HR 3635, Safe and Secure Federal Websites Act of 2014

Congressional Budget Office estimates that enacting the Safe and Secure Federal Websites Act of 2014 (HR 3635) would have no significant effect on the federal budget.

The legislation would amend federal laws that protect the privacy of personally identifiable information collected by the government. Personally identifiable information includes any information that identifies an individual such as name, Social Security number, and medical or financial records. The legislation would prohibit an agency from deploying a new website until the agency’s Chief Information Officer certifies that all such information is safe and secure.

Existing federal websites would have 90 days following enactment of HR 3635 to comply with this requirement. The legislation also would require the Office of Management and Budget (OMB) to issue policies and procedures for agencies to follow in the event of a security breach of a federal data system that contains personally identifiable information.

OMB’s “Breach Notification Policy” requires all agencies to implement a policy to safeguard personally identifiable information and to provide notification of a security breach. Because laws and policies regarding the security of personally identifiable information are already in place, CBO estimates that the cost of certifying the safety of information collected by federal websites would be less than $500,000 over the next five years.

Enacting the bill could affect direct spending by agencies not funded through annual appropriations; therefore, pay-as-you-go procedures apply. CBO estimates, however, that any net change in spending by those agencies would be negligible. Enacting the bill would not affect revenues.

HR 3635 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would impose no costs on state, local, or tribal governments.