26 November 1999
Source: http://gpo.sailor.lib.md.us/bin/GPOAccess.cgi

-------------------------------------------------------------------------

[Congressional Record: November 19, 1999 (Senate)]
[Page S15090-S15113]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr19no99pt2-212]

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

______

By Mr. THOMPSON (for himself, and Mr. Lieberman):

S. 1993. A bill to reform Government information security by strengthening information security practices throughout the Federal Government; to the Committee on Governmental Affairs.

GOVERNMENT INFORMATION SECURITY ACT OF 1999

Mr. THOMPSON. Mr. President, I rise today to introduce a bill on behalf of myself as chairman of the Governmental Affairs Committee and Senator Lieberman, the Committee's ranking minority member, on an issue of great importance to our committee and the nation--the security of Federal government computer systems.

Over the last decade, the Federal Government, like most private-sector organizations, has become enormously dependent on interconnected computer systems, including the Internet, to support its operations and account for its assets. This explosion in interconnectivity has resulted in many benefits. In particular, it has increased productivity, made enormous amounts of useful information instantly available to millions of people, and contributed to the economic boom of the 1990s. However, the factors that generate these benefits--widely accessible data and instantaneous communication--also increase the risks that information will be misused, possibly to commit fraud or other crimes, or that sensitive information will be inappropriately disclosed. In addition, our government's, as well as our nation's, dependence on this computer support makes it susceptible to devastating disruptions in critical services, as well as in computer-based safety and financial controls.
Such disruptions could be caused by sabotage, natural disasters, or widespread system faults, as illustrated by the Y2K date conversion concerns.

The Governmental Affairs Committee spent considerable time during the last Congress on this issue with a specific emphasis on information security and cyberterrorism. We uncovered and identified failures of information security affecting our international security and vulnerability to domestic and international terrorism. We highlighted our nation's vulnerability to computer attacks--from international and domestic terrorists to crime rings to everyday hackers. We directed GAO to prepare a ``best practices'' guide on computer security for Federal agencies to use, and we asked GAO to study computer security vulnerabilities at several Federal agencies including the Internal Revenue Service, the State Department, the Federal Aviation Administration, the Social Security Administration, and the Veterans' Administration. As a result of its work, GAO identified many specific weaknesses in agency controls and concluded that the underlying cause was inadequate security program planning and management. In particular, agencies were addressing identified weaknesses on a piecemeal basis rather than proactively addressing systemic causes that diminished security effectiveness throughout the agency.

That is not to say that nothing is being done. Many in the executive branch recognize that action is needed to improve Federal information security, and several efforts have been initiated. For example, in May 1998, Presidential Decision Directive (PDD) 63 directed the National Security Council to lead a variety of efforts intended to improve critical infrastructure protection, including protection of Federal agency information infrastructures, and required major agencies to develop plans to protect their own critical computer-based systems.
But despite a flurry of activity in this area and a number of statutes already on the books which deal with the issues, we have concluded that a more complete and meaningful statutory foundation for improvement is needed.

The primary objective of this legislation is to update existing information security statutory requirements to address the management challenges associated with operating in the current interconnected computing environment. We begin where the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 1996 left off. These laws, and the Computer Security Act of 1987, provided the basic framework for managing information security. This legislation which we introduce today will update and clarify existing requirements and responsibilities of Federal agencies in dealing with information security.

The Government Information Security Act:

  Strengthens the Office of Management and Budget's information security duties, consistent with its existing responsibilities under the Paperwork Reduction Act;

  Establishes Federal agency accountability for information security as needed to cost-effectively protect the assets and operations of the agency by creating a set of management requirements derived from GAO ``Best Practices'' audit work;

  Requires agencies to have an annual independent evaluation of their information security programs and practices to assess compliance with authorized requirements and to test effectiveness of information security control techniques;

  Provides for the application of a unified and logical set of governmentwide controls by including national security systems within the application of the legislation; and

  Focuses on the importance of training programs and governmentwide incident handling.

We recognize that these aren't the only things that need to be done. Some have suggested we provide specific standards in the legislation. Others

[[Page S15109]]

have recommended we establish a new position of a National Chief Information Officer.
These and, no doubt, many other proposals will be considered as we debate this important issue. But this legislation is intended as a good first step to better define roles among Federal agencies in order to develop a fully secure government.

