Short title

This Act may be cited as the

Homeland Security Network Defense and Accountability Act of 2008

Authority of Chief Information Officer; qualifications for appointment

Section 703(a) of the Homeland Security Act of 2002 (6 U.S.C. 343(a)) is amended— (1)by inserting before the first sentence the following:

(1)

Authorities and duties

The Secretary shall delegate to the Chief Information Officer such authority necessary for the development, approval, implementation, integration, and oversight of policies, procedures, processes, activities, funding, and systems of the Department relating to the management of information and information infrastructure for the Department, including the management of all related mission applications, information resources, and personnel. (2)

Line authority

; and

(2)by adding at the end the following new paragraphs:

(3)

Qualifications for appointment

An individual may not be appointed as Chief Information Officer unless the individual has— (A)demonstrated ability in and knowledge of information technology and information security; and (B)not less than 5 years of executive leadership and management experience in information technology and information security in the public or private sector. (4)

Functions

The Chief Information Officer shall— (A)establish and maintain an incident response team that provides a continuous, real-time capability within the Department of Homeland Security to— (i)detect, respond to, contain, investigate, attribute, and mitigate any computer incident, as defined by the National Institute of Standards and Technology, that could violate or pose an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices of the Department; and (ii)deliver timely notice of any incident to individuals responsible for information infrastructure of the Department, and to the United States Computer Emergency Readiness Team; (B)establish, maintain, and update a network architecture, including a diagram detailing how security controls are positioned throughout the information infrastructure of the Department to maintain the confidentiality, integrity, availability, accountability, and assurance of electronic information; and (C)ensure that vulnerability assessments are conducted on a regular basis for any Department information infrastructure connected to the Internet or another external network, and that vulnerabilities are mitigated in a timely fashion.

Attack-based testing protocols

Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is amended by adding at the end the following new subsection:

(c)

Attack-based testing protocols

The Chief Information Officer, in consultation with the Inspector General, the Assistant Secretary for Cybersecurity, and the heads of other appropriate Federal agencies, shall— (1)establish security control testing protocols that ensure that the Department’s information infrastructure is effectively protected against known attacks against and exploitations of Federal and contractor information infrastructure; (2)oversee the deployment of such protocols throughout the information infrastructure of the Department; and (3)update such protocols on a regular basis.

Inspector General reviews of information infrastructure

Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is further amended by adding at the end the following new subsection:

(d)

Inspector General reviews

(1)

In general

The Inspector General of the Department shall use authority under the Inspector General Act of 1978 (5 App. U.S.C.) to conduct announced and unannounced performance reviews and programmatic reviews of the information infrastructure of the Department to determine the effectiveness of security policies and controls of the Department. (2)

Performance reviews

Performance reviews under this subsection shall test and validate a system’s security controls using the protocols created under subsection (c), beginning not later than 270 days after the date of enactment of the Homeland Security Network Defense and Accountability Act of 2008. (3)

Programmatic reviews

Programmatic reviews under this subsection shall— (A)determine whether an agency of the Department is complying with policies, processes, and procedures established by the Chief Information Officer; and (B)focus primarily on authentication, access control, risk management, intrusion detection and prevention, incident response, risk assessment, remote access, and any other controls the Inspector General considers necessary. (4)

Information security report

The Inspector General shall submit a security report containing the results of each review under this subsection and prioritized recommendations for improving security controls based on that review, including recommendations regarding funding changes and personnel management, to— (A)the Secretary; (B)the Chief Information Officer; and (C)the head of the Department component that was the subject of the review, and other appropriate individuals responsible for the information infrastructure of such agency. (5)

Corrective action report

(A)

In general

Within 60 days after receiving a security report under paragraph (4), the head of the Department component that was the subject of the review and the Chief Information Officer shall jointly submit a corrective action report to the Secretary and the Inspector General. (B)

Contents

The corrective action report— (i)shall contain a plan for addressing recommendations and mitigating vulnerabilities contained in the security report, including a timeline and budget for implementing such plan; and (ii)shall note any matters in disagreement between the head of the Department component and the Chief Information Officer. (6)

Reports to Congress

(A)

Annual reports

In conjunction with the reporting requirements of section 3545 of title 44, United States Code, the Inspector General shall submit an annual report to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate— (i)summarizing the performance and programmatic reviews performed during the preceding fiscal year, the results of those reviews, and any actions that remain to be taken under plans included in corrective action reports under paragraph (5); and (ii)describing the effectiveness of the testing protocols developed under subsection (c) in reducing successful exploitations of the Department’s information infrastructure. (B)

Security reports and corrective action reports

The Inspector General shall make all security reports and corrective action reports available to any member of the Committee on Homeland Security of the House of Representatives, any member of the Committee on Homeland Security and Governmental Affairs of the Senate, and the Comptroller General of the United States, upon request.

