Most commented sections:

• Paragraph 55 (1 comments)

HR 5548 IHCommentsClose CommentsPermalink

To amend the Homeland Security Act of 2002 and other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States.CommentsClose CommentsPermalink

June 16, 2010CommentsClose CommentsPermalink

Ms. HARMAN (for herself and Mr. KING of New York) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Homeland Security, Select Intelligence (Permanent Select), Armed Services, the Judiciary, and Education and Labor, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concernedCommentsClose CommentsPermalink

To amend the Homeland Security Act of 2002 and other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States.CommentsClose CommentsPermalink

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,CommentsClose CommentsPermalink

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘Protecting Cyberspace as a National Asset Act of 2010’.CommentsClose CommentsPermalink

SEC. 2. TABLE OF CONTENTS.

The table of contents for this Act is as follows:CommentsClose CommentsPermalink





Sec. 1. Short title.CommentsClose CommentsPermalink





Sec. 2. Table of contents.CommentsClose CommentsPermalink





Sec. 3. Definitions.CommentsClose CommentsPermalink

TITLE I--OFFICE OF CYBERSPACE POLICY

Sec. 101. Establishment of the Office of Cyberspace Policy.CommentsClose CommentsPermalink





Sec. 102. Appointment and responsibilities of the Director.CommentsClose CommentsPermalink





Sec. 103. Prohibition on political campaigning.CommentsClose CommentsPermalink





Sec. 104. Review of Federal agency budget requests relating to the National Strategy.CommentsClose CommentsPermalink





Sec. 105. Access to intelligence.CommentsClose CommentsPermalink





Sec. 106. Consultation.CommentsClose CommentsPermalink





Sec. 107. Reports to Congress.CommentsClose CommentsPermalink

TITLE II--NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS

Sec. 201. Cybersecurity.CommentsClose CommentsPermalink

TITLE III--FEDERAL INFORMATION SECURITY MANAGEMENT

Sec. 301. Coordination of Federal information policy.CommentsClose CommentsPermalink

TITLE IV--RECRUITMENT AND PROFESSIONAL DEVELOPMENT

Sec. 401. Definitions.CommentsClose CommentsPermalink





Sec. 402. Assessment of cybersecurity workforce.CommentsClose CommentsPermalink





Sec. 403. Strategic cybersecurity workforce planning.CommentsClose CommentsPermalink





Sec. 404. Cybersecurity occupation classifications.CommentsClose CommentsPermalink





Sec. 405. Measures of cybersecurity hiring effectiveness.CommentsClose CommentsPermalink





Sec. 406. Training and education.CommentsClose CommentsPermalink





Sec. 407. Cybersecurity incentives.CommentsClose CommentsPermalink





Sec. 408. Recruitment and retention program for the National Center for Cybersecurity and Communications.CommentsClose CommentsPermalink

TITLE V--OTHER PROVISIONS

Sec. 501. Consultation on cybersecurity matters.CommentsClose CommentsPermalink





Sec. 502. Cybersecurity research and development.CommentsClose CommentsPermalink





Sec. 503. Prioritized critical information infrastructure.CommentsClose CommentsPermalink





Sec. 504. National Center for Cybersecurity and Communications acquisition authorities.CommentsClose CommentsPermalink





Sec. 505. Technical and conforming amendments.CommentsClose CommentsPermalink

SEC. 3. DEFINITIONS.

In this Act:CommentsClose CommentsPermalink





(1) APPROPRIATE CONGRESSIONAL COMMITTEES- The term ‘appropriate congressional committees’ means--CommentsClose CommentsPermalink





(A) the Committee on Homeland Security and Governmental Affairs of the Senate;CommentsClose CommentsPermalink





(B) the Committee on Homeland Security of the House of Representatives;CommentsClose CommentsPermalink





(C) the Committee on Oversight and Government Reform of the House of Representatives; andCommentsClose CommentsPermalink





(D) any other congressional committee with jurisdiction over the particular matter.CommentsClose CommentsPermalink





(2) CRITICAL INFRASTRUCTURE- The term ‘critical infrastructure’ has the meaning given that term in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).CommentsClose CommentsPermalink





(3) CYBERSPACE- The term ‘cyberspace’ means the interdependent network of information infrastructure, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.CommentsClose CommentsPermalink





(4) DIRECTOR- The term ‘Director’ means the Director of Cyberspace Policy established under section 101.CommentsClose CommentsPermalink





(5) FEDERAL AGENCY- The term ‘Federal agency’--CommentsClose CommentsPermalink





(A) means any executive department, Government corporation, Government-controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; andCommentsClose CommentsPermalink





(B) does not include the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions.CommentsClose CommentsPermalink





(6) FEDERAL INFORMATION INFRASTRUCTURE- The term ‘Federal information infrastructure’--CommentsClose CommentsPermalink





(A) means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; andCommentsClose CommentsPermalink





(B) does not include--CommentsClose CommentsPermalink





(i) a national security system; orCommentsClose CommentsPermalink





(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community.CommentsClose CommentsPermalink





(7) INCIDENT- The term ‘incident’ means an occurrence that--CommentsClose CommentsPermalink





(A) actually or potentially jeopardizes--CommentsClose CommentsPermalink





(i) the information security of information infrastructure; orCommentsClose CommentsPermalink





(ii) the information that information infrastructure processes, stores, receives, or transmits; orCommentsClose CommentsPermalink





(B) constitutes a violation or threat of violation of security policies, security procedures, or acceptable use policies applicable to information infrastructure.CommentsClose CommentsPermalink





(8) INFORMATION INFRASTRUCTURE- The term ‘information infrastructure’ means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.CommentsClose CommentsPermalink





(9) INFORMATION SECURITY- The term ‘information security’ means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--CommentsClose CommentsPermalink





(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;CommentsClose CommentsPermalink





(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; andCommentsClose CommentsPermalink





(C) availability, by ensuring timely and reliable access to and use of information.CommentsClose CommentsPermalink





(10) INFORMATION TECHNOLOGY- The term ‘information technology’ has the meaning given that term in section 11101 of title 40, United States Code.CommentsClose CommentsPermalink





(11) INTELLIGENCE COMMUNITY- The term ‘intelligence community’ has the meaning given that term under section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)).CommentsClose CommentsPermalink





(12) KEY RESOURCES- The term ‘key resources’ has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).CommentsClose CommentsPermalink





(13) NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS- The term ‘National Center for Cybersecurity and Communications’ means the National Center for Cybersecurity and Communications established under section 242(a) of the Homeland Security Act of 2002, as added by this Act.CommentsClose CommentsPermalink





(14) NATIONAL INFORMATION INFRASTRUCTURE- The term ‘national information infrastructure’ means information infrastructure--CommentsClose CommentsPermalink





(A)(i) that is owned, operated, or controlled within or from the United States; orCommentsClose CommentsPermalink





(ii) if located outside the United States, the disruption of which could result in national or regional catastrophic damage in the United States; andCommentsClose CommentsPermalink





(B) that is not owned, operated, controlled, or licensed for use by a Federal agency.CommentsClose CommentsPermalink





(15) NATIONAL SECURITY SYSTEM- The term ‘national security system’ has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.CommentsClose CommentsPermalink





(16) NATIONAL STRATEGY- The term ‘National Strategy’ means the national strategy to increase the security and resiliency of cyberspace developed under section 101(a)(1).CommentsClose CommentsPermalink





(17) OFFICE- The term ‘Office’ means the Office of Cyberspace Policy established under section 101.CommentsClose CommentsPermalink





(18) RISK- The term ‘risk’ means the potential for an unwanted outcome resulting from an incident, as determined by the likelihood of the occurrence of the incident and the associated consequences, including potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident.CommentsClose CommentsPermalink





(19) RISK-BASED SECURITY- The term ‘risk-based security’ has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.CommentsClose CommentsPermalink

TITLE I--OFFICE OF CYBERSPACE POLICYCommentsClose CommentsPermalink

SEC. 101. ESTABLISHMENT OF THE OFFICE OF CYBERSPACE POLICY.

(a) Establishment of Office- There is established in the Executive Office of the President an Office of Cyberspace Policy which shall--CommentsClose CommentsPermalink





(1) develop, not later than 1 year after the date of enactment of this Act, and update as needed, but not less frequently than once every 2 years, a national strategy to increase the security and resiliency of cyberspace, that includes goals and objectives relating to--CommentsClose CommentsPermalink





(A) computer network operations, including offensive activities, defensive activities, and other activities;CommentsClose CommentsPermalink





(B) information assurance;CommentsClose CommentsPermalink





(C) protection of critical infrastructure and key resources;CommentsClose CommentsPermalink





(D) research and development priorities;CommentsClose CommentsPermalink





(E) law enforcement;CommentsClose CommentsPermalink





(F) diplomacy;CommentsClose CommentsPermalink





(G) homeland security; andCommentsClose CommentsPermalink





(H) military and intelligence activities;CommentsClose CommentsPermalink





(2) oversee, coordinate, and integrate all policies and activities of the Federal Government across all instruments of national power relating to ensuring the security and resiliency of cyberspace, including--CommentsClose CommentsPermalink





(A) diplomatic, economic, military, intelligence, homeland security, and law enforcement policies and activities within and among Federal agencies; andCommentsClose CommentsPermalink





(B) offensive activities, defensive activities, and other policies and activities necessary to ensure effective capabilities to operate in cyberspace;CommentsClose CommentsPermalink





(3) ensure that all Federal agencies comply with appropriate guidelines, policies, and directives from the Department of Homeland Security, other Federal agencies with responsibilities relating to cyberspace security or resiliency, and the National Center for Cybersecurity and Communications; andCommentsClose CommentsPermalink





(4) ensure that Federal agencies have access to, receive, and appropriately disseminate law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) relevant to--CommentsClose CommentsPermalink





(A) the security of the Federal information infrastructure or the national information infrastructure; andCommentsClose CommentsPermalink





(B) the security of--CommentsClose CommentsPermalink





(i) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; orCommentsClose CommentsPermalink





(ii) a national security system.CommentsClose CommentsPermalink





(b) Director of Cyberspace Policy-CommentsClose CommentsPermalink





(1) IN GENERAL- There shall be a Director of Cyberspace Policy, who shall be the head of the Office.CommentsClose CommentsPermalink





(2) EXECUTIVE SCHEDULE POSITION- Section 5312 of title 5, United States Code, is amended by adding at the end the following:CommentsClose CommentsPermalink





‘Director of Cyberspace Policy.’.CommentsClose CommentsPermalink

SEC. 102. APPOINTMENT AND RESPONSIBILITIES OF THE DIRECTOR.

