Safe and Secure Federal Websites Act of 2017

Safe and Secure Federal Websites Act of 2017

This bill prohibits a federal agency from deploying or making available to the public a new federal personally identifiable information website (new Federal PII Website) until the chief information officer of the agency submits a certification to Congress that the website is fully functional and secure. "New Federal PII website" is defined as a website that: (1) is operated by (or under contract with) an agency; (2) elicits, collects, stores, or maintains personally identifiable information (i.e., information that can be used to identify an individual, such as a social security number, a date and place of birth, a mother's maiden name, biometric records, or other information linked to an individual); and (3) is first made accessible to the public and collects or stores personally identifiable information on or after October 1, 2012.

Beta websites designed for testing and development are exempted if users execute an agreement acknowledging the risks involved.

The Office of Management and Budget (OMB) must establish and oversee policies and procedures for federal agencies to follow in the event of a breach of information security involving the disclosure of personally identifiable information, including: (1) notice, by 72 hours after discovery of a breach or possible breach, to individuals whose personally identifiable information could be compromised as a result of such breach; (2) timely reporting to a federal cybersecurity center designated by this bill; and (3) any additional actions that the OMB finds necessary and appropriate.

The bill requires: (1) agency heads to ensure that agency actions taken in response to a breach comply with OMB policies and procedures established by this bill; and (2) the OMB to report to Congress, by March 1 of each year, on agency compliance with such policies and procedures.