Information infrastructure defined

Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is further amended by adding at the end the following:

(e)

Information infrastructure defined

In this section, the term information infrastructure means systems and assets used in processing, transmitting, receiving, or storing information electronically.

Network service providers

(a)

In general

Subtitle D of title VIII of the Homeland Security Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the following new section:

836.

Requirements for network service providers

(a)

Compatibility determination

(1)

In general

Before entering into or renewing a covered contract, the Secretary, acting through the Chief Information Officer, must determine that the contractor has an internal information systems security policy that complies with the Department’s information security requirements, including with regard to authentication, access control, risk management, intrusion detection and prevention, incident response, risk assessment, and remote access, and any other policies that the Secretary considers necessary to ensure the security of the Department’s information infrastructure. (2)

Limitation on public disclosures

The Chief Information Officer shall not disclose to the public any information provided for purposes of such determination, notwithstanding any other provision of Federal, State, or local law, including section 552 of title 5, United States Code. (b)

Contract requirements regarding security

The Secretary shall include in each covered contract provisions requiring the contractor to— (1)implement and regularly update the internal information systems security policy required under subsection (a); (2)maintain the capability to provide contracted services on a continuing and ongoing basis to the Department in the event of unplanned or disruptive event; and (3)deliver timely notice of any internal computer incident, as defined by the National Institute of Standards and Technology, that could violate or pose an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices at the Department, to the United States Computer Emergency Readiness Team and the incident response team established under section 703(a)(4). (c)

Contract requirements regarding subcontracting

The Secretary shall include in each covered contract— (1)a requirement that the contractor develop and implement a plan for the award of subcontracts, as appropriate, to small business concerns and disadvantaged business concerns in accordance with other applicable requirements, including the terms of such plan, as appropriate; and (2)a requirement that the contractor submit to the Secretary, during performance of the contract, periodic reports describing the extent to which the contractor has complied with such plan, including specification (by total dollar amount and by percentage of the total dollar value of the contract) of the value of subcontracts awarded at all tiers of subcontracting to small business concerns, including socially and economically disadvantaged small businesses concerns, small business concerns owned and controlled by service-disabled veterans, HUBZone small business concerns, small business concerns eligible to be awarded contracts pursuant to section 8(a) of the Small Business Act (15 U.S.C. 637(a)), and historically Black colleges and universities and Hispanic-serving institutions, tribal colleges and universities, and other minority institutions. (d)

Existing contracts

The Secretary shall, to the extent practicable under the terms of existing contracts, require each contractor who provides covered information services under a contract in effect on the date of the enactment of the Homeland Security Network Defense and Accountability Act of 2008 to comply with the requirements described in subsection (b). (e)

Definitions

For purposes of this section: (1)

Socially and economically disadvantaged small businesses concern, small business concern owned and controlled by service-disabled veterans, and HUBZone small business concern

The terms socially and economically disadvantaged small businesses concern, small business concern owned and controlled by service-disabled veterans, and HUBZone small business concern have the meanings given such terms under the Small Business Act (15 U.S.C. 631 et seq.). (2)

Contractor

The term contractor includes each subcontractor of a contractor. (3)

Covered contract

The term covered contract means a contract entered into or renewed after the date of the enactment of the Homeland Security Network Defense and Accountability Act of 2008 for the provision of covered information services. (4)

Covered information services

The term covered information services means creation, management, maintenance, control, or operation of information networks or Internet Web sites for the Department. (5)

Historically Black colleges and universities

The term historically Black colleges and universities means part B institutions under title III of the Higher Education Act of 1965 (20 U.S.C. 1061). (6)

Hispanic-serving institution

The term Hispanic-serving institution has the meaning given such term under title V of the Higher Education Act of 1965 (20 U.S.C. 1101a(a)(5)). (7)

Information infrastructure

The term information infrastructure has the meaning that term has under section 703. (8)

Tribal colleges and universities

The term tribal colleges and universities has the meaning given such term under the Tribally Controlled College or University Assistance Act of 1978 (25 U.S.C. 1801 et seq.).

(b)

Clerical amendment

The table of contents in section 1(b) of such Act is amended by inserting after the item relating to section 835 the following new item:

Sec. 836. Requirements for network service providers.

(c)

Report

Within 90 days after the date of enactment of this Act, the Secretary of Homeland Security shall transmit to the Committee on Homeland Security of the House of Representatives and the Homeland Security and Governmental Affairs Committee of the Senate a report describing— (1)the progress in implementing requirements issued by the Office of Management and Budget for encryption, authentication, Internet Protocol version 6, and Trusted Internet Connections, including a timeline for completion; (2)a plan, including an estimated budget and a timeline, to investigate breaches against the Department of Homeland Security’s information infrastructure for purposes of counterintelligence assessment, attribution, and response; (3)a proposal to increase threat information sharing with cleared and uncleared contractors and provide specialized damage assessment training to private sector information security professionals; and (4)a process to coordinate the Department of Homeland Security’s information infrastructure protection activities.