or maintains information that includes personally identifiable information or sensitive personal information on behalf of an agency; and

“(B) includes any subcontractor of a person or business described in subparagraph (A).

“(4) COVERED INCIDENT.—The term ‘covered incident’ means, with respect to any information collected or maintained by or on behalf of an agency or information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency—

“(A) a major incident, as defined by the Director pursuant to section 2(b) of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3554 note);

“(B) any incident determined likely to have a significant impact on national security, homeland security, or economic security of the United States;

“(C) any incident determined likely to have a significant impact on the operations of the agency or the Federal Government; or

“(D) any incident that is determined to have involved any sensitive personal information, regardless of the number of impacted individuals.

“(5) INTELLIGENCE COMMUNITY.—The term ‘intelligence community’ has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

“(6) NATIONWIDE CONSUMER REPORTING AGENCY.—The term ‘nationwide consumer reporting agency’ means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

“(7) SENSITIVE PERSONAL INFORMATION.—The term ‘sensitive personal information’ means, with respect to an individual—

“(A) any combination of data or information that, if exposed, could result in substantial harm, physical harm, embarrassment, or unfairness to the individual, including biometric, genetic, or other data; and

“(B) any other information as determined by the Director.

“(8) SUBSTANTIAL HARM.—The term ‘substantial harm’, with respect to an individual, means identity theft, financial fraud, or other financial harm to the individual.

§ 3592. Notification to impacted individuals involving sensitive personal information

“(a) Notification.—As expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after an agency has a reasonable basis to conclude that a covered incident described in section 3591(b)(4)(D) has occurred, the head of the agency shall provide notice of the incident in accordance with subsection (b) in writing to the last known home mailing address of each impacted individual.

“(b) Contents of notice.—Each notice required under subsection (a) shall include—

“(1) a description of the categories of sensitive personal information that were, or are reasonably believed to have been, involved in the covered incident, including a list of all data elements;

“(2) a description of the substantial harm, embarrassment, inconvenience, or unfairness to the individual that an individual may reasonably expect to experience based on the information or combination of information involved in the covered incident;

“(3) contact information for the Federal Bureau of Investigation or other appropriate entity;

“(4) the contact information of each nationwide consumer reporting agency;

“(5) the contact information for questions to the agency, including a telephone number, e-mail address, and website;

“(6) information on any remedy being offered by the agency;

“(7) consolidated Federal Government recommendations on what to do in the event of a covered incident; and

“(8) any other appropriate information as determined by the head of the agency.

“(c) Delay of notification.—

“(1) IN GENERAL.—The Inspector General of the agency that experienced the covered incident, the Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security may impose a delay of a notification required under subsection (a) if the notification would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions.

“(2) DOCUMENTATION.—

“(A) IN GENERAL.—Any delay under paragraph (1) shall be reported in writing to the head of the agency, the Director, the Director of the Cybersecurity and Infrastructure Security Agency, and the Office of Inspector General of the agency that experienced the covered incident.

“(B) CONTENTS.—A statement required under subparagraph (A) shall include a written statement from the entity that delayed the notification explaining the need for the delay.

“(C) FORM.—The statement required under subparagraph (A) shall be unclassified, but may include a classified annex.

“(3) RENEWAL.—A delay under paragraph (1) shall be for a period of 2 months and may be renewed.

“(d) Exemption for notification.—

“(1) IN GENERAL.—The head of an agency, in consultation with the Inspector General of the agency, may request an exemption from the Director from complying with the notification requirements under subsection (a) if—

“(A) the information affected by the covered incident is determined by an independent evaluation to be unreadable, including instances when the information is encrypted or when the encryption key has not been acquired; or

“(B) the covered incident has otherwise been determined by an independent evaluation to be of de minimis threat to those individuals whose sensitive personal information was involved in the incident.

“(2) APPROVAL.—The Director shall make a determination for granting an exemption in consultation with—

“(A) the Director of the Cybersecurity and Infrastructure Security Agency; and

“(B) the Attorney General.

