H.R. 1163: “The Federal Information Security Amendments Act of 2013”, which orders standards and oversight of information security systems, has a good chance of becoming law as it passed the House unanimously.
Passed the House on Tuesday, April 16, 2013.
*Get all the details on this bill in podcast episode CD024: Let’s Gut the STOCK Act
Section 2: Replaces language in the U.S. Code
The new language says:
- Provide a framework for the coordination of information security between civilian, national security, and law enforcement communities.
- Focus on automated and continuous monitoring of information systems.
- Acknowledge “market solutions for the protection of critical information systems important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector.”
“Information systems” include:
- Computer networks
- Technical support services
“National security system” includes:
- Any information system, including telecommunications systems, used or operated by a government agency or by a private contractor under government contract, that involves intelligence gathering, code breaking, command and control of military forces, or equipment important to weapons systems.
The government will:
- Implement information security policies and compliance standards, taking the seriousness of the risk into account, and review their effectiveness annually.
- Provide information security protections “commensurate with the risk” associated with unauthorized access, use, sharing, modification, or destruction of information collected by or for the government by private contractors.
- Maintain secure facilities for storing classified information.
- Maintain enough staff with security clearances to analyze classified information.
- Test and evaluate information security systems.
- Conduct threat assessments.
- Establish an automated and continuous monitoring system that will detect, report within 48 hours, and respond to incidents non-stop.
Every agency needs to submit a detailed annual report on its information security systems and policies.
The bill creates a federal information security incident center.
The bill would make the changes to the U.S. Code effective 30 days after the bill’s passage.