I ask unanimous consent that the full text of the bill we are introducing be printed in the Record.

S. 1993

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Government Information Security Act of 1999''.

SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.

Chapter 35 of title 44, United States Code, is amended by inserting at the end the following:

``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3531. Purposes

``The purposes of this subchapter are to--

  ``(1) provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets;

  ``(2)(A) recognize the highly networked nature of the Federal computing environment including the need for Federal Government interoperability and, in the implementation of improved security management measures, assure that opportunities for interoperability are not adversely affected; and

  ``(B) provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;

  ``(3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; and

  ``(4) provide a mechanism for improved oversight of Federal agency information security programs.

``Sec. 3532. Definitions

``(a) Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.
``(b) As used in this subchapter the term `information technology' has the meaning given that term in section 5002 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401).

``Sec. 3533. Authority and functions of the Director

``(a)(1) Consistent with subchapter I, the Director shall establish governmentwide policies for the management of programs that support the cost-effective security of Federal information systems by promoting security as an integral component of each agency's business operations.

``(2) Policies under this subsection shall--

  ``(A) be founded on a continuing risk management cycle that recognizes the need to--

    ``(i) identify, assess, and understand risk; and

    ``(ii) determine security needs commensurate with the level of risk;

  ``(B) implement controls that adequately address the risk;

  ``(C) promote continuing awareness of information security risk;

  ``(D) continually monitor and evaluate policy; and

  ``(E) control effectiveness of information security practices.

``(b) The authority under subsection (a) includes the authority to--

  ``(1) oversee and develop policies, principles, standards, and guidelines for the handling of Federal information and information resources to improve the efficiency and effectiveness of governmental operations, including principles, policies, and guidelines for the implementation of agency responsibilities under applicable law for ensuring the privacy, confidentiality, and security of Federal information;

  ``(2) consistent with the standards and guidelines promulgated under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat. 1729), require Federal agencies to identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency;

  ``(3) direct the heads of agencies to coordinate such agencies and coordinate with industry to--

    ``(A) identify, use, and share best security practices; and

    ``(B) develop voluntary consensus-based standards for security controls, in a manner consistent with section 2(b)(13) of the National Institute of Standards and Technology Act (15 U.S.C. 272(b)(13));

  ``(4) oversee the development and implementation of standards and guidelines relating to security controls for Federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3);

  ``(5) oversee and coordinate compliance with this section in a manner consistent with--

    ``(A) sections 552 and 552a of title 5;

    ``(B) sections 20 and 21 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3 and 278g-4);

    ``(C) section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);

    ``(D) sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat. 1729); and

    ``(E) related information management laws; and

  ``(6) take any authorized action that the Director considers appropriate, including any action involving the budgetary process or appropriations management process, to enforce accountability of the head of an agency for information resources management and for the investments made by the agency in information technology, including--

    ``(A) recommending a reduction or an increase in any amount for information resources that the head of the agency proposes for the budget submitted to Congress under section 1105(a) of title 31;

    ``(B) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources; and

    ``(C) using other authorized administrative controls over appropriations to restrict the availability of funds for information resources.

``(c) The authority under this section may be delegated only to the Deputy Director for Management of the Office of Management and Budget.

``Sec. 3534. Federal agency responsibilities

``(a) The head of each agency shall--

  ``(1) be responsible for--

    ``(A) adequately protecting the integrity, confidentiality, and availability of information and information systems supporting agency operations and assets; and

    ``(B) developing and implementing information security policies, procedures, and control techniques sufficient to afford security protections commensurate with the risk and magnitude of the harm resulting from unauthorized disclosure, disruption, modification, or destruction of information collected or maintained by or for the agency;

  ``(2) ensure that each senior program manager is responsible for--

    ``(A) assessing the information security risk associated with the operations and assets of such manager;

    ``(B) determining the levels of information security appropriate to protect the operations and assets of such manager; and

    ``(C) periodically testing and evaluating information security controls and techniques;

  ``(3) delegate to the agency Chief Information Officer established under section 3506, or a comparable official in an agency not covered by such section, the authority to administer all functions under this subchapter including--

    ``(A) designating a senior agency information security officer;

    ``(B) developing and maintaining an agencywide information security program as required under subsection (b);

    ``(C) ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;

    ``(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and

    ``(E) assisting senior program managers concerning responsibilities under paragraph (2);

  ``(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and

  ``(5) ensure that the agency Chief Information Officer, in coordination with senior program managers, periodically--

    ``(A)(i) evaluates the effectiveness of the agency information security program, including testing control techniques; and

    ``(ii) implements appropriate remedial actions based on that evaluation; and

    ``(B) reports to the agency head on--

      ``(i) the results of such tests and evaluations; and

      ``(ii) the progress of remedial actions.