(a) Appointment-CommentsClose CommentsPermalink





(1) IN GENERAL- The Director shall be appointed by the President, by and with the advice and consent of the Senate.CommentsClose CommentsPermalink





(2) QUALIFICATIONS- The President shall appoint the Director from among individuals who have demonstrated ability and knowledge in information technology, cybersecurity, and the operations, security, and resiliency of communications networks.CommentsClose CommentsPermalink





(3) PROHIBITION- No person shall serve as Director while serving in any other position in the Federal Government.CommentsClose CommentsPermalink





(b) Responsibilities- The Director shall--CommentsClose CommentsPermalink





(1) advise the President regarding the establishment of policies, goals, objectives, and priorities for securing the information infrastructure of the Nation;CommentsClose CommentsPermalink





(2) advise the President and other entities within the Executive Office of the President regarding mechanisms to build, and improve the resiliency and efficiency of, the information and communication industry of the Nation, in collaboration with the private sector, while promoting national economic interests;CommentsClose CommentsPermalink





(3) work with Federal agencies to--CommentsClose CommentsPermalink





(A) oversee, coordinate, and integrate the implementation of the National Strategy, including coordination with--CommentsClose CommentsPermalink





(i) the Department of Homeland Security;CommentsClose CommentsPermalink





(ii) the Department of Defense;CommentsClose CommentsPermalink





(iii) the Department of Commerce;CommentsClose CommentsPermalink





(iv) the Department of State;CommentsClose CommentsPermalink





(v) the Department of Justice;CommentsClose CommentsPermalink





(vi) the Department of Energy;CommentsClose CommentsPermalink





(vii) through the Director of National Intelligence, the intelligence community; andCommentsClose CommentsPermalink





(viii) and any other Federal agency with responsibilities relating to the National Strategy; andCommentsClose CommentsPermalink





(B) resolve any disputes that arise between Federal agencies relating to the National Strategy or other matters within the responsibility of the Office;CommentsClose CommentsPermalink





(4) if the policies or activities of a Federal agency are not in compliance with the responsibilities of the Federal agency under the National Strategy--CommentsClose CommentsPermalink





(A) notify the Federal agency;CommentsClose CommentsPermalink





(B) transmit a copy of each notification under subparagraph (A) to the President and the appropriate congressional committees; andCommentsClose CommentsPermalink





(C) coordinate the efforts to bring the Federal agency into compliance;CommentsClose CommentsPermalink





(5) ensure the adequacy of protections for privacy and civil liberties in carrying out the responsibilities of the Director under this title, including through consultation with the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee);CommentsClose CommentsPermalink





(6) upon reasonable request, appear before any duly constituted committees of the Senate or of the House of Representatives;CommentsClose CommentsPermalink





(7) recommend to the Office of Management and Budget or the head of a Federal agency actions (including requests to Congress relating to the reprogramming of funds) that the Director determines are necessary to ensure risk-based security of--CommentsClose CommentsPermalink





(A) the Federal information infrastructure;CommentsClose CommentsPermalink





(B) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; orCommentsClose CommentsPermalink





(C) a national security system;CommentsClose CommentsPermalink





(8) advise the Administrator of the Office of E-Government and Information Technology and the Administrator of the Office of Information and Regulatory Affairs on the development, and oversee the implementation, of policies, principles, standards, guidelines, and budget priorities for information technology functions and activities of the Federal Government;CommentsClose CommentsPermalink





(9) coordinate and ensure, to the maximum extent practicable, that the standards and guidelines developed for national security systems and the standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) are complementary and unified;CommentsClose CommentsPermalink





(10) in consultation with the Administrator of the Office of Information and Regulatory Affairs, coordinate efforts of Federal agencies relating to the development of regulations, rules, requirements, or other actions applicable to the national information infrastructure to ensure, to the maximum extent practicable, that the efforts are complementary;CommentsClose CommentsPermalink





(11) coordinate the activities of the Office of Science and Technology Policy, the National Economic Council, the Office of Management and Budget, the National Security Council, the Homeland Security Council, and the United States Trade Representative related to the National Strategy and other matters within the purview of the Office; andCommentsClose CommentsPermalink





(12) as assigned by the President, other duties relating to the security and resiliency of cyberspace.CommentsClose CommentsPermalink

SEC. 103. PROHIBITION ON POLITICAL CAMPAIGNING.

Section 7323(b)(2)(B) of title 5, United States Code, is amended--CommentsClose CommentsPermalink





(1) in clause (i), by striking ‘or’ at the end;CommentsClose CommentsPermalink





(2) in clause (ii), by striking the period at the end and inserting ‘; or’; andCommentsClose CommentsPermalink





(3) by adding at the end the following:CommentsClose CommentsPermalink





‘(iii) notwithstanding the exception under subparagraph (A) (relating to an appointment made by the President, by and with the advice and consent of the Senate), the Director of Cyberspace Policy.’.CommentsClose CommentsPermalink

SEC. 104. REVIEW OF FEDERAL AGENCY BUDGET REQUESTS RELATING TO THE NATIONAL STRATEGY.

(a) In General- For each fiscal year, the head of each Federal agency shall transmit to the Director a copy of any portion of the budget of the Federal agency intended to implement the National Strategy at the same time as that budget request is submitted to the Office of Management and Budget in the preparation of the budget of the President submitted to Congress under section 1105 (a) of title 31, United States Code.CommentsClose CommentsPermalink





(b) Timely Submissions- The head of each Federal agency shall ensure the timely development and submission to the Director of each proposed budget under this section, in such format as may be designated by the Director with the concurrence of the Director of the Office of Management and Budget.CommentsClose CommentsPermalink





(c) Adequacy of the Proposed Budget Requests- With the assistance of, and in coordination with, the Office of E-Government and Information Technology and the National Center for Cybersecurity and Communications, the Director shall review each budget submission to assess the adequacy of the proposed request with regard to implementation of the National Strategy.CommentsClose CommentsPermalink





(d) Inadequate Budget Requests- If the Director concludes that a budget request submitted under subsection (a) is inadequate, in whole or in part, to implement the objectives of the National Strategy, the Director shall submit to the Director of the Office of Management and Budget and the head of the Federal agency submitting the budget request a written description of funding levels and specific initiatives that would, in the determination of the Director, make the request adequate.CommentsClose CommentsPermalink

SEC. 105. ACCESS TO INTELLIGENCE.

The Director shall have access to law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) that is obtained by, or in the possession of, any Federal agency that the Director determines relevant to the security of--CommentsClose CommentsPermalink





(1) the Federal information infrastructure;CommentsClose CommentsPermalink





(2) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;CommentsClose CommentsPermalink





(3) a national security system; orCommentsClose CommentsPermalink





(4) national information infrastructure.CommentsClose CommentsPermalink

SEC. 106. CONSULTATION.

(a) In General- The Director may consult and obtain recommendations from, as needed, such Presidential and other advisory entities as the Director determines will assist in carrying out the mission of the Office, including--CommentsClose CommentsPermalink





(1) the National Security Telecommunications Advisory Committee;CommentsClose CommentsPermalink





(2) the National Infrastructure Advisory Council;CommentsClose CommentsPermalink





(3) the Privacy and Civil Liberties Oversight Board;CommentsClose CommentsPermalink





(4) the President’s Intelligence Advisory Board;CommentsClose CommentsPermalink





(5) the Critical Infrastructure Partnership Advisory Council; andCommentsClose CommentsPermalink





(6) the National Cybersecurity Advisory Council established under section 239 of the Homeland Security Act of 2002, as added by this Act.CommentsClose CommentsPermalink





(b) National Strategy- In developing and updating the National Strategy the Director shall consult with the National Cybersecurity Advisory Council and, as appropriate, State and local governments and private entities.CommentsClose CommentsPermalink

SEC. 107. REPORTS TO CONGRESS.

(a) In General- The Director shall submit an annual report to the appropriate congressional committees describing the activities, ongoing projects, and plans of the Federal Government designed to meet the goals and objectives of the National Strategy.CommentsClose CommentsPermalink





(b) Classified Annex- A report submitted under this section shall be submitted in an unclassified form, but may include a classified annex, if necessary.CommentsClose CommentsPermalink





(c) Public Report- An unclassified version of each report submitted under this section shall be made available to the public.CommentsClose CommentsPermalink

TITLE II--NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONSCommentsClose CommentsPermalink

SEC. 201. CYBERSECURITY.

Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by adding at the end the following:CommentsClose CommentsPermalink

‘Subtitle E--CybersecurityCommentsClose CommentsPermalink

‘SEC. 241. DEFINITIONS.

‘In this subtitle--CommentsClose CommentsPermalink





‘(1) the term ‘agency information infrastructure’ means the Federal information infrastructure of a particular Federal agency;CommentsClose CommentsPermalink





‘(2) the term ‘appropriate committees of Congress’ means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives;CommentsClose CommentsPermalink





‘(3) the term ‘Center’ means the National Center for Cybersecurity and Communications established under section 242(a);CommentsClose CommentsPermalink





‘(4) the term ‘covered critical infrastructure’ means a system or asset--CommentsClose CommentsPermalink





‘(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); andCommentsClose CommentsPermalink





‘(B)(i) that is a component of the national information infrastructure; orCommentsClose CommentsPermalink





‘(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset;CommentsClose CommentsPermalink





‘(5) the term ‘cyber vulnerability’ means any security vulnerability that, if exploited, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure;CommentsClose CommentsPermalink





‘(6) the term ‘Director’ means the Director of the Center appointed under section 242(b)(1);CommentsClose CommentsPermalink





‘(7) the term ‘Federal agency’--CommentsClose CommentsPermalink





‘(A) means any executive department, military department, Government corporation, Government-controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; andCommentsClose CommentsPermalink





‘(B) does not include the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions;CommentsClose CommentsPermalink





‘(8) the term ‘Federal information infrastructure’--CommentsClose CommentsPermalink





‘(A) means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; andCommentsClose CommentsPermalink





‘(B) does not include--CommentsClose CommentsPermalink





‘(i) a national security system; orCommentsClose CommentsPermalink





‘(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;CommentsClose CommentsPermalink





‘(9) the term ‘incident’ means an occurrence that--CommentsClose CommentsPermalink





‘(A) actually or potentially jeopardizes--CommentsClose CommentsPermalink





‘(i) the information security of information infrastructure; orCommentsClose CommentsPermalink





‘(ii) the information that information infrastructure processes, stores, receives, or transmits; orCommentsClose CommentsPermalink





‘(B) constitutes a violation or threat of violation of security policies, security procedures, or acceptable use policies applicable to information infrastructure.CommentsClose CommentsPermalink





‘(10) the term ‘information infrastructure’ means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including--CommentsClose CommentsPermalink





‘(A) programmable electronic devices and communications networks; andCommentsClose CommentsPermalink





‘(B) any associated hardware, software, or data;CommentsClose CommentsPermalink





‘(11) the term ‘information security’ means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--CommentsClose CommentsPermalink





‘(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;CommentsClose CommentsPermalink





‘(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; andCommentsClose CommentsPermalink





‘(C) availability, by ensuring timely and reliable access to and use of information;CommentsClose CommentsPermalink





‘(12) the term ‘information sharing and analysis center’ means a self-governed forum whose members work together within a specific sector of critical infrastructure to identify, analyze, and share with other members and the Federal Government critical information relating to threats, vulnerabilities, or incidents to the security and resiliency of the critical infrastructure that comprises the specific sector;CommentsClose CommentsPermalink





‘(13) the term ‘information system’ has the meaning given that term in section 3502 of title 44, United States Code;CommentsClose CommentsPermalink





‘(14) the term ‘intelligence community’ has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4));CommentsClose CommentsPermalink





‘(15) the term ‘management controls’ means safeguards or countermeasures for an information system that focus on the management of risk and the management of information system security;CommentsClose CommentsPermalink





‘(16) the term ‘National Cybersecurity Advisory Council’ means the National Cybersecurity Advisory Council established under section 239;CommentsClose CommentsPermalink





‘(17) the term ‘national cyber emergency’ means an actual or imminent action by any individual or entity to exploit a cyber vulnerability in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure;CommentsClose CommentsPermalink





‘(18) the term ‘national information infrastructure’ means information infrastructure--CommentsClose CommentsPermalink





‘(A)(i) that is owned, operated, or controlled within or from the United States; orCommentsClose CommentsPermalink





‘(ii) if located outside the United States, the disruption of which could result in national or regional catastrophic damage in the United States; andCommentsClose CommentsPermalink





‘(B) that is not owned, operated, controlled, or licensed for use by a Federal agency;CommentsClose CommentsPermalink





‘(19) the term ‘national security system’ has the same meaning given that term in section 3551 of title 44, United States Code;CommentsClose CommentsPermalink





‘(20) the term ‘operational controls’ means the safeguards and countermeasures for an information system that are primarily implemented and executed by individuals not systems;CommentsClose CommentsPermalink





‘(21) the term ‘sector-specific agency’ means the relevant Federal agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category under the National Infrastructure Protection Plan, or any other appropriate Federal agency identified by the President after the date of enactment of this subtitle;CommentsClose CommentsPermalink





‘(22) the term ‘sector coordinating councils’ means self-governed councils that are composed of representatives of key stakeholders within a specific sector of critical infrastructure that serve as the principal private sector policy coordination and planning entities with the Federal Government relating to the security and resiliency of the critical infrastructure that comprise that sector;CommentsClose CommentsPermalink





‘(23) the term ‘security controls’ means the management, operational, and technical controls prescribed for an information system to protect the information security of the system;CommentsClose CommentsPermalink





‘(24) the term ‘small business concern’ has the meaning given that term under section 3 of the Small Business Act (15 U.S.C. 632);CommentsClose CommentsPermalink





‘(25) the term ‘technical controls’ means the safeguards or countermeasures for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system;CommentsClose CommentsPermalink





‘(26) the term ‘terrorism information’ has the meaning given that term in section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485);CommentsClose CommentsPermalink





‘(27) the term ‘United States person’ has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801); andCommentsClose CommentsPermalink





‘(28) the term ‘US-CERT’ means the United States Computer Readiness Team established under section 244.CommentsClose CommentsPermalink

‘SEC. 242. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS.

‘(a) Establishment-CommentsClose CommentsPermalink





‘(1) IN GENERAL- There is established within the Department a National Center for Cybersecurity and Communications.CommentsClose CommentsPermalink





‘(2) OPERATIONAL ENTITY- The Center may--CommentsClose CommentsPermalink





‘(A) enter into contracts for the procurement of property and services for the Center; andCommentsClose CommentsPermalink





‘(B) appoint employees of the Center in accordance with the civil service laws of the United States.CommentsClose CommentsPermalink





‘(b) Director-CommentsClose CommentsPermalink





‘(1) IN GENERAL- The Center shall be headed by a Director, who shall be appointed by the President, by and with the advice and consent of the Senate.CommentsClose CommentsPermalink





‘(2) REPORTING TO SECRETARY- The Director shall report directly to the Secretary and serve as the principal advisor to the Secretary on cybersecurity and the operations, security, and resiliency of the communications infrastructure of the United States.CommentsClose CommentsPermalink





‘(3) PRESIDENTIAL ADVICE- The Director shall regularly advise the President on the exercise of the authorities provided under this subtitle or any other provision of law relating to the security of the Federal information infrastructure or an agency information infrastructure.CommentsClose CommentsPermalink





‘(4) QUALIFICATIONS- The Director shall be appointed from among individuals who have--CommentsClose CommentsPermalink





‘(A) a demonstrated ability in and knowledge of information technology, cybersecurity, and the operations, security and resiliency of communications networks; andCommentsClose CommentsPermalink





‘(B) significant executive leadership and management experience in the public or private sector.CommentsClose CommentsPermalink





‘(5) LIMITATION ON SERVICE-CommentsClose CommentsPermalink





‘(A) IN GENERAL- Subject to subparagraph (B), the individual serving as the Director may not, while so serving, serve in any other capacity in the Federal Government, except to the extent that the individual serving as Director is doing so in an acting capacity.CommentsClose CommentsPermalink





‘(B) EXCEPTION- The Director may serve on any commission, board, council, or similar entity with responsibilities or duties relating to cybersecurity or the operations, security, and resiliency of the communications infrastructure of the United States at the direction of the President or as otherwise provided by law.CommentsClose CommentsPermalink





‘(c) Deputy Directors-CommentsClose CommentsPermalink





‘(1) IN GENERAL- There shall be not less than 2 Deputy Directors for the Center, who shall report to the Director.CommentsClose CommentsPermalink





‘(2) INFRASTRUCTURE PROTECTION-CommentsClose CommentsPermalink





‘(A) APPOINTMENT- There shall be a Deputy Director appointed by the Secretary, who shall have expertise in infrastructure protection.CommentsClose CommentsPermalink





‘(B) RESPONSIBILITIES- The Deputy Director appointed under subparagraph (A) shall--CommentsClose CommentsPermalink





‘(i) assist the Director and the Assistant Secretary for Infrastructure Protection in coordinating, managing, and directing the information, communications, and physical infrastructure protection responsibilities and activities of the Department, including activities under Homeland Security Presidential Directive-7, or any successor thereto, and the National Infrastructure Protection Plan, or any successor thereto;CommentsClose CommentsPermalink





‘(ii) review the budget for the Center and the Office of Infrastructure Protection before submission of the budget to the Secretary to ensure that activities are appropriately coordinated;CommentsClose CommentsPermalink





