115th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Report 115-622
======================================================================
STB INFORMATION SECURITY IMPROVEMENT ACT
_______
April 5, 2018.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Shuster, from the Committee on Transportation and Infrastructure,
submitted the following
REPORT
[To accompany H.R. 4921]
[Including cost estimate of the Congressional Budget Office]
The Committee on Transportation and Infrastructure, to whom
was referred the bill (H.R. 4921) to require the Surface Board
of Transportation to implement certain recommendations of the
Inspector General of the Department of Transportation, having
considered the same, report favorably thereon with amendments
and recommend that the bill as amended do pass.
CONTENTS
Purpose of Legislation
Background and Need for Legislation
Hearings
Legislative History and Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority and Tax Expenditures
Congressional Budget Office Cost Estimate
Performance Goals and Objectives
Advisory of Earmarks
Duplication of Federal Programs
Disclosure of Directed Rule Makings
Federal Mandate Statement
Preemption Clarification
Advisory Committee Statement
Applicability of Legislative Branch
Section-by-Section Analysis of Legislation
Changes in Existing Law Made by the Bill, as Reported
The amendments are as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``STB Information Security Improvement
Act''.
SEC. 2. REQUIREMENTS.
(a) In General.--The Surface Transportation Board (in this section
referred to as the ``STB'') shall develop a timeline and plan to
implement the recommendations of the Inspector General of the
Department of Transportation in Report No. FI2018002, including
improvements--
(1) to identify controls, including risk management, weakness
remediation, and security authorization;
(2) to protect controls, including configuration management,
user identity and access management, and security training;
(3) to detect controls, including continuous monitoring;
(4) to respond controls, including incident handling and
reporting;
(5) to recover controls for contingency planning; and
(6) any additional tools that will improve the implementation
of the recommendations.
(b) Implementation.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the STB shall submit the plan and
timeline developed under subsection (a) to the Committee on
Transportation and Infrastructure of the House of
Representatives and the Committee on Commerce of the Senate.
(2) Report.--The STB shall report annually to such Committees
on the progress on implementation of the recommendations until
the implementation is complete.
(3) Plan implementation.--The STB shall designate an
individual to implement the plan developed under subsection
(a).
SEC. 3. NO ADDITIONAL FUNDS AUTHORIZED.
No additional funds are authorized to carry out the requirements of
this Act. Such requirements shall be carried out using amounts
otherwise authorized.
Amend the title so as to read:
A bill to require the Surface Transportation Board to
implement certain recommendations of the Inspector General of
the Department of Transportation.
PURPOSE OF LEGISLATION
H.R. 4921, the STB Information Security Improvement Act,
requires the Surface Transportation Board (STB) to develop a
timeline and plan to modernize its information security
program. The bill requires the STB to implement recommendations
from the Department of Transportation Inspector General (DOT
IG) Report Number FI2018002.
BACKGROUND AND NEED FOR LEGISLATION
In October 2017, the DOT IG published a report that
identified the STB's information security system to be at the
Ad Hoc maturity level. The Ad Hoc maturity level means that
policies, procedures, and strategy are not formalized and
activities are performed in a reactive manner. The report
outlined recommendations necessary for the STB to develop an
effective information security program. The DOT IG's report
made a series of recommendations to help STB improve its
information security systems. The DOT IG outlined issues with
the following:
(1) STB's Identify controls--risk management, weakness
remediation, and security authorization--were inadequate. STB
did not have a risk management program and its process to
reauthorize systems was inadequate.
(2) STB's Protect controls--configuration management, user
identity management, and security training--were inadequate.
Policy and procedures did not cover software patch installation
or parts of user identity management. Only 66 percent of STB
employees completed 2017 security awareness training.
(3) STB did not have a policy for Detect controls--to
identify cybersecurity incidents in an information security
continuous monitoring program--and lacked a monitoring
strategy.
(4) STB's Respond controls--incident handling and
reporting--were inadequate. The policy did not cover incident
response planning and analysis. STB had not collaborated with
DHS on incident response.
(5) STB had not implemented Recover controls for
contingency planning. STB lacked a plan for system recovery
after emergency shutdowns, impact analysis, alternative sites,
or data back-up.
As a result of its separation from DOT in December 2015,
the STB gained full control over its information security
program. With that control, the responsibility for putting
security controls in place now resides within the STB. While the STB issued policies in
May 2017 to create a cybersecurity program, the STB never
completed its implementation, leaving its information security
program encumbered by a number of weaknesses in five different
function areas. Effective information security programs are
necessary to ensure the STB can execute its mission safely and
effectively. The STB must strive to improve information
security systems to avoid an increasing risk of attack or
compromise.
HEARINGS
There were no hearings related to this legislation in the
House.
LEGISLATIVE HISTORY AND CONSIDERATION
On February 5, 2018, Representative Paul Mitchell (R-MI)
introduced H.R. 4921, the STB Information Security Improvement
Act. On February 14, 2018, the Committee on Transportation and
Infrastructure met in open session to consider H.R. 4921. An
amendment was offered in Committee by Representative Mitchell,
which was adopted by voice vote. The amendment made technical
corrections and added a recommendation from the DOT IG report.
The Committee ordered H.R. 4921, as amended, reported favorably
to the House by voice vote with a quorum present.