``(b)(1) Each agency shall develop and implement an agencywide information security program to provide information security for the operations and assets of the agency, including information security provided or managed by another agency.
``(2) Each program under this subsection shall include--

  ``(A) periodic assessments of information security risks that consider internal and external threats to--

    ``(i) the integrity, confidentiality, and availability of systems; and

    ``(ii) data supporting critical operations and assets;

  ``(B) policies and procedures that--

    ``(i) are based on the risk assessments required under paragraph (1) that cost-effectively reduce information security risks to an acceptable level; and

    ``(ii) ensure compliance with--

      ``(I) the requirements of this subchapter;

      ``(II) policies and procedures as may be prescribed by the Director; and

      ``(III) any other applicable requirements;

  ``(C) security awareness training to inform personnel of--

    ``(i) information security risks associated with personnel activities; and

[[Page S15110]]

    ``(ii) responsibilities of personnel in complying with agency policies and procedures designed to reduce such risks;

  ``(D)(i) periodic management testing and evaluation of the effectiveness of information security policies and procedures; and

    ``(ii) a process for ensuring remedial action to address any deficiencies; and

  ``(E) procedures for detecting, reporting, and responding to security incidents, including--

    ``(i) mitigating risks associated with such incidents before substantial damage occurs;

    ``(ii) notifying and consulting with law enforcement officials and other offices and authorities; and

    ``(iii) notifying and consulting with an office designated by the Administrator of General Services within the General Services Administration.

``(3) Each program under this subsection is subject to the approval of the Director and is required to be reviewed at least annually by agency program officials in consultation with the Chief Information Officer.
``(c)(1) Each agency shall examine the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to--

  ``(A) annual agency budgets;

  ``(B) information resources management under the Paperwork Reduction Act of 1995 (44 U.S.C. 101 note);

  ``(C) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 through 2805 of title 39; and

  ``(D) financial management under--

    ``(i) chapter 9 of title 31, United States Code, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act);

    ``(ii) the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note) (and the amendments made by that Act); and

    ``(iii) the internal controls conducted under section 3512 of title 31.

``(2) Any deficiency in a policy, procedure, or practice identified under paragraph (1) shall be reported as a material weakness in reporting required under the applicable provision of law under paragraph (1).

``Sec. 3535. Annual independent evaluation

``(a)(1) Each year each agency shall have an independent evaluation performed of the information security program and practices of that agency.

``(2) Each evaluation under this section shall include--

  ``(A) an assessment of compliance with--

    ``(i) the requirements of this subchapter; and

    ``(ii) related information security policies, procedures, standards, and guidelines; and

  ``(B) tests of the effectiveness of information security control techniques.

``(b)(1) For agencies with Inspectors General appointed under the Inspector General Act of 1978 (5 U.S.C. App.), annual evaluations required under this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency.

``(2) For any agency to which paragraph (1) does not apply, the head of the agency shall contract with an independent external auditor to perform the evaluation.
``(3) An evaluation of agency information security programs and practices performed by the Comptroller General may be in lieu of the evaluation required under this section.

``(c) Not later than March 1, 2001, and every March 1 thereafter, the results of an evaluation required under this section shall be submitted to the Director.

``(d) Each year the Comptroller General shall--

  ``(1) review the evaluations required under this section and other information security evaluation results; and

  ``(2) report to Congress regarding the adequacy of agency information programs and practices.

``(e) Agencies and auditors shall take appropriate actions to ensure the protection of information, the disclosure of which may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws.''.

SEC. 3. RESPONSIBILITIES OF CERTAIN AGENCIES.