‘(iii) develop, update periodically, and submit to the appropriate committees of Congress a strategic plan detailing how critical infrastructure protection activities will be coordinated between the Center, the Office of Infrastructure Protection, and the private sector;CommentsClose CommentsPermalink





‘(iv) subject to the direction of the Director resolve conflicts between the Center and the Office of Infrastructure Protection relating to the information, communications, and physical infrastructure protection responsibilities of the Center and the Office of Infrastructure Protection; andCommentsClose CommentsPermalink





‘(v) perform such other duties as the Director may assign.CommentsClose CommentsPermalink





‘(C) ANNUAL EVALUATION- The Assistant Secretary for Infrastructure Protection shall submit annually to the Director an evaluation of the performance of the Deputy Director appointed under subparagraph (A).CommentsClose CommentsPermalink





‘(3) INTELLIGENCE COMMUNITY- The Director of National Intelligence shall identify an employee of an element of the intelligence community to serve as a Deputy Director of the Center. The employee shall be detailed to the Center on a reimbursable basis for such period as is agreed to by the Director and the Director of National Intelligence, and, while serving as Deputy Director, shall report directly to the Director of the Center.CommentsClose CommentsPermalink





‘(d) Liaison Officers- The Secretary of Defense, the Attorney General, the Secretary of Commerce, and the Director of National Intelligence shall detail personnel to the Center to act as full-time liaisons with the Department of Defense, the Department of Justice, the National Institute of Standards and Technology, and elements of the intelligence community to assist in coordination between and among the Center, the Department of Defense, the Department of Justice, the National Institute of Standards and Technology, and elements of the intelligence community.CommentsClose CommentsPermalink





‘(e) Privacy Officer-CommentsClose CommentsPermalink





‘(1) IN GENERAL- The Director, in consultation with the Secretary, shall designate a full-time privacy officer, who shall report to the Director.CommentsClose CommentsPermalink





‘(2) DUTIES- The privacy officer designated under paragraph (1) shall have primary responsibility for implementation by the Center of the privacy policy for the Department established by the Privacy Officer appointed under section 222.CommentsClose CommentsPermalink





‘(f) Duties of Director-CommentsClose CommentsPermalink





‘(1) IN GENERAL- The Director shall--CommentsClose CommentsPermalink





‘(A) working cooperatively with the private sector, lead the Federal effort to secure, protect, and ensure the resiliency of the Federal information infrastructure and national information infrastructure of the United States, including communications networks;CommentsClose CommentsPermalink





‘(B) assist in the identification, remediation, and mitigation of vulnerabilities to the Federal information infrastructure and the national information infrastructure;CommentsClose CommentsPermalink





‘(C) provide dynamic, comprehensive, and continuous situational awareness of the security status of the Federal information infrastructure, national information infrastructure, and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community by sharing and integrating classified and unclassified information, including information relating to threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the infrastructure or systems, on a routine and continuous basis with--CommentsClose CommentsPermalink





‘(i) the National Threat Operations Center of the National Security Agency;CommentsClose CommentsPermalink





‘(ii) the United States Cyber Command, including the Joint Task Force-Global Network Operations;CommentsClose CommentsPermalink





‘(iii) the Cyber Crime Center of the Department of Defense;CommentsClose CommentsPermalink





‘(iv) the National Cyber Investigative Joint Task Force;CommentsClose CommentsPermalink





‘(v) the Intelligence Community Incident Response Center;CommentsClose CommentsPermalink





‘(vi) any other Federal agency, or component thereof, identified by the Director; andCommentsClose CommentsPermalink





‘(vii) any non-Federal entity, including, where appropriate, information sharing and analysis centers, identified by the Director, with the concurrence of the owner or operator of that entity and consistent with applicable law;CommentsClose CommentsPermalink





‘(D) work with the entities described in subparagraph (C) to establish policies and procedures that enable information sharing between and among the entities;CommentsClose CommentsPermalink





‘(E) develop, in coordination with the Assistant Secretary for Infrastructure Protection, other Federal agencies, the private sector, and State and local governments, a national incident response plan that details the roles of Federal agencies, State and local governments, and the private sector, including plans to be executed in response to a declaration of a national cyber emergency by the President under section 249;CommentsClose CommentsPermalink





‘(F) conduct risk-based assessments of the Federal information infrastructure with respect to acts of terrorism, natural disasters, and other large-scale disruptions and provide the results of the assessments to the Director of Cyberspace Policy;CommentsClose CommentsPermalink





‘(G) develop, oversee the implementation of, and enforce policies, principles, and guidelines on information security for the Federal information infrastructure, including timely adoption of and compliance with standards developed by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3);CommentsClose CommentsPermalink





‘(H) provide assistance to the National Institute of Standards and Technology in developing standards under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3);CommentsClose CommentsPermalink





‘(I) provide to Federal agencies mandatory security controls to mitigate and remediate vulnerabilities of and incidents affecting the Federal information infrastructure;CommentsClose CommentsPermalink





‘(J) subject to paragraph (2), and as needed, assist the Director of the Office of Management and Budget and the Director of Cyberspace Policy in conducting analysis and prioritization of budgets, relating to the security of the Federal information infrastructure;CommentsClose CommentsPermalink





‘(K) in accordance with section 253, develop, periodically update, and implement a supply chain risk management strategy to enhance, in a risk-based and cost-effective manner, the security of the communications and information technology products and services purchased by the Federal Government;CommentsClose CommentsPermalink





‘(L) notify the Director of Cyberspace Policy of any incident involving the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure that could compromise or significantly affect economic or national security;CommentsClose CommentsPermalink





‘(M) consult, in coordination with the Director of Cyberspace Policy, with appropriate international partners to enhance the security of the Federal information infrastructure and national information infrastructure;CommentsClose CommentsPermalink





‘(N)(i) coordinate and integrate information to analyze the composite security state of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;CommentsClose CommentsPermalink





‘(ii) ensure the information required under clause (i) and section 3553(c)(1)(A) of title 44, United States Code, including the views of the Director on the adequacy and effectiveness of information security throughout the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, is available on an automated and continuous basis through the system maintained under section 3552(a)(3)(D) of title 44, United States Code;CommentsClose CommentsPermalink





‘(iii) in conjunction with the quadrennial homeland security review required under section 707, and at such other times determined appropriate by the Director, analyze the composite security state of the national information infrastructure and submit to the President, Congress, and the Secretary a report regarding actions necessary to enhance the composite security state of the national information infrastructure based on the analysis; andCommentsClose CommentsPermalink





‘(iv) foster collaboration and serve as the primary contact between the Federal Government, State and local governments, and private entities on matters relating to the security of the Federal information infrastructure and the national information infrastructure;CommentsClose CommentsPermalink





‘(O) oversee the development, implementation, and management of security requirements for Federal agencies relating to the external access points to or from the Federal information infrastructure;CommentsClose CommentsPermalink





‘(P) establish, develop, and oversee the capabilities and operations within the US-CERT as required by section 244;CommentsClose CommentsPermalink





‘(Q) oversee the operations of the National Communications System, as described in Executive Order 12472 (49 Fed. Reg. 13471; relating to the assignment of national security and emergency preparedness telecommunications functions), as amended by Executive Order 13286 (68 Fed. Reg. 10619) and Executive Order 13407 (71 Fed. Reg. 36975), or any successor thereto, including planning for and providing communications for the Federal Government under all circumstances, including crises, emergencies, attacks, recoveries, and reconstitutions;CommentsClose CommentsPermalink





‘(R) ensure, in coordination with the privacy officer designated under subsection (e), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons;CommentsClose CommentsPermalink





‘(S) subject to the availability of resources, and at the discretion of the Director, provide voluntary technical assistance--CommentsClose CommentsPermalink





‘(i) at the request of an owner or operator of covered critical infrastructure, to assist the owner or operator in complying with sections 248 and 249, including implementing required security or emergency measures and developing response plans for national cyber emergencies declared under section 249; andCommentsClose CommentsPermalink





‘(ii) at the request of the owner or operator of national information infrastructure that is not covered critical infrastructure, and based on risk, to assist the owner or operator in implementing best practices, and related standards and guidelines, recommended under section 247 and other measures necessary to mitigate or remediate vulnerabilities of the information infrastructure and the consequences of efforts to exploit the vulnerabilities;CommentsClose CommentsPermalink





‘(T)(i) conduct, in consultation with the National Cybersecurity Advisory Council, the head of appropriate sector-specific agencies, and any private sector entity determined appropriate by the Director, risk-based assessments of national information infrastructure, on a sector-by-sector basis, with respect to acts of terrorism, natural disasters, and other large-scale disruptions or financial harm, which shall identify and prioritize risks to the national information infrastructure, including vulnerabilities and associated consequences; andCommentsClose CommentsPermalink





‘(ii) coordinate and evaluate the mitigation or remediation of cyber vulnerabilities and consequences identified under clause (i);CommentsClose CommentsPermalink





‘(U) regularly evaluate and assess technologies designed to enhance the protection of the Federal information infrastructure and national information infrastructure, including an assessment of the cost-effectiveness of the technologies;CommentsClose CommentsPermalink





‘(V) promote the use of the best practices recommended under section 247 to State and local governments and the private sector;CommentsClose CommentsPermalink





‘(W) develop and implement outreach and awareness programs on cybersecurity, including--CommentsClose CommentsPermalink





