HR 3906 IH
106th CONGRESS
2d Session
H. R. 3906
To ensure that the Department of Energy has appropriate mechanisms to
independently assess the effectiveness of its policy and site performance in the
areas of safeguards and security and cyber security.
IN THE HOUSE OF REPRESENTATIVES
March 14, 2000
Mr. BLILEY (for himself, Mr. UPTON, Mr. BARTON of Texas, and Mr. BURR of
North Carolina) introduced the following bill; which was referred to the
Committee on Commerce, and in addition to the Committees on Armed Services, and
Science, for a period to be subsequently determined by the Speaker, in each case
for consideration of such provisions as fall within the jurisdiction of the
committee concerned.
A BILL
To ensure that the Department of Energy has appropriate mechanisms to
independently assess the effectiveness of its policy and site performance in the
areas of safeguards and security and cyber security.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. OFFICE OF INDEPENDENT SECURITY OVERSIGHT.
(a) OFFICE- The Secretary of Energy shall maintain an Office of
Independent Security Oversight, which shall be headed by a Director appointed
by the Secretary without regard to political affiliation and solely on the
basis of integrity and demonstrated ability in the oversight and evaluation of
security for nuclear and classified programs. The Director shall report
directly to and be under the general supervision of the Secretary, but shall
not report to or be subject to supervision by any other office of the
Department of Energy. The Secretary shall not prevent, prohibit, or delay the
Director from initiating, carrying out, or completing any inspection,
evaluation, or report undertaken pursuant to this Act. Such Office shall be
responsible for carrying out the missions and functions described in
subsections (b) and (c).
(b) SAFEGUARDS AND SECURITY EVALUATIONS-
(1) MISSION- The Office of Independent Security Oversight shall be
responsible for the independent evaluation of the effectiveness of
safeguards and security policies, practices, and programs throughout the
Department of Energy (including the National Nuclear Security
Administration), including protection of special nuclear material,
protection of classified and sensitive information, personnel security, and
foreign visits and assignments. The Office shall develop and validate
reports that identify findings and issues, and make recommendations for
improvement. It also shall perform timely followup reviews to ensure that
corrective actions are effective, and conduct complex-wide studies of
security issues and generic weaknesses in safeguards and security.
(2) FUNCTIONS- The Office of Independent Security Oversight shall
perform the following functions:
(A) Conduct regular evaluations, at least once every 18 months at each
site, of safeguards and security programs at Department of Energy sites
that have significant amounts of special nuclear material, classified
information, or other security interests. The scope of the evaluations
shall include all aspects of safeguards and security, including physical
protection of special nuclear material, accountability of special nuclear
material, protection of classified and sensitive information, personnel
security, and foreign visits and assignments.
(B) Perform regular assessments of nuclear materials assurance at
Department of Energy sites.
(C) Evaluate and assess Department of Energy policies related to
safeguards and security.
(D) Perform timely followup reviews to ensure that corrective actions
are effective.
(E) Perform complex-wide studies of issues and generic weaknesses in
safeguards and security.
(F) Develop and validate reports that identify findings and issues,
and make recommendations for improvement.
(G) Review other government and commercial safeguards and security
programs to provide a benchmark for Department of Energy
performance.
(H) Develop recommendations and opportunities for improving safeguards
and security for submittal to the Secretary.
(I) Any other function the Secretary considers appropriate and
consistent with the mission described in paragraph (1).
(1) MISSION- The Office of Independent Security Oversight shall be
responsible for the independent evaluation of the effectiveness of
classified and unclassified computer security policies and programs
throughout the Department of Energy (including the National Nuclear Security
Administration). This consists of establishing and maintaining a continuous
program for assessing Internet security to include offsite scanning and
controlled penetration attempts to detect vulnerabilities that could be
exploited by hackers. The Office shall also conduct timely followup reviews
to ensure that corrective actions are effective, and perform complex-wide
studies and analyses of events associated with computer security
programs.
(2) FUNCTIONS- The Office of Independent Security Oversight shall
perform the following functions:
(A) Conduct regular evaluations of classified and unclassified
computer security programs at Department of Energy sites, with sites
having significant amounts of special nuclear material, classified
information, or other security interests being evaluated at least once
every 18 months.