“(3) DOCUMENTATION.—Any exemption granted by the Director under subparagraph (A) or (B) of paragraph (1) shall be reported in writing to the head of the agency that experienced the covered incident, the Office of Inspector General of the agency that experienced the covered incident, and the Director of the Cybersecurity and Infrastructure Security Agency.

“(e) Update notification.—If an agency determines there is a change in the reasonable basis to conclude that a covered incident occurred, or that there is a change in the details of the information provided to impacted individuals as described in subsection (b), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify all such individuals who received a notification pursuant to subsection (a) of those changes.

“(f) Rule of construction.—Nothing in this section shall be construed to limit—

“(1) the Director from issuing guidance regarding notifications or the head of an agency from sending notifications to individuals impacted by incidents not determined to be covered incidents, as described in section 3591(b)(4)(D); or

“(2) the Director from issuing guidance regarding notifications for covered incidents meeting the criteria in section 3591(b)(4)(D) or the head of an agency from issuing notifications to individuals impacted by covered incidents meeting the criteria in section 3591(b)(4)(D) that contain more information than described in subsection (b).

§ 3593. Congressional notifications and reports

“(a) Initial report.—

“(1) IN GENERAL.—Not later than 7 days after the date on which an agency has a reasonable basis to conclude that a covered incident occurred, the head of the agency shall submit a written notification and, to the extent practicable, provide a briefing, to the appropriate notification entities, taking into account the information known at the time of the notification, the sensitivity of the details associated with the covered incident, and the classification level of the information contained in the notification.

“(2) CONTENTS.—A notification required under paragraph (1) shall include—

“(A) a summary of the information available about the covered incident, including how the covered incident occurred, based on information available to agency officials as of the date which the agency submits the report;

“(B) if applicable, an estimate of the number of individuals impacted by the covered incident, including an assessment of the risk of harm to impacted individuals based on information available to agency officials on the date on which the agency submits the report;

“(C) if applicable, a description and any associated documentation of any circumstances necessitating a delay in or exemption to notification granted under subsection (c) or (d) of section 3592; and

“(D) if applicable, an assessment of the impacts to the agency, the Federal Government, or the security of the United States as identified in section 3591(b)(4), based on information available to agency officials on the date on which the agency submits the report.

“(b) Supplemental report.—Within a reasonable amount of time, but not later than 45 days after the date on which additional information relating to a covered incident for which an agency submitted a written notification under subsection (a) is discovered by the agency, the head of the agency shall submit to the appropriate congressional committees updates to the written notification that include summaries of—

“(1) the threats and threat actors, vulnerabilities, means by which the covered incident occurred, and impacts to the agency relating to the covered incident;

“(2) any risk assessment and subsequent risk-based security implementation of the affected information system before the date on which the covered incident occurred;

“(3) the status of compliance of the affected information system with applicable security requirements at the time of the covered incident;

“(4) an estimate of the number of individuals affected by the covered incident based on information available to agency officials as of the date on which the agency submits the update;

“(5) an update to the assessment of the risk of harm to impacted individuals affected by the covered incident based on information available to agency officials as of the date on which the agency submits the update;

“(6) an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the covered incident based on information available to agency officials as of the date on which the agency submits the update; and

“(7) the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d) and status updates on the notification process described in section 3592(a), including any delay or exemption described in subsection (c) or (d), respectively, of section 3592, if applicable.

“(c) Update Report.—If the agency determines that there is any significant change in the scope, scale, or consequence of the covered incident, or a change in the inclusion of the criteria described in section 3591(b)(4), the agency shall provide an updated report to the appropriate congressional committees that includes those changes.

“(d) Annual report.—Each agency shall submit as part of the annual report required under section 3554(c)(1) of this title a description of each covered incident that occurred during the 1-year period preceding the date on which the report is submitted.

“(e) Delay and exemption report.—The Director shall submit to the appropriate notification entities an annual report on all notification delays and exemptions granted pursuant to subsections (c) and (d) of section 3592.