(a) Department of Commerce.--The Secretary of Commerce, through the National Institute of Standards and Technology and with technical assistance from the National Security Agency, shall--

  (1) develop, issue, review, and update standards and guidance for the security of information in Federal computer systems, including development of methods and techniques for security systems and validation programs;

  (2) develop, issue, review, and update guidelines for training in computer security awareness and accepted computer security practices, with assistance from the Office of Personnel Management;

  (3) provide agencies with guidance for security planning to assist in the development of applications and system security plans for such agencies;

  (4) provide guidance and assistance to agencies concerning cost-effective controls when interconnecting with other systems; and

  (5) evaluate information technologies to assess security vulnerabilities and alert Federal agencies of such vulnerabilities.
(b) Department of Justice.--The Department of Justice shall review and update guidance to agencies on--

  (1) legal remedies regarding security incidents and ways to report to and work with law enforcement agencies concerning such incidents; and

  (2) permitted uses of security techniques and technologies.

(c) General Services Administration.--The General Services Administration shall--

  (1) review and update General Services Administration guidance to agencies on addressing security considerations when acquiring information technology; and

  (2) assist agencies in the acquisition of cost-effective security products, services, and incident response capabilities.

(d) Office of Personnel Management.--The Office of Personnel Management shall--

  (1) review and update Office of Personnel Management regulations concerning computer security training for Federal civilian employees; and

  (2) assist the Department of Commerce in updating and maintaining guidelines for training in computer security awareness and computer security best practices.

SEC. 4. TECHNICAL AND CONFORMING AMENDMENTS.

(a) In General.--Chapter 35 of title 44, United States Code, is amended--

  (1) in the table of sections--

    (A) by inserting after the chapter heading the following:

``SUBCHAPTER I--FEDERAL INFORMATION POLICY'';

    and

    (B) by inserting after the item relating to section 3520 the following:

``SUBCHAPTER II--INFORMATION SECURITY

``Sec.
``3531. Purposes.
``3532. Definitions.
``3533. Authority and functions of the Director.
``3534. Federal agency responsibilities.
``3535. Annual independent evaluation.'';

    and

  (2) by inserting before section 3501 the following:

``SUBCHAPTER I--FEDERAL INFORMATION POLICY''.
(b) References to Chapter 35.--Chapter 35 of title 44, United States Code, is amended--

  (1) in section 3501--

    (A) in the matter preceding paragraph (1), by striking ``chapter'' and inserting ``subchapter''; and

    (B) in paragraph (11), by striking ``chapter'' and inserting ``subchapter'';

  (2) in section 3502, in the matter preceding paragraph (1), by striking ``chapter'' and inserting ``subchapter'';

  (3) in section 3503, in subsection (b), by striking ``chapter'' and inserting ``subchapter'';

  (4) in section 3504--

    (A) in subsection (a)(2), by striking ``chapter'' and inserting ``subchapter'';

    (B) in subsection (d)(2), by striking ``chapter'' and inserting ``subchapter''; and

    (C) in subsection (f)(1), by striking ``chapter'' and inserting ``subchapter'';

  (5) in section 3505--

    (A) in subsection (a), in the matter preceding paragraph (1), by striking ``chapter'' and inserting ``subchapter'';

    (B) in subsection (a)(2), by striking ``chapter'' and inserting ``subchapter''; and

    (C) in subsection (a)(3)(B)(iii), by striking ``chapter'' and inserting ``subchapter'';

  (6) in section 3506--

    (A) in subsection (a)(1)(B), by striking ``chapter'' and inserting ``subchapter'';

    (B) in subsection (a)(2)(A), by striking ``chapter'' and inserting ``subchapter'';

    (C) in subsection (a)(2)(B), by striking ``chapter'' and inserting ``subchapter'';

    (D) in subsection (a)(3)--

      (i) in the first sentence, by striking ``chapter'' and inserting ``subchapter''; and

      (ii) in the second sentence, by striking ``chapter'' and inserting ``subchapter'';

    (E) in subsection (b)(4), by striking ``chapter'' and inserting ``subchapter'';

    (F) in subsection (c)(1), by striking ``chapter, to'' and inserting ``subchapter, to''; and

    (G) in subsection (c)(1)(A), by striking ``chapter'' and inserting ``subchapter'';