‘(i) a public education campaign to increase the awareness of cybersecurity, cyber safety, and cyber ethics, which shall include use of the Internet, social media, entertainment, and other media to reach the public;CommentsClose CommentsPermalink





‘(ii) an education campaign to increase the understanding of State and local governments and private sector entities of the costs of failing to ensure effective security of information infrastructure and cost-effective methods to mitigate and remediate vulnerabilities; andCommentsClose CommentsPermalink





‘(iii) outcome-based performance measures to determine the success of the programs;CommentsClose CommentsPermalink





‘(X) develop and implement a national cybersecurity exercise program that includes--CommentsClose CommentsPermalink





‘(i) the participation of State and local governments, international partners of the United States, and the private sector; andCommentsClose CommentsPermalink





‘(ii) an after action report analyzing lessons learned from exercises and identifying vulnerabilities to be remediated or mitigated;CommentsClose CommentsPermalink





‘(Y) coordinate with the Assistant Secretary for Infrastructure Protection to ensure that--CommentsClose CommentsPermalink





‘(i) cybersecurity is appropriately addressed in carrying out the infrastructure protection responsibilities described in section 201(d); andCommentsClose CommentsPermalink





‘(ii) the operations of the Center and the Office of Infrastructure Protection avoid duplication and use, to the maximum extent practicable, joint mechanisms for information sharing and coordination with the private sector;CommentsClose CommentsPermalink





‘(Z) oversee the activities of the Office of Emergency Communications established under section 1801; andCommentsClose CommentsPermalink





‘(AA) perform such other duties as the Secretary may direct relating to the security and resiliency of the information and communications infrastructure of the United States.CommentsClose CommentsPermalink





‘(2) BUDGET ANALYSIS- In conducting analysis and prioritization of budgets under paragraph (1)(J), the Director--CommentsClose CommentsPermalink





‘(A) in coordination with the Director of the Office of Management and Budget, may access information from any Federal agency regarding the finances, budget, and programs of the Federal agency relevant to the security of the Federal information infrastructure;CommentsClose CommentsPermalink





‘(B) may make recommendations to the Director of the Office of Management and Budget and the Director of Cyberspace Policy regarding the budget for each Federal agency to ensure that adequate funding is devoted to securing the Federal information infrastructure, in accordance with policies, principles, and guidelines established by the Director under this subtitle; andCommentsClose CommentsPermalink





‘(C) shall provide copies of any recommendations made under subparagraph (B) to--CommentsClose CommentsPermalink





‘(i) the Committee on Appropriations of the Senate;CommentsClose CommentsPermalink





‘(ii) the Committee on Appropriations of the House of Representatives; andCommentsClose CommentsPermalink





‘(iii) the appropriate committees of Congress.CommentsClose CommentsPermalink





‘(g) Use of Mechanisms for Collaboration- In carrying out the responsibilities and authorities of the Director under this subtitle, to the maximum extent practicable, the Director shall use mechanisms for collaboration and information sharing (including mechanisms relating to the identification and communication of threats, vulnerabilities, and associated consequences) established by other components of the Department or other Federal agencies to avoid unnecessary duplication or waste.CommentsClose CommentsPermalink





‘(h) Sufficiency of Resources Plan-CommentsClose CommentsPermalink





‘(1) REPORT- Not later than 120 days after the date of enactment of this subtitle, the Director of the Office of Management and Budget shall submit to the appropriate committees of Congress and the Comptroller General of the United States a report on the resources and staff necessary to carry out fully the responsibilities under this subtitle.CommentsClose CommentsPermalink





‘(2) COMPTROLLER GENERAL REVIEW-CommentsClose CommentsPermalink





‘(A) IN GENERAL- The Comptroller General of the United States shall evaluate the reasonableness and adequacy of the report submitted by the Director under paragraph (1).CommentsClose CommentsPermalink





‘(B) REPORT- Not later than 60 days after the date on which the report is submitted under paragraph (1), the Comptroller General shall submit to the appropriate committees of Congress a report containing the findings of the review under subparagraph (A).CommentsClose CommentsPermalink





‘(i) Functions Transferred- There are transferred to the Center the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System, including all the functions, personnel, assets, authorities, and liabilities of the National Cyber Security Division and the National Communications System.CommentsClose CommentsPermalink

‘SEC. 243. PHYSICAL AND CYBER INFRASTRUCTURE COLLABORATION.

‘(a) In General- The Director and the Assistant Secretary for Infrastructure Protection shall coordinate the information, communications, and physical infrastructure protection responsibilities and activities of the Center and the Office of Infrastructure Protection.CommentsClose CommentsPermalink





‘(b) Oversight- The Secretary shall ensure that the coordination described in subsection (a) occurs.CommentsClose CommentsPermalink

‘SEC. 244. UNITED STATES COMPUTER EMERGENCY READINESS TEAM.

‘(a) Establishment of Office- There is established within the Center, the United States Computer Emergency Readiness Team, which shall be headed by a Director, who shall be selected from the Senior Executive Service by the Secretary.CommentsClose CommentsPermalink





‘(b) Responsibilities- The US-CERT shall--CommentsClose CommentsPermalink





‘(1) collect, coordinate, and disseminate information on--CommentsClose CommentsPermalink





‘(A) risks to the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure; andCommentsClose CommentsPermalink





‘(B) security controls to enhance the security of the Federal information infrastructure or the national information infrastructure against the risks identified in subparagraph (A); andCommentsClose CommentsPermalink





‘(2) establish a mechanism for engagement with the private sector.CommentsClose CommentsPermalink





‘(c) Monitoring, Analysis, Warning, and Response-CommentsClose CommentsPermalink





‘(1) DUTIES- Subject to paragraph (2), the US-CERT shall--CommentsClose CommentsPermalink





‘(A) provide analysis and reports to Federal agencies on the security of the Federal information infrastructure;CommentsClose CommentsPermalink





‘(B) provide continuous, automated monitoring of the Federal information infrastructure at external Internet access points, which shall include detection and warning of threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the information security of the Federal information infrastructure;CommentsClose CommentsPermalink





‘(C) warn Federal agencies of threats, vulnerabilities, incidents, and anomalous activities that could affect the Federal information infrastructure;CommentsClose CommentsPermalink





‘(D) develop, recommend, and deploy security controls to mitigate or remediate vulnerabilities;CommentsClose CommentsPermalink





‘(E) support Federal agencies in conducting risk assessments of the agency information infrastructure;CommentsClose CommentsPermalink





‘(F) disseminate to Federal agencies risk analyses of incidents that could impair the risk-based security of the Federal information infrastructure;CommentsClose CommentsPermalink





‘(G) develop and acquire predictive analytic tools to evaluate threats, vulnerabilities, traffic, trends, incidents, and anomalous activities;CommentsClose CommentsPermalink





‘(H) aid in the detection of, and warn owners or operators of national information infrastructure regarding, threats, vulnerabilities, and incidents, affecting the national information infrastructure, including providing--CommentsClose CommentsPermalink





‘(i) timely, targeted, and actionable notifications of threats, vulnerabilities, and incidents; andCommentsClose CommentsPermalink





‘(ii) recommended security controls to mitigate or remediate vulnerabilities; andCommentsClose CommentsPermalink





‘(I) respond to assistance requests from Federal agencies and, subject to the availability of resources, owners or operators of the national information infrastructure to--CommentsClose CommentsPermalink





‘(i) isolate, mitigate, or remediate incidents;CommentsClose CommentsPermalink





‘(ii) recover from damages and mitigate or remediate vulnerabilities; andCommentsClose CommentsPermalink





‘(iii) evaluate security controls and other actions taken to secure information infrastructure and incorporate lessons learned into best practices, policies, principles, and guidelines.CommentsClose CommentsPermalink





‘(2) REQUIREMENT- With respect to the Federal information infrastructure, the US-CERT shall conduct the activities described in paragraph (1) in a manner consistent with the responsibilities of the head of a Federal agency described in section 3553 of title 44, United States Code.CommentsClose CommentsPermalink





‘(3) REPORT- Not later than 1 year after the date of enactment of this subtitle, and every year thereafter, the Secretary shall--CommentsClose CommentsPermalink





‘(A) in conjunction with the Inspector General of the Department, conduct an independent audit or review of the activities of the US-CERT under paragraph (1)(B); andCommentsClose CommentsPermalink





‘(B) submit to the appropriate committees of Congress and the President a report regarding the audit or report.CommentsClose CommentsPermalink





‘(d) Procedures for Federal Government- Not later than 90 days after the date of enactment of this subtitle, the head of each Federal agency shall establish procedures for the Federal agency that ensure that the US-CERT can perform the functions described in subsection (c) in relation to the Federal agency.CommentsClose CommentsPermalink





‘(e) Operational Updates- The US-CERT shall provide unclassified and, as appropriate, classified updates regarding the composite security state of the Federal information infrastructure to the Federal Information Security Taskforce.CommentsClose CommentsPermalink





‘(f) Federal Points of Contact- The Director of the US-CERT shall designate a principal point of contact within the US-CERT for each Federal agency to--CommentsClose CommentsPermalink





‘(1) maintain communication;CommentsClose CommentsPermalink





‘(2) ensure cooperative engagement and information sharing; andCommentsClose CommentsPermalink





‘(3) respond to inquiries or requests.CommentsClose CommentsPermalink





‘(g) Requests for Information or Physical Access-CommentsClose CommentsPermalink





‘(1) INFORMATION ACCESS- Upon request of the Director of the US-CERT, the head of a Federal agency or an Inspector General for a Federal agency shall provide any law enforcement information, intelligence information, terrorism information, or any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246) relevant to the security of the Federal information infrastructure or the national information infrastructure necessary to carry out the duties, responsibilities, and authorities under this subtitle.CommentsClose CommentsPermalink





‘(2) PHYSICAL ACCESS- Upon request of the Director, and in consultation with the head of a Federal agency, the Federal agency shall provide physical access to any facility of the Federal agency necessary to determine whether the Federal agency is in compliance with any policies, principles, and guidelines established by the Director under this subtitle, or otherwise necessary to carry out the duties, responsibilities, and authorities of the Director applicable to the Federal information infrastructure.CommentsClose CommentsPermalink

‘SEC. 245. ADDITIONAL AUTHORITIES OF THE DIRECTOR OF THE NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS.