“(f) Report delivery.—Any written notification or report required to be submitted under this section may be submitted in a paper or electronic format.

“(g) Rule of construction.—Nothing in this section shall be construed to limit—

“(1) the ability of an agency to provide additional reports or briefings to Congress; or

“(2) Congress from requesting additional information from agencies through reports, briefings, or other means.

§ 3594. Government information sharing and incident response

“(a) In general.—The head of each agency shall make available any information relating to an incident, whether obtained by the Federal Government or a private entity contracted by the Federal Government, to the Cybersecurity and Infrastructure Security Agency, the Department of Defense, and the Office of Management and Budget to help mitigate future incidents.

“(b) Compliance.—The information made available under subsection (a) shall—

“(1) take into account the level of classification of the information and any information sharing limitations relating to law enforcement; and

“(2) be in compliance with the requirements limiting the release of information under section 552a of title 5 (commonly known as the ‘Privacy Act of 1974’).

“(c) Responding to information requests from agencies experiencing incidents.—An agency that receives a request from another agency or Federal entity for information specifically intended to assist in the remediation or notification requirements due to an incident shall provide that information to the greatest extent possible, in accordance with guidance issued by the Director and taking into account classification, law enforcement, national security, and compliance with section 552a of title 5 (commonly known as the ‘Privacy Act of 1974’).

“(d) Incident response.—Each agency that has a reasonable basis to conclude that a covered incident occurred, regardless of delays or exemptions from notification granted for a covered incident, shall consult with the Cybersecurity and Infrastructure Security Agency regarding—

“(1) incident response and recovery; and

“(2) recommendations for mitigating future incidents.

§ 3595. Responsibilities of contractors and grant recipients

“(a) Notification.—

“(1) IN GENERAL.—Subject to paragraph (3), any contractor of an agency or recipient of a grant from an agency that has a reasonable basis to conclude that an incident involving Federal information has occurred shall immediately notify the agency.

“(2) PROCEDURES.—

“(A) COVERED INCIDENT.—Following notification of a covered incident by a contractor or recipient of a grant under paragraph (1), an agency, in consultation with the contractor or grant recipient, as applicable, shall carry out the requirements under sections 3592, 3593, and 3594 with respect to the covered incident.

“(B) INCIDENT.—Following notification of an incident by a contractor or recipient of a grant under paragraph (1), an agency, in consultation with the contractor or grant recipient, as applicable, shall carry out the requirements under section 3594 with respect to the incident.

“(3) APPLICABILITY.—This subsection shall apply to a contractor of an agency or a recipient of a grant from an agency that—

“(A) receives information from the agency that the contractor or recipient, as applicable, is not contractually authorized to receive;

“(B) experiences an incident relating to Federal information on an information system of the contractor or recipient, as applicable; or

“(C) identifies an incident involving a Federal information system.

“(b) Incident response.—Any contractor of an agency or recipient of a grant from an agency that has a reasonable basis to conclude that a covered incident occurred shall, in coordination with the agency, consult with the Cybersecurity and Infrastructure Security Agency regarding—

“(1) incident response assistance; and

“(2) recommendations for mitigating future incidents at the agency.

“(c) Effective date.—This section shall apply on and after the date that is 1 year after the date of enactment of the Federal System Incident Response Act of 2020.

§ 3596. Training

“(a) In general.—Each agency shall develop training for individuals at the agency with access to Federal information or information systems on how to identify and respond to an incident, including—

“(1) the internal process at the agency for reporting an incident; and

“(2) the obligation of the individual to report to the agency not only a confirmed covered incident, but also a suspected incident, involving information in any medium or form, including paper, oral, and electronic.

“(b) Applicability.—The training developed under subsection (a) shall—

“(1) be required for an individual before the individual may access Federal information or information systems; and

“(2) apply to individuals with temporary access to Federal information or information systems, such as detailees, contractors, subcontractors, grantees, volunteers, and interns.

