Sunday, June 16, 2024

July 27, 2000: Congressional Record publishes “INTRODUCTION OF THE FEDERAL INFORMATION POLICY ACT OF 2000”

Volume 146, No. 100 covering the 2nd Session of the 106th Congress (1999 - 2000) was published by the Congressional Record.

The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.

“INTRODUCTION OF THE FEDERAL INFORMATION POLICY ACT OF 2000” mentioning the Environmental Protection Agency was published in the Extensions of Remarks section on pages E1355-E1357 on July 27, 2000.

The publication is reproduced in full below:

INTRODUCTION OF THE FEDERAL INFORMATION POLICY ACT OF 2000

______

HON. THOMAS M. DAVIS

of Virginia

in the House of Representatives

Thursday, July 27, 2000

Mr. DAVIS of Virginia. Mr. Speaker, I rise today to introduce legislation that will endow the Federal Government with the ability to better coordinate and manage information technology policies governmentwide and transform the Federal Government into a national model for information resources management and information security practices. The Federal Information Policy Act [FIPA] of 2000 establishes an Office of Information Policy with a Chief Information Officer [CIO] for the United States and creates within that body, an Office of Information Security and Technical Protection [IN STEP]. This legislation harmonizes existing information resources management responsibilities now held by OMB and provides IN STEP with the responsibility for facilitating the development of a comprehensive, federal framework for devising and implementing effective, mandatory controls over government information security. In this latter respect, the Act is the logical complement to legislation I introduced in April, the Cyber Security Information Act of 2000, which seeks to encourage private sector information sharing with government in order to protect our national critical infrastructure. The Federal Information Policy Act will force the Federal Government to put its house in order and become a reliable public partner for protecting America's information highways.

For nearly four decades, information technology has been an integral component of information resources management [IRM] by the Federal Government. The Government's role as the single largest procurer of IT products and services in the 1960s and 1970s spurred the development of the U.S. computer industries that now form the backbone of our nation's New Economy. A decade ago, technology stood as one of many factors important to the mission and performance objectives of the Federal Government. Now both our economy and our society have become information-driven, such that IT plays the critical role in facilitating the Federal Government's ability to be effective and efficient in managing federal programs and spending, communicating with and providing services to citizens, and protecting America's critical infrastructure.

Five years ago, Congress recognized the crucial role played by technology when we called on the Administration to appoint a top-level officer to focus exclusively on the Year 2000 computer problem that threatened to undermine national commerce and government. This determination--that a single individual was needed to coordinate national and local cooperation to remediate computer systems and develop contingency plans--was based in part on an understanding of the interconnectivity of information systems within government, between government and the private sector, and within the private sector. The President heeded our

Moreover, the Year 2000 computer problem highlighted two important deficiencies in the current Federal IRM structure. First, the Y2K scenario presented an important reminder that technology does not fill some amorphous role within the Federal Government. It is the ubiquitous thread that binds the operations of the Federal Government, and its efficient or inefficient use will make or break the ability of government to perform everything from the most mundane of governmental functions to the most critical national security measures. Second, the high degree of interdependence between information systems, both internally and externally, exposes the vulnerability of the Federal Government's computer networks to both benign and destructive disruptions. This factor is tremendously important to understanding how we devise a comprehensive and flexible strategy for coordinating, implementing and maintaining federal information security practices throughout the Federal Government as the rising threat of electronic terrorism emerges.

In following the lessons learned from the Y2K problem as well as the recent Love Bug viruses that affected many federal computer systems, the Federal Information Policy Act accomplishes four main purposes: (1) to revise chapter 35 of title 44 of the U.S. Code to establish a Federal Chief Information Officer to head the Office of Information Policy (OIP) within the Executive Office of the President; (2) to consolidate and centralize IRM powers currently allotted to the Office of Management and Budget [OMB] within the OIP; (3) to establish within the OIP the Office of Information Security and Technical Protection [IN STEP]; and (4) to establish a comprehensive framework implementing mandatory information security standards, and annual independent evaluations of agency practices in order to provide effective controls over Federal information resources. The Act creates a new chapter 36 to retain OMB's paperwork clearance functions that are currently contained in chapter 35 and are performed by the Office of Information and Regulatory Affairs.