  (7) in section 3507--

    (A) in subsection (e)(3)(B), by striking ``chapter'' and inserting ``subchapter'';

    (B) in subsection (h)(2)(B), by striking ``chapter'' and inserting ``subchapter'';

    (C) in subsection (h)(3), by striking ``chapter'' and inserting ``subchapter'';

    (D) in subsection (j)(1)(A)(i), by striking ``chapter'' and inserting ``subchapter'';

    (E) in subsection (j)(1)(B), by striking ``chapter'' and inserting ``subchapter''; and

    (F) in subsection (j)(2), by striking ``chapter'' and inserting ``subchapter'';

  (8) in section 3509, by striking ``chapter'' and inserting ``subchapter'';

  (9) in section 3512--

    (A) in subsection (a), by striking ``chapter if'' and inserting ``subchapter if''; and

    (B) in subsection (a)(1), by striking ``chapter'' and inserting ``subchapter'';

  (10) in section 3514--

    (A) in subsection (a)(1)(A), by striking ``chapter'' and inserting ``subchapter''; and

    (B) in subsection (a)(2)(A)(ii), by striking ``chapter'' and inserting ``subchapter'' each place it appears;

  (11) in section 3515, by striking ``chapter'' and inserting ``subchapter'';

  (12) in section 3516, by striking ``chapter'' and inserting ``subchapter'';

  (13) in section 3517(b), by striking ``chapter'' and inserting ``subchapter'';

  (14) in section 3518--

    (A) in subsection (a), by striking ``chapter'' and inserting ``subchapter'' each place it appears;

[[Page S15111]]

    (B) in subsection (b), by striking ``chapter'' and inserting ``subchapter'';

    (C) in subsection (c)(1), by striking ``chapter'' and inserting ``subchapter'';

    (D) in subsection (c)(2), by striking ``chapter'' and inserting ``subchapter'';

    (E) in subsection (d), by striking ``chapter'' and inserting ``subchapter''; and

    (F) in subsection (e), by striking ``chapter'' and inserting ``subchapter''; and

  (15) in section 3520, by striking ``chapter'' and inserting ``subchapter''.

SEC. 5. EFFECTIVE DATE.

This Act and the amendments made by this Act shall take effect 30 days after the date of enactment of this Act.

Mr. LIEBERMAN. Mr. President, I am pleased to join today with Senator Thompson in introducing the Government Information Security Act of 1999.
This bill would put a management structure in place for the implementation of risk-based computer security measures across the government. We are introducing this bill in the closing days of this session with the hope that it will serve as the basis for launching a discussion about the most effective ways to improve government's approach to computer security. We invite and look forward to comments from government agencies, industry and academic experts, think tanks and others who have been involved in this field.

Like the rest of the nation, the government is increasingly dependent on computer and other electronic information systems to collect, analyze and preserve important data and perform vital tasks. Government computer systems are rife with sensitive information pertaining to the fundamentals of our existence--our national security, the strength of our economy, transportation and communications systems, and the personal lives of millions of individual citizens. The Department of Defense and other national security agencies control our weapons of mass destruction and track the offensive movements of enemy states through complex computer programs; the Internal Revenue Service maintains automated systems of wage information on every working American; the Federal Reserve calculates key economic indicators electronically and the Center for Disease Control relies on computers to track threats to the nation's public health. And yet, this computer-reliant infrastructure is frighteningly vulnerable to exploitation not only by trouble-makers and professional hackers but by organized crime and international terrorists. Indeed, a disruption of our communications, transportation and energy sectors could prove as destructive as any conventional weapons attack to our ability to defend our privacy, our safety, even our freedom.
Indeed, witnesses before the Governmental Affairs Committee last Congress testified that the government's reliance on computer systems is not matched by a concomitant growth in the security of those systems. A series of Government Accounting Office studies found government computer security so lax that it landed on the GAO's list of ``high risk'' government programs. For example, this year, GAO reported that one of its test teams gained access to mission critical computer systems at NASA which would have allowed the team to control spacecraft or alter data returned from space. In May 1998, the GAO was able to gain unauthorized access to the State Department's networks which would have enabled GAO to modify, delete or download important data and shutdown services. And the GAO reported in September 1998 that inadequate information system controls by the Veterans Administration threatened the disruption or misuse of service delivery to the men and women who have fought our wars.