COMMITTEE VOTES
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires each committee report to include the
total number of votes cast for and against on each record vote
on a motion to report and on any amendment offered to the
measure or matter, and the names of those members voting for
and against. There were no recorded votes associated with this
bill.
COMMITTEE OVERSIGHT FINDINGS
With respect to the requirements of clause 3(c)(1) of rule
XIII of the Rules of the House of Representatives, the
Committee's oversight findings and recommendations are
reflected in this report.
NEW BUDGET AUTHORITY AND TAX EXPENDITURES
In compliance with clause 3(c)(2) of rule XIII of the Rules
of the House of Representatives, the Committee adopts as its
own the estimate of new budget authority, entitlement
authority, or tax expenditures or revenues contained in the
cost estimate prepared by the Director of the Congressional
Budget Office pursuant to section 402 of the Congressional
Budget Act of 1974, included below.
CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
With respect to the requirement of clause 3(c)(3) of rule
XIII of the Rules of the House of Representatives and section
402 of the Congressional Budget Act of 1974, the Committee has
received the enclosed cost estimate for H.R. 4921, as amended,
from the Director of the Congressional Budget Office:
U.S. Congress,
Congressional Budget Office,
Washington, DC, March 20, 2018.
Hon. Bill Shuster,
Chairman, Committee on Transportation and Infrastructure,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 4921, the STB
Information Security Improvement Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Sarah Puro.
Sincerely,
Keith Hall,
Director.
Enclosure.
H.R. 4921--STB Information Security Improvement Act
H.R. 4921 would require the Surface Transportation Board
(STB) to develop a plan to comply with recommendations made by
the Department of Transportation's inspector general regarding
its information security system. The bill would require the STB
to report annually to the Congress on the status of its
compliance with the inspector general's report.
Under current law, CBO expects that the STB will implement
the inspector general's recommendations regarding its
information security system. The agency has already hired an
employee to manage and implement the plan. As a result, CBO
estimates that implementing the provisions of H.R. 4921 would
have no significant effect on the federal budget over the 2018-
2022 period.
Enacting H.R. 4921 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting H.R. 4921 would not increase
net direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2028.
H.R. 4921 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is Sarah Puro. The
estimate was approved by H. Samuel Papenfuss, Deputy Assistant
Director for Budget Analysis.
PERFORMANCE GOALS AND OBJECTIVES
With respect to the requirement of clause 3(c)(4) of rule
XIII of the Rules of the House of Representatives, the
performance goals and objectives of this legislation are to
ensure adequate information security at the STB. This bill, as
amended, enhances cybersecurity by recommending specific
measures the STB may take to improve information security.
ADVISORY OF EARMARKS
Pursuant to clause 9 of rule XXI of the Rules of the House
of Representatives, the Committee is required to include a list
of congressional earmarks, limited tax benefits, or limited
tariff benefits as defined in clause 9(e), 9(f), and 9(g) of
rule XXI of the Rules of the House of Representatives. No
provision in the bill, as amended, includes an earmark, limited
tax benefit, or limited tariff benefit under clause 9(e), 9(f),
or 9(g) of rule XXI.
DUPLICATION OF FEDERAL PROGRAMS
Pursuant to section 3(g) of H. Res. 5, 114th Cong. (2015),
the Committee finds that no provision of H.R. 4921, as amended,
establishes or reauthorizes a program of the federal government
known to be duplicative of another federal program, a program
that was included in any report from the Government
Accountability Office to Congress pursuant to section 21 of
Public Law 111-139, or a program related to a program
identified in the most recent Catalog of Federal Domestic
Assistance.
DISCLOSURE OF DIRECTED RULE MAKINGS
Pursuant to section 3(i) of H. Res. 5, 113th Cong. (2015),
the Committee estimates that enacting H.R. 4921, as amended,
does not specifically direct the completion of a specific rule
making within the meaning of section 551 of title 5, United
States Code.
FEDERAL MANDATE STATEMENT
The Committee adopts as its own the estimate of federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act (Public Law 104-4).
PREEMPTION CLARIFICATION
Section 423 of the Congressional Budget Act of 1974
requires the report of any Committee on a bill or joint
resolution to include a statement on the extent to which the
bill or joint resolution is intended to preempt state, local,
or tribal law. The Committee states that H.R. 4921, as amended,
does not preempt any state, local, or tribal law. H.R. 4921, as
amended, preserves the rights and permitting authorities of
states.
ADVISORY COMMITTEE STATEMENT
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act are created by this
legislation, as amended.
APPLICABILITY OF LEGISLATIVE BRANCH
The Committee finds that the legislation, as amended, does
not relate to the terms and conditions of employment or access
to public services or accommodations within the meaning of
section 102(b)(3) of the Congressional Accountability Act
(Public Law 104-1).
SECTION-BY-SECTION ANALYSIS OF LEGISLATION
Section 1. Short title
This section designates the short title of the bill as the
``STB Information Security Improvement Act''.
Section 2. Requirements
This section directs the STB to develop a timeline and plan
to implement the recommendations from the DOT IG Report Number
FI2018002.
No later than 180 days after the date of enactment, the STB
must submit the plan and timeline to Congress.
The STB must annually update Congress on its implementation
progress until it is completed.
Section 3. No additional funds authorized
This section lays out that no additional funds are
authorized to carry out the requirements of the bill.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
H.R. 4921 makes no changes to existing law.