‘(a) Access to Information- Unless otherwise directed by the President--CommentsClose CommentsPermalink





‘(1) the Director shall access, receive, and analyze law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246) relevant to the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or national information infrastructure from Federal agencies and, consistent with applicable law, State and local governments (including law enforcement agencies), and private entities, including information provided by any contractor to a Federal agency regarding the security of the agency information infrastructure;CommentsClose CommentsPermalink





‘(2) any Federal agency in possession of law enforcement information, intelligence information, terrorism information, or any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246) relevant to the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or national information infrastructure shall provide that information to the Director in a timely manner; andCommentsClose CommentsPermalink





‘(3) the Director, in coordination with the Attorney General, the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee), the Director of National Intelligence, and the Archivist of the United States, shall establish guidelines to ensure that information is transferred, stored, and preserved in accordance with applicable law and in a manner that protects the privacy and civil liberties of United States persons.CommentsClose CommentsPermalink





‘(b) Operational Evaluations-CommentsClose CommentsPermalink





‘(1) IN GENERAL- The Director--CommentsClose CommentsPermalink





‘(A) subject to paragraph (2), shall develop, maintain, and enhance capabilities to evaluate the security of the Federal information infrastructure as described in section 3554(a)(3) of title 44, United States Code, including the ability to conduct risk-based penetration testing and vulnerability assessments;CommentsClose CommentsPermalink





‘(B) in carrying out subparagraph (A), may request technical assistance from the Director of the Federal Bureau of Investigation, the Director of the National Security Agency, the head of any other Federal agency that may provide support, and any nongovernmental entity contracting with the Department or another Federal agency; andCommentsClose CommentsPermalink





‘(C) in consultation with the Attorney General and the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee), shall develop guidelines to ensure compliance with all applicable laws relating to the privacy of United States persons in carrying out the operational evaluations under subparagraph (A).CommentsClose CommentsPermalink





‘(2) OPERATIONAL EVALUATIONS-CommentsClose CommentsPermalink





‘(A) IN GENERAL- The Director may conduct risk-based operational evaluations of the agency information infrastructure of any Federal agency, at a time determined by the Director, in consultation with the head of the Federal agency, using the capabilities developed under paragraph (1)(A).CommentsClose CommentsPermalink





‘(B) ANNUAL EVALUATION REQUIREMENT- If the Director conducts an operational evaluation under subparagraph (A) or an operational evaluation at the request of a Federal agency to meet the requirements of section 3554 of title 44, United States Code, the operational evaluation shall satisfy the requirements of section 3554 for the Federal agency for the year of the evaluation, unless otherwise specified by the Director.CommentsClose CommentsPermalink





‘(c) Corrective Measures and Mitigation Plans- If the Director determines that a Federal agency is not in compliance with applicable policies, principles, standards, and guidelines applicable to the Federal information infrastructure--CommentsClose CommentsPermalink





‘(1) the Director, in consultation with the Director of the Office of Management and Budget, may direct the head of the Federal agency to--CommentsClose CommentsPermalink





‘(A) take corrective measures to meet the policies, principles, standards, and guidelines; andCommentsClose CommentsPermalink





‘(B) develop a plan to remediate or mitigate any vulnerabilities addressed by the policies, principles, standards, and guidelines;CommentsClose CommentsPermalink





‘(2) within such time period as the Director shall prescribe, the head of the Federal agency shall--CommentsClose CommentsPermalink





‘(A) implement a corrective measure or develop a mitigation plan in accordance with paragraph (1); orCommentsClose CommentsPermalink





‘(B) submit to the Director, the Director of the Office of Management and Budget, the Inspector General for the Federal agency, and the appropriate committees of Congress a report indicating why the Federal agency has not implemented the corrective measure or developed a mitigation plan; andCommentsClose CommentsPermalink





‘(3) the Director may direct the isolation of any component of the agency information infrastructure, consistent with the contingency or continuity of operation plans applicable to the agency information infrastructure, until corrective measures are taken or mitigation plans approved by the Director are put in place, if--CommentsClose CommentsPermalink





‘(A) the head of the Federal agency has failed to comply with the corrective measures prescribed under paragraph (1); andCommentsClose CommentsPermalink





‘(B) the failure to comply presents a significant danger to the Federal information infrastructure.CommentsClose CommentsPermalink

‘SEC. 246. INFORMATION SHARING.

‘(a) Federal Agencies-CommentsClose CommentsPermalink





‘(1) INFORMATION SHARING PROGRAM- Consistent with the responsibilities described in section 242 and 244, the Director, in consultation with the other members of the Chief Information Officers Council established under section 3603 of title 44, United States Code, and the Federal Information Security Taskforce, shall establish a program for sharing information with and between the Center and other Federal agencies that includes processes and procedures, including standard operating procedures--CommentsClose CommentsPermalink





‘(A) under which the Director regularly shares with each Federal agency--CommentsClose CommentsPermalink





‘(i) analysis and reports on the composite security state of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, which shall include information relating to threats, vulnerabilities, incidents, or anomalous activities;CommentsClose CommentsPermalink





‘(ii) any available analysis and reports regarding the security of the agency information infrastructure; andCommentsClose CommentsPermalink





‘(iii) means and methods of preventing, responding to, mitigating, and remediating vulnerabilities; andCommentsClose CommentsPermalink





‘(B) under which the Director may request information from Federal agencies concerning the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure necessary to carry out the duties of the Director under this subtitle or any other provision of law.CommentsClose CommentsPermalink





‘(2) CONTENTS- The program established under this section shall include--CommentsClose CommentsPermalink





‘(A) timeframes for the sharing of information under paragraph (1);CommentsClose CommentsPermalink





‘(B) guidance on what information shall be shared, including information regarding incidents;CommentsClose CommentsPermalink





‘(C) a tiered structure that provides guidance for the sharing of urgent information; andCommentsClose CommentsPermalink





‘(D) processes and procedures under which the Director or the head of a Federal agency may report noncompliance with the program to the Director of Cyberspace Policy.CommentsClose CommentsPermalink





‘(3) US-CERT- The Director of the US-CERT shall ensure that the head of each Federal agency has continual access to data collected by the US-CERT regarding the agency information infrastructure of the Federal agency.CommentsClose CommentsPermalink





‘(4) FEDERAL AGENCIES-CommentsClose CommentsPermalink





‘(A) IN GENERAL- The head of a Federal agency shall comply with all processes and procedures established under this subsection regarding notification to the Director relating to incidents.CommentsClose CommentsPermalink





‘(B) IMMEDIATE NOTIFICATION REQUIRED- Unless otherwise directed by the President, any Federal agency with a national security system shall immediately notify the Director regarding any incident affecting the risk-based security of the national security system.CommentsClose CommentsPermalink





‘(b) State and Local Governments, Private Sector, and International Partners-CommentsClose CommentsPermalink





‘(1) IN GENERAL- The Director, shall establish processes and procedures, including standard operating procedures, to promote bidirectional information sharing with State and local governments, private entities, and international partners of the United States on--CommentsClose CommentsPermalink





‘(A) threats, vulnerabilities, incidents, and anomalous activities affecting the national information infrastructure; andCommentsClose CommentsPermalink





‘(B) means and methods of preventing, responding to, and mitigating and remediating vulnerabilities.CommentsClose CommentsPermalink





‘(2) CONTENTS- The processes and procedures established under paragraph (1) shall include--CommentsClose CommentsPermalink





‘(A) means or methods of accessing classified or unclassified information, as appropriate, that will provide situational awareness of the security of the Federal information infrastructure and the national information infrastructure relating to threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the Federal information infrastructure or the national information infrastructure;CommentsClose CommentsPermalink





‘(B) a mechanism, established in consultation with the heads of the relevant sector-specific agencies, sector coordinating councils, and information sharing and analysis centers, by which owners and operators of covered critical infrastructure shall report incidents in the information infrastructure for covered critical infrastructure, to the extent the incident might indicate an actual or potential cyber vulnerability, or exploitation of that vulnerability; andCommentsClose CommentsPermalink





‘(C) an evaluation of the need to provide security clearances to employees of State and local governments, private entities, and international partners to carry out this subsection.CommentsClose CommentsPermalink





‘(3) GUIDELINES- The Director, in consultation with the Attorney General and the Director of National Intelligence, shall develop guidelines to protect the privacy and civil liberties of United States persons and intelligence sources and methods, while carrying out this subsection.CommentsClose CommentsPermalink