(B) Establish and maintain a continuous program for assessing Internet
security to include offsite scanning and controlled penetration attempts
to detect vulnerabilities that could be exploited by hackers and ensure
they are corrected by line management.
(C) Evaluate and assess Department of Energy policies related to
classified and unclassified computer security.
(D) Perform timely followup reviews to ensure that corrective actions
are effective.
(E) Perform complex-wide studies of issues and generic weaknesses in
computer security programs.
(F) Develop and validate reports that identify findings and issues,
and make recommendations for improvement.
(G) Review other government and commercial computer security programs
to provide a benchmark for Department of Energy performance.
(H) Develop recommendations and opportunities for improving cyber
security for submittal to the Secretary.
(I) Any other function the Secretary considers appropriate and
consistent with the mission described in paragraph (1).
SEC. 2. REPORTS TO CONGRESS.
(a) REPORT BY OFFICE- The Office of Independent Security Oversight shall,
before February 15 of each year, transmit to the Secretary of Energy and to
the Congress an unclassified report, with a classified appendix if requested
or necessary, summarizing the activities of the Office during the immediately
preceding calendar year. Such report shall include--
(1) an overview of the status of security at the Department of Energy in
the areas of responsibility of that Office;
(2) a description of significant problems and deficiencies, by site if
applicable, identified in such security areas;
(3) a description of recommendations for corrective action made by the
Office during the reporting period with respect to significant problems or
deficiencies identified pursuant to paragraph (2);
(4) the adequacy of corrective actions, if any, taken by the Department
to address such problems and deficiencies;
(5) an identification of each significant problem or deficiency
described in previous annual reports on which corrective action has not been
effectively completed;
(6) a summary of each significant report made to the Secretary pursuant
to this Act during the reporting period;
(7) a description and explanation of the reasons for any significant
revisions to security policy decisions made during the reporting period;
and
(8) a description of any significant security policy decision with which
the Director is in disagreement.
(b) REPORT BY SECRETARY- The Secretary of Energy shall, before March 15 of
each year, transmit to the Congress an unclassified report, with a classified
appendix if requested or necessary, summarizing the Secretary's response to
the Office's annual report submitted under subsection (a). Such report from
the Secretary shall include--
(1) an identification of each significant problem, deficiency, or
recommendation identified in the Office's annual report with which the
Secretary is in disagreement;
(2) an explanation of the reasons for any failure on the part of the
Department of Energy to complete effectively corrective actions recommended
by the Office in its previous annual reports; and
(3) a description of the Secretary's response to each significant report
made to the Secretary pursuant to this Act during the reporting
period.
(c) PUBLIC AVAILABILITY- Within 60 days after the transmission of the
annual report of the Office of Independent Security Oversight under subsection
(a), the Secretary of Energy shall make copies of the unclassified portions of
such report available to the public upon request and at a reasonable cost.
Within 60 days after the transmission of the annual report of the Secretary
under subsection (b), the Secretary shall make the unclassified portions of
such report available to the public upon request and at a reasonable cost.
(d) SPECIAL REPORTS- The Director of the Office of Independent Security
Oversight shall report immediately to the Secretary of Energy and the Congress
whenever the Director becomes aware of particularly serious or flagrant
problems or deficiencies relating to the security programs, practices, or
operations of the Department of Energy. The Secretary shall, within 7 calendar
days after receiving a report under this subsection, report to Congress on the
corrective actions taken to address such problems.
(e) DIRECT REPORTING- The Director of the Office of Independent Security
Oversight shall report directly to the Congress with respect to those matters
identified in subsections (a) and (d), and the Secretary of Energy shall not
alter, modify, or otherwise change the substance of any such report, nor shall
the Secretary prevent, prohibit, or delay any such report.
(f) CONGRESSIONAL TESTIMONY AND BRIEFINGS- The Director of the Office of
Independent Security Oversight, whenever called to testify before any
Committee of Congress or to brief its Members or staff, shall provide the
Secretary of Energy with advance notice of the subject matter of that
testimony or briefing, but the Secretary shall not alter, modify, or otherwise
change the substance of such testimony or briefing, or prevent, prohibit, or
delay such testimony or briefing.
END