H.R. 451

Safe and Secure Federal Websites Act of 2015

Summary (Jan 6, 2016)

This bill establishes security and privacy requirements for new federal websites that collect personally identifiable information (PII) (i.e., information that can be used to distinguish or trace the identity of an individual or that is linked or linkable to an individual).

(Sec. 2) A federal agency may not deploy or make available to the public a new federal PII website until the agency's chief information officer (CIO) certifies to Congress that the website is fully functional and secure. The CIO must make such certification within 90 days after enactment of this Act. After such 90-day period, any new federal PII website that has not been certified must be rendered inaccessible until certification is submitted.

The prohibition does not apply to a website that is: (1) operated entirely by an entity that is independent of the federal government, or (2) in a development or testing phase (beta website). The exemption for beta websites applies only if: (1) a member of the public may access PII-related portions of the website only after executing an agreement that acknowledges the risks involved; and (2) no agency compelled, enjoined, or otherwise provided incentives for a member of the public to access such website.

The bill defines a "new federal PII website" as a website that: (1) is operated by (or under contract with) an agency; (2) elicits, collects, stores, or maintains PII and is accessible to the public; and (3) is first made accessible to the public and collects or stores PII on or after October 1, 2012. The bill also sets forth requirements that must be met to deem a new federal PII website as "secure."

(Sec. 3) The Director of the Office of Management and Budget (OMB) must establish and oversee policies and procedures for federal agencies to follow in the event of a breach of information security involving the disclosure of PII, including: (1) notice, not later than 72 hours after discovery of a breach or possible breach, to individuals whose PII could be compromised; and (2) timely reporting to a federal cybersecurity center designated by the OMB and defined in this Act.

Agency heads must ensure that agency actions taken in response to a breach of information security involving the disclosure of PII comply with OMB policies and procedures established by this Act. The OMB must report to Congress, not later than March 1 of each year, on agency compliance with such policies and procedures.

A "federal cybersecurity center" is defined to include: (1) the Department of Defense Cyber Crime Center, (2) the Intelligence Community Incident Response Center, (3) the U.S. Cyber Command Joint Operations Center, (4) the National Cyber Investigative Task Force, (5) the Central Security Service Threat Operations Center of the National Security Agency, (6) the U.S. Computer Emergency Readiness Team, and (7) any center that the OMB determines is appropriate to carry out privacy breach notice and reporting requirements.

Placed on the Union Calendar, Calendar No. 293.

Sponsor: Rep. Fleischmann, Charles J. "Chuck" [R-TN-3]

Cosponsors: 38 (38 R)

Actions (most recent first):

  1. Placed on the Union Calendar, Calendar No. 293.
  2. Reported (Amended) by the Committee on Oversight and Government Reform. H. Rept. 114-390.
  3. Ordered to be Reported (Amended) by Voice Vote (Committee on Oversight and Government Reform).
  4. Committee Consideration and Mark-up Session Held (Committee on Oversight and Government Reform).
  5. Referred to the House Committee on Oversight and Government Reform.
  6. Introduced in House.

Summary (Jan 21, 2015)

Safe and Secure Federal Websites Act of 2015

Prohibits a federal agency from deploying or making available to the public a new federal personally identifiable information website (new Federal PII Website) until the chief information officer of the agency submits a certification to Congress that the website is fully functional and secure, as those terms are defined by this Act. Defines "new Federal PII website" as a website that: (1) is operated by (or under contract with) an agency; (2) elicits, collects, stores, or maintains personally identifiable information (i.e., information that can be used to identify an individual, such as a social security number, a date and place of birth, a mother's maiden name, biometric records, or other information linked to an individual); and (3) is first made accessible to the public and collects or stores personally identifiable information on or after October 1, 2012.

Exempts beta websites designed for testing and development if users execute an agreement acknowledging the risks involved.

Directs the Director of the Office of Management and Budget (OMB) to establish and oversee policies and procedures for federal agencies to follow in the event of a breach of information security involving the disclosure of personally identifiable information, including: (1) notice, not later than 72 hours after discovery of a breach or possible breach, to individuals whose personally identifiable information could be compromised as a result of such breach; (2) timely reporting to a federal cyber security center designated by this Act; and (3) any additional actions that the Director finds necessary and appropriate.

Requires: (1) agency heads to ensure that agency actions taken in response to a breach comply with OMB policies and procedures established by this Act; and (2) the OMB Director to report to Congress, not later than March 1 of each year, on agency compliance with such policies and procedures.