‘(c) Incidents-CommentsClose CommentsPermalink





‘(1) NON-FEDERAL ENTITIES-CommentsClose CommentsPermalink





‘(A) IN GENERAL-CommentsClose CommentsPermalink





‘(i) MANDATORY REPORTING- Subject to clause (i), the owner or operator of covered critical infrastructure shall report any incident affecting the information infrastructure of covered critical infrastructure to the extent the incident might indicate an actual or potential cyber vulnerability, or exploitation of a cyber vulnerability, in accordance with the policies and procedures for the mechanism established under subsection (b)(2)(B) and guidelines developed under subsection (b)(3).CommentsClose CommentsPermalink





‘(ii) LIMITATION- Clause (i) shall not authorize the Director, the Center, the Department, or any other Federal entity to compel the disclosure of information relating to an incident or conduct surveillance unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other provision of law.CommentsClose CommentsPermalink





‘(B) REPORTING PROCEDURES- The Director shall establish procedures that enable and encourage the owner or operator of national information infrastructure to report to the Director regarding incidents affecting such information infrastructure.CommentsClose CommentsPermalink





‘(2) INFORMATION PROTECTION- Notwithstanding any other provision of law, information reported under paragraph (1) shall be protected from unauthorized disclosure, in accordance with section 251.CommentsClose CommentsPermalink





‘(d) Additional Responsibilities- In accordance with section 251, the Director shall--CommentsClose CommentsPermalink





‘(1) share data collected on the Federal information infrastructure with the National Science Foundation and other accredited research institutions for the sole purpose of cybersecurity research in a manner that protects privacy and civil liberties of United States persons and intelligence sources and methods;CommentsClose CommentsPermalink





‘(2) establish a Web site to provide an opportunity for the public to provide--CommentsClose CommentsPermalink





‘(A) input about the operations of the Center; andCommentsClose CommentsPermalink





‘(B) recommendations for improvements of the Center; andCommentsClose CommentsPermalink





‘(3) in coordination with the Secretary of Defense, the Director of National Intelligence, the Secretary of State, and the Attorney General, develop information sharing pilot programs with international partners of the United States.CommentsClose CommentsPermalink

‘SEC. 247. PRIVATE SECTOR ASSISTANCE.

‘(a) In General- The Director, in consultation with the Director of the National Institute of Standards and Technology, the Director of the National Security Agency, the head of any relevant sector-specific agency, the National Cybersecurity Advisory Council, State and local governments, and any private entities the Director determines appropriate, shall establish a program to promote, and provide technical assistance authorized under section 242(f)(1)(S) relating to the implementation of, best practices and related standards and guidelines for securing the national information infrastructure, including the costs and benefits associated with the implementation of the best practices and related standards and guidelines.CommentsClose CommentsPermalink





‘(b) Analysis and Improvement of Standards and Guidelines- For purposes of the program established under subsection (a), the Director shall--CommentsClose CommentsPermalink





‘(1) regularly assess and evaluate cybersecurity standards and guidelines issued by private sector organizations, recognized international and domestic standards setting organizations, and Federal agencies; andCommentsClose CommentsPermalink





‘(2) in coordination with the National Institute of Standards and Technology, encourage the development of, and recommend changes to, the standards and guidelines described in paragraph (1) for securing the national information infrastructure.CommentsClose CommentsPermalink





‘(c) Guidance and Technical Assistance-CommentsClose CommentsPermalink





‘(1) IN GENERAL- The Director shall promote best practices and related standards and guidelines to assist owners and operators of national information infrastructure in increasing the security of the national information infrastructure and protecting against and mitigating or remediating known vulnerabilities.CommentsClose CommentsPermalink





‘(2) REQUIREMENT- Technical assistance provided under section 242(f)(1)(S) and best practices promoted under this section shall be prioritized based on risk.CommentsClose CommentsPermalink





‘(d) Criteria- In promoting best practices or recommending changes to standards and guidelines under this section, the Director shall ensure that best practices, and related standards and guidelines--CommentsClose CommentsPermalink





‘(1) address cybersecurity in a comprehensive, risk-based manner;CommentsClose CommentsPermalink





‘(2) include consideration of the cost of implementing such best practices or of implementing recommended changes to standards and guidelines;CommentsClose CommentsPermalink





‘(3) increase the ability of the owners or operators of national information infrastructure to protect against and mitigate or remediate known vulnerabilities;CommentsClose CommentsPermalink





‘(4) are suitable, as appropriate, for implementation by small business concerns;CommentsClose CommentsPermalink





‘(5) as necessary and appropriate, are sector specific;CommentsClose CommentsPermalink





‘(6) to the maximum extent possible, incorporate standards and guidelines established by private sector organizations, recognized international and domestic standards setting organizations, and Federal agencies; andCommentsClose CommentsPermalink





‘(7) provide sufficient flexibility to permit a range of security solutions.CommentsClose CommentsPermalink

‘SEC. 248. CYBER VULNERABILITIES TO COVERED CRITICAL INFRASTRUCTURE.

‘(a) Identification of Cyber Vulnerabilities-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Based on the risk-based assessments conducted under section 242(f)(1)(T)(i), the Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, and in consultation with the National Cybersecurity Advisory Council and any private sector entity determined appropriate by the Director, shall, on a continuous and sector-by-sector basis, identify and evaluate the cyber vulnerabilities to covered critical infrastructure.CommentsClose CommentsPermalink





‘(2) FACTORS TO BE CONSIDERED- In identifying and evaluating cyber vulnerabilities under paragraph (1), the Director shall consider--CommentsClose CommentsPermalink





‘(A) the perceived threat, including a consideration of adversary capabilities and intent, preparedness, target attractiveness, and deterrence capabilities;CommentsClose CommentsPermalink





‘(B) the potential extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption of the reliable operation of covered critical infrastructure;CommentsClose CommentsPermalink





‘(C) the threat to or potential impact on national security caused by a disruption of the reliable operation of covered critical infrastructure;CommentsClose CommentsPermalink





‘(D) the extent to which the disruption of the reliable operation of covered critical infrastructure will disrupt the reliable operation of other covered critical infrastructure;CommentsClose CommentsPermalink





‘(E) the potential for harm to the economy that would result from a disruption of the reliable operation of covered critical infrastructure; andCommentsClose CommentsPermalink





‘(F) other risk-based security factors that the Director, in consultation with the head of the sector-specific agency with responsibility for the covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, determine to be appropriate and necessary to protect public health and safety, critical infrastructure, or national and economic security.CommentsClose CommentsPermalink





‘(3) REPORT-CommentsClose CommentsPermalink





‘(A) IN GENERAL- Not later than 180 days after the date of enactment of this subtitle, and annually thereafter, the Director, in coordination with the head of the sector-specific agency with responsibility for the covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall submit to the appropriate committees of Congress a report on the findings of the identification and evaluation of cyber vulnerabilities under this subsection. Each report submitted under this paragraph shall be submitted in an unclassified form, but may include a classified annex.CommentsClose CommentsPermalink





‘(B) INPUT- For purposes of the reports required under subparagraph (A), the Director shall create a process under which owners and operators of covered critical infrastructure may provide input on the findings of the reports.CommentsClose CommentsPermalink





‘(b) Risk-Based Performance Requirements-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Not later than 270 days after the date of the enactment of this subtitle, in coordination with the heads of the sector-specific agencies with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, and in consultation with the National Cybersecurity Advisory Council and any private sector entity determined appropriate by the Director, the Director shall issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber vulnerabilities through the adoption of security measures that satisfy the security performance requirements identified by the Director.CommentsClose CommentsPermalink





‘(2) PROCEDURES- The regulations issued under this subsection shall--CommentsClose CommentsPermalink





‘(A) include a process under which owners and operators of covered critical infrastructure are informed of identified cyber vulnerabilities and security performance requirements designed to remediate or mitigate the cyber vulnerabilities, in combination with best practices recommended under section 247;CommentsClose CommentsPermalink





‘(B) establish a process for owners and operators of covered critical infrastructure to select security measures, including any best practices recommended under section 247, that, in combination, satisfy the security performance requirements established by the Director under this subsection;CommentsClose CommentsPermalink





‘(C) establish a process for owners and operators of covered critical infrastructure to develop response plans for a national cyber emergency declared under section 249; andCommentsClose CommentsPermalink





‘(D) establish a process by which the Director--CommentsClose CommentsPermalink





‘(i) is notified of the security measures selected by the owner or operator of covered critical infrastructure under subparagraph (B); andCommentsClose CommentsPermalink





‘(ii) may determine whether the proposed security measures satisfy the security performance requirements established by the Director under this subsection.CommentsClose CommentsPermalink





‘(3) INTERNATIONAL COOPERATION ON SECURING COVERED CRITICAL INFRASTRUCTURE-CommentsClose CommentsPermalink





‘(A) IN GENERAL- The Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall--CommentsClose CommentsPermalink





‘(i) consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of covered critical infrastructure that is located outside the United States and the government of the country in which the covered critical infrastructure is located of any cyber vulnerabilities to the covered critical infrastructure; andCommentsClose CommentsPermalink





‘(ii) coordinate with the government of the country in which the covered critical infrastructure is located and, as appropriate, the owner or operator of the covered critical infrastructure, regarding the implementation of security measures or other measures to the covered critical infrastructure to mitigate or remediate cyber vulnerabilities.CommentsClose CommentsPermalink





‘(B) INTERNATIONAL AGREEMENTS- The Director shall carry out the this paragraph in a manner consistent with applicable international agreements.CommentsClose CommentsPermalink