This past May, at the Center for Innovative Technology in my congressional district, the House Government Reform Subcommittee on Government Management, Information, and Technology held a hearing in which we explored the strategies and challenges facing government in implementing electronic government initiatives. We learned that while electronic government initiatives promise to provide faster, more efficient, and convenient services, the Internet sets forth a wide array of challenges that must be addressed in order for the lower costs and improved customer service associated with electronic government to be realized. These include theft, fraud, consumer privacy protection, and the destruction of assets. To meet those challenges, the General Accounting Office [GAO] testified that ``effective top management leadership, involvement, and ownership are a cornerstone of any information technology investment strategy.''

The Paperwork Reduction Act [PRA] established the Office of Information and Regulatory Affairs [OIRA] within OMB and gave the Office the authority to reduce unnecessary

I am deeply concerned that current federal IRM policies are suffering from the lack of a focused, coordinating body. The Clinger-Cohen Act, passed in the 104th Congress, made an important contribution to Federal IT policy by mandating that federal agencies appoint Chief Information Officers and by recognizing the need to coordinate and facilitate interagency IT communication and policies, a role given to OMB. But having each agency develop IT policies independently of one another poses the potential risk of having a government unable to communicate and function amongst its own parts. A central IT management process is essential if government is going to be able to successfully achieve cost benefits similar to those experienced in the private sector and improve its responsiveness to the public through e-government initiatives and better-performing Federal operations. And that coordinating entity must be capable of deploying comprehensive policies that reflect the interdependence of federal information systems.

With its many management responsibilities, OMB is simply unable to devote the attention needed for effective IRM. FIPA creates a CIO of the United States to fulfill that coordinating role, acting as the principal adviser to the President on the development, application and management of information technology government-wide. He or she will be able to encourage innovation in technology uses, coordinate interagency IRM initiatives and communication, and promote cost-effective investments in information technologies. The Act also formalizes the establishment of the Chief Information Officers Council, which currently exists by virtue of a 1996 Executive Order. Made up of the CIOs from the major Federal agencies, the CIO Council provides an important forum for interagency communication and for improving IT management policies, procedures, and standards. The Federal CIO will chair the Council, a position now held by the Deputy Director for Management at OMB, and must submit an annual report to the President and Congress on its achievements and recommendations for future initiatives.

A Federal CIO will allow OIRA to concentrate and improve on the critical function of paperwork reduction that is so important to our continued efforts to minimize bureaucratic burdens on individuals, small businesses, and others resulting from the collection of information by or for the Federal Government. It is for this reason that the paperwork clearance functions are maintained in FIPA.

Equally critical is the ability of the Federal Government to anticipate, monitor, and recover from intrusions into Federal computer networks. This important objective was detailed in the President's National Plan for Information Systems Protection, Version 1.0, issued in January 2000. Many sectors of the government have experienced, at one time or another, cyber security breaches. Under current law, rules and regulations governing the security of federal computer

Certainly, each Federal agency must bear the responsibility for assessing risk, detecting and responding to security incidents, and protecting its own operations and assets. It is for this reason that this legislation also adapts many of the provisions contained in the Government Information Security Act championed by Senate Governmental Affairs Committee Chairman Fred Thompson. It requires every Federal agency to develop and implement security policies that include risk assessment, risk-based policies, security awareness training, and periodic reviews.

However, in a March 2000 Senate hearing on the Government Information Security Act, the GAO pointed to compelling reasons for establishing strong central leadership for coordinating information security-related activities across government. Foremost is the inadequacy of information-sharing among agencies regarding vulnerabilities and solutions to those weaknesses, as well as the lack of a clear mandate for handling and reporting security incidents affecting federal information systems.