“(c) Inclusion in annual training.—The training developed under subsection (a) may be included as part of an annual privacy or security awareness training of the agency, as applicable.

§ 3597. Analysis and report on Federal incidents

“(a) Analysis of Federal incidents.—

“(1) IN GENERAL.—The Director of the Cybersecurity and Infrastructure Security Agency shall perform continuous monitoring of incidents of Federal information systems.

“(2) QUANTITATIVE AND QUALITATIVE ANALYSES.—The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall develop and perform quantitative and qualitative analyses of incidents of Federal information systems, including—

“(A) the causes of incidents, including—

“(i) attacker tactics, techniques, and procedures; and

“(ii) system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations;

“(B) the scope and scale of incidents within the agency networks and systems;

“(C) cross Federal Government root causes of incidents;

“(D) agency response, recovery, and remediation actions and effectiveness of incidents; and

“(E) lessons learned and recommendations in responding, recovering, remediating, and mitigating future incidents.

“(3) SHARING OF ANALYSIS.—The Director shall share on an ongoing basis the analyses required under this subsection with Federal agencies.

“(b) Report on Federal incidents.—Not later than 2 years after the date of enactment of this section, and not less frequently than every year thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director and the Director of the Federal Bureau of Investigation, shall submit to the appropriate congressional committees a report that includes—

“(1) a summary of causes of incidents from across the Federal Government; and

“(2) the quantitative and qualitative analyses of incidents developed under subsection (a)(2).

“(c) Publication.—A version of each report submitted under subsection (b) shall be made publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year in which the report is submitted.

“(d) Information provided by agencies.—The analysis required under subsection (a) and each report submitted under subsection (b) shall utilize information provided by agencies pursuant to section 3594(d).

“(e) Requirement To anonymize information.—In sharing the analysis required under subsection (a) and preparing each report under subsection (b), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently anonymize and compile information such that no specific incidents of an agency can be identified, except with the concurrence of the Director of the Office of Management and Budget.”.

(b) Responsibilities of the Cybersecurity and Infrastructure Security Agency.—

(1) RECOMMENDATIONS.—Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director of the Federal Trade Commission, the Director of the Securities and Exchange Commission, the Secretary of the Treasury, the Director of the Federal Bureau of Investigation, the Director of the National Institute of Standards and Technology, and the head of any other appropriate Federal or non-Federal entity, shall consolidate, maintain, and make publicly available recommendations for individuals whose sensitive personal information, as defined in section 3591 of title 44, United States Code, as added by this Act, is inappropriately exposed.

(2) PLAN FOR ANALYSIS OF, AND REPORT ON, FEDERAL INCIDENTS.—

(A) IN GENERAL.—Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall—

(i) develop a plan for the development of the analysis required under section 3597(a) of title 44, United States Code, as added by subsection (a), and the report required under subsection (b) of that section that includes—

(I) a description of any challenges the Director anticipates encountering; and

(II) the use of automation for collecting, compiling, monitoring, and analyzing data; and

(ii) provide to the appropriate congressional committees a briefing on the plan developed under clause (i).

(B) BRIEFING.—Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate congressional committees a briefing on—

(i) the execution of the plan required under subparagraph (A); and

(ii) the development of the report required under section 3597(b) of title 44, United States Code, as added by this Act.

(c) Responsibilities of the Director of the Office of Management and Budget.—

(1) FISMA.—Section 2(b) of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3554 note) is amended to read as follows:

“(b) Major incident.—

“(1) IN GENERAL.—The Director of the Office of Management and Budget shall develop guidance on what constitutes a major incident for purposes of section 3554(b) of title 44, United States Code, as added by subsection (a).