Less significant on a global scale, but of utmost concern to individual citizens is the extent to which inadequate security leaves personal information, and therefore people, vulnerable to exposure and exploitation. Our legislation will address personal information maintained by the government such as benefits and tax data and demographics culled from personal information we supply to the Census Bureau.

While the GAO's work is compelling, I am convinced by two other developments that legislation in this area needs to be addressed quickly. First, we have been intensely focused throughout the year on fixing the computer problems associated with Y2K. Ensuring that the information our government collects and produces is secure may seem similar to the Y2K issue because both reflect our dependency on computers and their vulnerability to programming failures and outside disruptions.
The need for secure government computer systems, however, will not disappear in the first days and weeks of the year 2000. Indeed, it will be with us until we have a structure within the government dedicated to fixing these problems.

Second, we have spent significant time this session digging into the Los Alamos National Laboratory espionage scandal and allegations that an employee improperly downloaded classified material to an unclassified computer. The Energy and Justice Departments are still looking into this breach of security, but it should focus everyone's attention on the vulnerability associated with extensive reliance on computers and the undeniable need for improvements in how we manage and secure these systems.

Mr. President, the goal of the bill we are introducing today is to protect the integrity, confidentiality and availability of information and ensure that critical improvements in the management of our computer security system take place. Specifically, our bill would:

  Require high-level accountability. The Director of the Office of Management and Budget will be accountable for overseeing policy while the agency heads will be accountable for developing specific security plans.

  Require agency heads to develop and implement security plans and policies based on the appropriate level of risk for the different types of information the agency maintains. We need to ensure that each agency's plan reflects an understanding that computer security must be an integral part of the development process for any new system. Agencies now tend to develop a system and consider security issues only as an afterthought, if at all.

  Establish an ongoing, periodic reporting, testing and evaluation process to gauge the effectiveness of the policies and procedures. This would be accomplished through agency budgets, program performance and financial management.

  Require an independent, annual audit of all information security practices and programs within an agency.
The audit would be conducted either by the agency's Inspector General, GAO or an independent external auditor. GAO has told us that an audit requirement is essential to monitoring agencies' management of information security and to ensure that these systems are kept current.

  Require that agencies report unauthorized intrusions into government systems. GSA currently has a program where agencies can report and seek help to respond to intrusions into their information systems and share information concerning common vulnerabilities and threats. Our bill would require agencies to use this reporting and monitoring system.

Mr. President, the provisions of this bill would apply to all information, including classified and unclassified information maintained on civilian and national security systems. We are also considering whether the bill's provisions should apply to government owned, contractor operated facilities including laboratories engaged in national defense research. We look forward to discussions with the defense and intelligence communities on how best to address these issues.

There are a number of areas we have not addressed, and I welcome comments on how best to handle these areas. For example:

  We need to ensure that computer security systems will not interfere with the ability of agencies to share data and communicate with each other and the rest of the world. The new era of ``e-business'' and ``e-government'' holds untold opportunities for improving government efficiency, and that's something we want to encourage.

  The government needs to rapidly and safely increase the number of trained technical information security professionals. There is a range of approaches to addressing this need, including incentives to universities to train more people in this area; contracting out to the private sector; establishing a CyberCorps at universities based on the ROTC model; or establishing special career designations for personnel specializing in computer security.
[[Page S15112]]

  We should consider whether current technology will meet the government's computer security needs or whether we need to develop incentives for technology development. A Presidential advisory committee is developing recommendations based on a national laboratory model to conduct research and development of security technology with a possible secondary focus on testing.

  We are interested in exploring whether provisions in this bill addressing risk and technology standards, which are now voluntary, consensus-based standards, should be issued as minimum mandatory requirements for successive levels of risk.

  And we will also consider issues relating to budgetary needs, privacy requirements, performance measures and how best to coordinate information security and management within the federal government.

Mr. President, I expect what we have proposed will generate a hearty debate. As I have said, I consider this bill a work in progress, so I look forward to hearing from a wide range of interested parties and to working with the Chairman to craft the best possible legislation to protect the integrity and the confidentiality of the government's vast storehouse of information.

____________________