Bill > S1990

This bill, the Federal Computer Security Act, requires the Inspector General of each executive agency that operates a federal computer system with access to classified information or personally identifiable information (meaning sensitive personal data like social security numbers) to submit a report. This report, due within 240 days of the bill's enactment, must detail the agency's logical access standards, which are the processes for granting or denying access to information and services, including whether they use multi-factor logical access controls (requiring at least two forms of verification like a password, a physical token, or a biometric scan). If multi-factor controls aren't used, the agency must explain why. The report also needs to describe the agency's data security management practices, such as how they track software and licenses, and whether they've licensed software to monitor and detect threats, or provide reasons for not doing so. Furthermore, agencies must report on their policies to ensure that any entities providing them services also implement these data security practices. Additionally, the Comptroller General, the head of the Government Accountability Office (GAO), will submit a separate report within one year, examining any obstacles to agencies using effective security software and devices. Both reports can include classified annexes but will otherwise be unclassified and available to members of Congress.