For instance, in a March 29, 2000 hearing, the House Government Reform Subcommittee on Government Management, Information and Technology examined the state of information security practices throughout the Federal Government. GAO shared its most recent review at that time of the Environmental Protection Agency [EPA]. Its tests found ``numerous security weaknesses associated with the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations.'' Indeed, the EPA had recorded several serious computer incidents within the last two years but the GAO indicated that EPA's subsequent methods for strengthening its security procedures were inadequate. In an earlier report, the GAO stated that ``resolving EPA's information security problems will require substantial ongoing management attention since security program planning and management to date have largely been a paper exercise doing little to substantively identify, evaluate, and mitigate risks to the agency's data and systems.''

As part of its testimony, the GAO referred to earlier findings that 22 of the largest federal agencies were providing inadequate protection for critical federal operations and assets from computer-based attacks. GAO reported that within the past year, it was able to identify systemic weaknesses in the information security practices of the Department of Defense, the National Aeronautics and Space Administration, the Department of State, and the Department of Veterans Affairs. In each instance, sensitive data and/or mission-critical systems were penetrable by unauthorized users.

These results reflect government-wide systemic weaknesses and follow numerous GAO audits which have repeatedly identified serious failures in the most basic access controls for Federal information systems. In its May 1999 tests of NASA's computer-based controls, GAO was able to successfully gain access to several mission-critical systems, and could have easily disrupted command and control operations conducted through orbiting spacecraft. An independent auditor found last August that the State Department's mainframe computer was extremely vulnerable to unauthorized access that could expose, in turn, other computer operations connected to those mainframe computers. These are just a few examples of the many troubling indicators that currently plague Federal agency information security practices.

Another key challenge to making the Federal Government more secure lies in the mindset of many federal agencies vis-a-vis the importance of information security to their operations and assets. For many, implementing best practices for controlling and protecting information resources is a low priority. A centralized leader would be able to make information security one of the top priority missions of the Federal Government. It is this overarching responsibility that is given to the United States CIO in the Act, and is subsequently delegated to the Director of IN STEP. In establishing government-wide policies, the IN STEP Director will direct the implementation of a continuing risk management cycle within each Federal agency, implement effective controls on information to address identified risks, promote awareness of information security risks among users, and act as a continual monitor and evaluator of policy and control effectiveness of information security practices.

In addition, the Federal Information Policy Act tightens the responsibilities of each Federal agency for implementing security procedures and policies that ensure the protection of its information systems. The CIO, in consultation with the Director of IN STEP, will have enforcement authority over individual agencies through his or her ability to make recommendations to the Director of OMB with respect to funding for information resources. This provision is necessary to ensure that IN STEP can ensure accountability within each agency for information security management.

And finally, two other important features are included that are vital for the long-term development of flexible and responsive information security controls. The first is investing authority in the Director of IN STEP, through the CIO, to require Federal agencies to identify and classify the security risks associated with each of their information operations, and to calculate the risk and magnitude of harm that would result from an intrusion. IN STEP will have simultaneous authority to oversee the development and implementation of mandatory minimum control standards developed by NIST, that would be required for each classification. For this purpose, final authority is given to the CIO, in consultation with the Secretary of Commerce, to decide and officially issue the standards. And the Act requires the Inspector General or an independent evaluator to conduct an independent evaluation of the information security program and practices of each agency on an annual basis, which will subsequently be reported to the U.S. CIO.

At the time when the growth and success of our competitive national economy is clearly demonstrating a correlation to the Information Revolution, the Federal Information Policy Act will secure the ability of our Federal Government to fully utilize information technology in order to better serve American citizens. And in a time when any entity--including government--that is connected to a computer needs to make information security a priority, we are finding that the Federal Government is dangerously behind the curve. We are losing time. FIPA will spur the actions needed to achieve readiness against future cyber security threats in a uniform and coordinated process. It is my hope that Congress will act on this measure as soon as possible so that the Federal Government will move forward and become a leader in the management and protection of governmental information systems.

____________________

SOURCE: Congressional Record Vol. 146, No. 100