“(2) EVALUATION AND UPDATES.—Not later than 2 years after the date of enactment of the Federal System Incident Response Act of 2020, and not less frequently than every 2 years thereafter, the Director of the Office of Management and Budget shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives an evaluation, which shall include—

“(A) an update, if necessary, to the definition of a major incident, as defined by the Director pursuant to section 3554(b) of this title;

“(B) the criteria of an incident that designates such an incident as a major incident;

“(C) an explanation for the analysis leading to the criteria in subparagraph (B); and

“(D) an assessment of any additional datasets that may be considered sensitive personal information, as defined in section 3591 of this title.”.

(2) INCIDENT DATA SHARING.—

(A) IN GENERAL.—The Director shall develop guidance, to be updated not less frequently than every 2 years, on the content and format of the data to be made available by agencies pursuant to section 3594(a) of title 44, United States Code, as added by this Act.

(B) REQUIREMENTS.—The guidance developed under subparagraph (A) shall—

(i) prioritize data availability necessary to understand and analyze—

(I) the causes of incidents, as defined in section 3591 of title 44, United States Code, as added by this Act;

(II) the scope and scale of incidents within the agency networks and systems;

(III) cross Federal Government root causes of incidents; and

(IV) agency response, recovery, and remediation actions and effectiveness of incidents;

(ii) enable the efficient development of—

(I) lessons learned and recommendations in responding, recovering, remediating, and mitigating future incidents; and

(II) the report of Federal incidents pursuant to section 3597 of title 44, United States Code, as added by this Act;

(iii) include requirements for the timeliness of data availability; and

(iv) include requirements for using automation for data sharing and availability.

(3) DEFINITION GUIDANCE.—Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and in consultation with the Privacy and Civil Liberties Oversight Board, shall develop guidance, to be reviewed and, if necessary, updated not less frequently than once every 2 years, on the interpretation of the terms “substantial harm”, “physical harm”, “embarrassment”, or “unfairness to an individual”, as used in the definition of the term “sensitive personal information” in section 3591 of title 44, United States Code, as added by this Act.

(4) STANDARD GUIDANCE AND TEMPLATES.—Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop guidance and templates, to be reviewed and, if necessary, updated not less frequently than once every 2 years, for use by Federal agencies in the activities required under sections 3592, 3593, and 3596 of title 44, United States Code, as added by this Act.

(5) CONTRACTOR AND GRANTEE GUIDANCE.—

(A) IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Administrator of General Services, and the heads of other agencies determined appropriate by the Director, shall issue guidance to Federal agencies on how to deconflict existing regulations, policies, and procedures relating to the responsibilities of contractors and grant recipients established under section 3595 of title 44, United States Code, as added by this Act.

(B) EXISTING PROCESSES.—To the greatest extent practicable, the guidance issued under subparagraph (A) shall allow contractors and grantees to utilize existing processes for notifying Federal agencies of incidents involving information of the Federal Government.

(6) UPDATED BRIEFINGS.—Not less frequently than once every 2 years, the Director shall provide to the appropriate congressional committees an update on the guidance and templates developed under paragraphs (2), (3), and (4).

(d) Update to the Privacy Act of 1974.—Section 552a(b) of title 5, United States Code (commonly known as the “Privacy Act of 1974”) is amended—

(1) in paragraph (11), by striking “or” at the end;

(2) in paragraph (12), by striking the period at the end and inserting “; and”; and

(3) by adding at the end the following:

“(13) to another agency in furtherance of a response to an incident (as defined in section 3552 of title 44) and pursuant to the information sharing requirements in section 3594 of title 44 if the head of the requesting agency has made a written request to the agency that maintains the record specifying the particular portion desired and the activity for which the record is sought.”.

(e) Technical and conforming amendment.—The table of sections for chapter 35 of title 44, United States Code, is amended by adding at the end the following:

“SUBCHAPTER IV—FEDERAL INFORMATION SYSTEM INCIDENT RESPONSE


“3591. Definitions.

“3592. Notification to impacted individuals involving sensitive personal information.

“3593. Congressional notifications and reports.

“3594. Government information sharing and incident response.

“3595. Responsibilities of contractors and grant recipients.

“3596. Training.

“3597. Analysis and report on Federal incidents.”.