S. 2521 (113th Congress): Became Law

Federal Information Security Modernization Act of 2014

(This measure has not been amended since it was passed by the Senate on December 8, 2014. The summary of that version is repeated here.)

Federal Information Security Modernization Act of 2014 - Amends the Federal Information Security Management Act of 2002 (FISMA) to: (1) reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies and practices, and (2) set forth authority for the Secretary of Homeland Security (DHS) to administer the implementation of such policies and practices for information systems.

Requires the Secretary to develop and oversee implementation of operational directives requiring agencies to implement the Director's standards and guidelines for safeguarding federal information and systems from a known or reasonably suspected information security threat, vulnerability, or risk. Authorizes the Director to revise or repeal operational directives that are not in accordance with the Director's policies.

Requires the Secretary (currently, the Director) to ensure the operation of the federal information security incident center (FISIC).

Directs the Secretary to administer procedures to deploy technology, upon request by an agency, to assist the agency to continuously diagnose and mitigate against cyber threats and vulnerabilities.

Requires the Director's annual report to Congress regarding the effectiveness of information security policies to assess agency compliance with OMB data breach notification procedures.

Provides for OMB's information security authorities to be delegated to the Director of National Intelligence (DNI) for certain systems operated by an element of the intelligence community.

Directs the Secretary to consult with and consider guidance developed by the National Institute of Standards and Technology (NIST) to ensure that operational directives do not conflict with NIST information security standards.

Directs agency heads to ensure that: (1) information security management processes are integrated with budgetary planning; (2) senior agency officials, including chief information officers, carry out their information security responsibilities; and (3) all personnel are held accountable for complying with the agency-wide information security program.

Provides for the use of automated tools in agencies' information security programs, including for periodic risk assessments, testing of security procedures, and detecting, reporting, and responding to security incidents.

Requires agencies to include offices of general counsel as recipients of security incident notices. Requires agencies to notify Congress of major security incidents within seven days after there is a reasonable basis to conclude that a major incident has occurred.

Directs agencies to submit an annual report regarding major incidents to OMB, DHS, Congress, and the Comptroller General (GAO). Requires such reports to include: (1) threats and threat actors, vulnerabilities, and impacts; (2) risk assessments of affected systems before, and the status of compliance of the systems at the time of, major incidents; (3) detection, response, and remediation actions; (4) the total number of incidents; and (5) a description of the number of individuals affected by, and the information exposed by, major incidents involving a breach of personally identifiable information.

Authorizes GAO to provide technical assistance to agencies and inspectors general, including by testing information security controls and procedures.

Requires OMB to ensure the development of guidance for: (1) evaluating the effectiveness of information security programs and practices, and (2) determining what constitutes a major incident.

Directs FISIC to provide agencies with intelligence about cyber threats, vulnerabilities, and incidents for risk assessments.

Directs OMB, during the two-year period after enactment of this Act, to include in an annual report to Congress an assessment of the adoption by agencies of continuous diagnostics technologies and other advanced security tools.

Requires OMB to ensure that data breach notification policies require agencies, after discovering an unauthorized acquisition or access, to notify: (1) Congress within 30 days, and (2) affected individuals as expeditiously as practicable. Allows the Attorney General, heads of elements of the intelligence community, or the DHS Secretary to delay notice to affected individuals for purposes of law enforcement investigations, national security, or security remediation actions.

Requires OMB to amend or revise OMB Circular A-130 to eliminate inefficient and wasteful reporting.

Directs the Information Security and Privacy Advisory Board to advise and provide annual reports to DHS.

Became Public Law No: 113-283.

Sponsor: Sen. Carper, Thomas R. [D-DE]
Cosponsors: 1 (1 R)
1 cosponsor, 2 committees, 23 actions, 1 amendment, 1 related bill, 9 subjects

Text versions:
  • Enrolled Bill
  • Engrossed in Senate (Dec 8, 2014)
  • Reported to Senate (Sep 15, 2014)
  • Introduced in Senate (Jun 24, 2014)
  • Public Law (Dec 19, 2014)

Actions (most recent first):
  1. President: Became Public Law No: 113-283.
  2. Became Law: Became Public Law No: 113-283.
  3. President: Signed by President.
  4. Became Law: Signed by President.
  5. Floor: Presented to President.
  6. President: Presented to President.
  7. Floor: Motion to reconsider laid on the table. Agreed to without objection.
  8. Floor: On passage, passed without objection. (text: CR H8994-8998)
  9. Floor: Passed/agreed to in House: On passage, passed without objection. (text: CR H8994-8998)
  10. Floor: Considered by unanimous consent. (consideration: CR H8994-8998)
  11. Floor: Mr. Meadows asked unanimous consent to take from the Speaker's table and consider.
  12. Floor: Held at the desk.
  13. Floor: Message on Senate action sent to the House.
  14. Floor: Received in the House.
  15. Floor: Passed Senate with an amendment by voice vote.
  16. Floor: Passed/agreed to in Senate: Passed Senate with an amendment by voice vote.
  17. Floor: Measure laid before Senate by unanimous consent. (consideration: CR S6395)
  18. Calendars: Placed on Senate Legislative Calendar under General Orders. Calendar No. 564.
  19. Committee: Committee on Homeland Security and Governmental Affairs. Reported by Senator Carper without amendment. With written report No. 113-256.
  20. Committee: Committee on Homeland Security and Governmental Affairs. Reported by Senator Carper without amendment. With written report No. 113-256.
  21. Committee: Committee on Homeland Security and Governmental Affairs. Ordered to be reported favorably without amendment.
  22. IntroReferral: Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
  23. IntroReferral: Introduced in Senate.

Summary history:

Dec 18, 2014; Dec 10, 2014; Dec 8, 2014: the summary recorded for each of these versions is the same text as the summary above (the measure was not amended after the Senate passed it on December 8, 2014).

Sep 15, 2014

(This measure has not been amended since it was introduced. The summary of that version is repeated here.)

Federal Information Security Modernization Act of 2014 - Amends the Federal Information Security Management Act of 2002 (FISMA) to: (1) reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies, and (2) set forth authority for the Secretary of Homeland Security (DHS) to carry out the operational aspects of such policies for information systems.

Requires the Secretary to develop and oversee implementation of operational directives to agencies to implement the Director's standards and guidelines, as well as the requirements of this Act. Authorizes the Director to repeal operational directives that are not in accordance with the Director's policies.

Requires the Secretary (currently, the Director) to ensure the operation of the federal information security incident center (FISIC).

Provides for OMB's information security authorities to be delegated to the Director of National Intelligence (DNI) for certain systems operated by an element of the intelligence community.

Directs agency heads to ensure that: (1) senior agency officials, including chief information officers, carry out their information security responsibilities; and (2) all personnel are held accountable for complying with the agency-wide information security program.

Requires agencies to notify Congress of discovered security incidents within seven days.

Directs agencies to submit an annual report regarding major incidents to OMB, DHS, Congress, and the Comptroller General (GAO).

Authorizes GAO to provide technical assistance to agencies and inspectors general, including by testing information security controls and procedures.

Directs FISIC to provide agencies with intelligence about cyber threats, vulnerabilities, and incidents for risk assessments.

Requires OMB to revise OMB Circular A-130 to eliminate inefficient and wasteful reporting.

Directs the Information Security and Privacy Advisory Board to advise and provide annual reports to DHS.

Requires OMB to establish procedures for agencies to follow in the event of a breach involving disclosure of personally identifiable information, including requirements for notice to affected individuals, FISIC, and Congress.

Jun 24, 2014: the summary recorded for the introduced version is the same text as the Sep 15, 2014 version above.