‘(4) RISK-BASED SECURITY PERFORMANCE REQUIREMENTS-CommentsClose CommentsPermalink





‘(A) IN GENERAL- The security performance requirements established by the Director under this subsection shall be--CommentsClose CommentsPermalink





‘(i) based on the factors listed in subsection (a)(2); andCommentsClose CommentsPermalink





‘(ii) designed to remediate or mitigate identified cyber vulnerabilities and any associated consequences of an exploitation based on such vulnerabilities.CommentsClose CommentsPermalink





‘(B) CONSULTATION- In establishing security performance requirements under this subsection, the Director shall, to the maximum extent practicable, consult with--CommentsClose CommentsPermalink





‘(i) the Director of the National Security Agency;CommentsClose CommentsPermalink





‘(ii) the Director of the National Institute of Standards and Technology;CommentsClose CommentsPermalink





‘(iii) the National Cybersecurity Advisory Council;CommentsClose CommentsPermalink





‘(iv) the heads of sector-specific agencies; andCommentsClose CommentsPermalink





‘(v) the heads of Federal agencies that are not a sector-specific agency with responsibilities for regulating the covered critical infrastructure.CommentsClose CommentsPermalink





‘(C) ALTERNATIVE MEASURES-CommentsClose CommentsPermalink





‘(i) IN GENERAL- The owners and operators of covered critical infrastructure shall have flexibility to implement any security measure, or combination thereof, to satisfy the security performance requirements described in subparagraph (A) and the Director may not disapprove under this section any proposed security measures, or combination thereof, based on the presence or absence of any particular security measure if the proposed security measures, or combination thereof, satisfy the security performance requirements established by the Director under this section.CommentsClose CommentsPermalink





‘(ii) RECOMMENDED SECURITY MEASURES- The Director may recommend to an owner and operator of covered critical infrastructure a specific security measure, or combination thereof, that will satisfy the security performance requirements established by the Director. The absence of the recommended security measures, or combination thereof, may not serve as the basis for a disapproval of the security measure, or combination thereof, proposed by the owner or operator of covered critical infrastructure if the proposed security measure, or combination thereof, otherwise satisfies the security performance requirements established by the Director under this section.CommentsClose CommentsPermalink

‘SEC. 249. NATIONAL CYBER EMERGENCIES.

‘(a) Declaration-CommentsClose CommentsPermalink





‘(1) IN GENERAL- The President may issue a declaration of a national cyber emergency to covered critical infrastructure. Any declaration under this section shall specify the covered critical infrastructure subject to the national cyber emergency.CommentsClose CommentsPermalink





‘(2) NOTIFICATION- Upon issuing a declaration under paragraph (1), the President shall, consistent with the protection of intelligence sources and methods, notify the owners and operators of the specified covered critical infrastructure of the nature of the national cyber emergency.CommentsClose CommentsPermalink





‘(3) AUTHORITIES- If the President issues a declaration under paragraph (1), the Director shall--CommentsClose CommentsPermalink





‘(A) immediately direct the owners and operators of covered critical infrastructure subject to the declaration under paragraph (1) to implement response plans required under section 248(b)(2)(C);CommentsClose CommentsPermalink





‘(B) develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure;CommentsClose CommentsPermalink





‘(C) ensure that emergency measures or actions directed under this section represent the least disruptive means feasible to the operations of the covered critical infrastructure;CommentsClose CommentsPermalink





‘(D) subject to subsection (f), direct actions by other Federal agencies to respond to the national cyber emergency;CommentsClose CommentsPermalink





‘(E) coordinate with officials of State and local governments, international partners of the United States, and private owners and operators of covered critical infrastructure specified in the declaration to respond to the national cyber emergency;CommentsClose CommentsPermalink





‘(F) initiate a process under section 248 to address the cyber vulnerability that may be exploited by the national cyber emergency; andCommentsClose CommentsPermalink





‘(G) provide voluntary technical assistance, if requested, under section 242(f)(1)(S).CommentsClose CommentsPermalink





‘(4) REIMBURSEMENT- A Federal agency shall be reimbursed for expenditures under this section from funds appropriated for the purposes of this section. Any funds received by a Federal agency as reimbursement for services or supplies furnished under the authority of this section shall be deposited to the credit of the appropriation or appropriations available on the date of the deposit for the services or supplies.CommentsClose CommentsPermalink





‘(5) CONSULTATION- In carrying out this section, the Director shall consult with the Secretary, the Secretary of Defense, the Director of the National Security Agency, the Director of the National Institute of Standards and Technology, and any other official, as directed by the President.CommentsClose CommentsPermalink





‘(6) PRIVACY- In carrying out this section, the Director shall ensure that the privacy and civil liberties of United States persons are protected.CommentsClose CommentsPermalink





‘(b) Discontinuance of Emergency Measures-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Any emergency measure or action developed under this section shall cease to have effect not later than 30 days after the date on which the President issued the declaration of a national cyber emergency, unless--CommentsClose CommentsPermalink





‘(A) the Director affirms in writing that the emergency measure or action remains necessary to address the identified national cyber emergency; andCommentsClose CommentsPermalink





‘(B) the President issues a written order or directive reaffirming the national cyber emergency, the continuing nature of the national cyber emergency, or the need to continue the adoption of the emergency measure or action.CommentsClose CommentsPermalink





‘(2) EXTENSIONS- An emergency measure or action extended in accordance with paragraph (1) may--CommentsClose CommentsPermalink





‘(A) remain in effect for not more than 30 days after the date on which the emergency measure or action was to cease to have effect; andCommentsClose CommentsPermalink





‘(B) be extended for additional 30-day periods, if the requirements of paragraph (1) and subsection (d) are met.CommentsClose CommentsPermalink





‘(c) Compliance With Emergency Measures-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Subject to paragraph (2), the owner or operator of covered critical infrastructure shall immediately comply with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2).CommentsClose CommentsPermalink





‘(2) ALTERNATIVE MEASURES- If the Director determines that a proposed security measure, or any combination thereof, submitted by the owner or operator of covered critical infrastructure in accordance with the process established under section 248(b)(2) addresses the cyber vulnerability associated with the national cyber emergency that is the subject of the declaration under this section, the owner or operator may comply with paragraph (1) of this subsection by implementing the proposed security measure, or combination thereof, approved by the Director under the process established under section 248. Before submission of a proposed security measure, or combination thereof, and during the pendency of any review by the Director under the process established under section 248, the owner or operator of covered critical infrastructure shall remain in compliance with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2), until such time as the Director has approved an alternative proposed security measure, or combination thereof, under this paragraph.CommentsClose CommentsPermalink





‘(3) INTERNATIONAL COOPERATION ON NATIONAL CYBER EMERGENCIES-CommentsClose CommentsPermalink





‘(A) IN GENERAL- The Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall--CommentsClose CommentsPermalink





‘(i) consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of covered critical infrastructure that is located outside of the United States and the government of the country in which the covered critical infrastructure is located of any national cyber emergency affecting the covered critical infrastructure; andCommentsClose CommentsPermalink





‘(ii) coordinate with the government of the country in which the covered critical infrastructure is located and, as appropriate, the owner or operator of the covered critical infrastructure, regarding the implementation of emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of the covered critical infrastructure.CommentsClose CommentsPermalink





‘(B) INTERNATIONAL AGREEMENTS- The Director shall carry out this paragraph in a manner consistent with applicable international agreements.CommentsClose CommentsPermalink





‘(4) LIMITATION ON COMPLIANCE AUTHORITY- The authority to direct compliance with an emergency measure or action under this section shall not authorize the Director, the Center, the Department, or any other Federal entity to compel the disclosure of information or conduct surveillance unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other provision of law.CommentsClose CommentsPermalink





‘(d) Reporting-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Except as provided in paragraph (2), the President shall ensure that any declaration under subsection (a)(1) or any extension under subsection (b)(2) is reported to the appropriate committees of Congress before the Director mandates any emergency measure or actions under subsection (a)(3).CommentsClose CommentsPermalink





‘(2) EXCEPTION- If notice cannot be given under paragraph (1) before mandating any emergency measure or actions under subsection (a)(3), the President shall provide the report required under paragraph (1) as soon as possible, along with a statement of the reasons for not providing notice in accordance with paragraph (1).CommentsClose CommentsPermalink





‘(3) CONTENTS- Each report under this subsection shall describe--CommentsClose CommentsPermalink





‘(A) the nature of the national cyber emergency;CommentsClose CommentsPermalink





‘(B) the reasons that risk-based security requirements under section 248 are not sufficient to address the national cyber emergency; andCommentsClose CommentsPermalink





‘(C) the actions necessary to preserve the reliable operation and mitigate the consequences of the potential disruption of covered critical infrastructure.CommentsClose CommentsPermalink





‘(e) Statutory Defenses and Civil Liability Limitations for Compliance With Emergency Measures-CommentsClose CommentsPermalink





‘(1) DEFINITIONS- In this subsection--CommentsClose CommentsPermalink





‘(A) the term ‘covered civil action’--CommentsClose CommentsPermalink





‘(i) means a civil action filed in a Federal or State court against a covered entity; andCommentsClose CommentsPermalink





‘(ii) does not include an action brought under section 2520 or 2707 of title 18, United States Code, or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1810 and 1828);CommentsClose CommentsPermalink





‘(B) the term ‘covered entity’ means any entity that owns or operates covered critical infrastructure, including any owner, operator, officer, employee, agent, landlord, custodian, or other person acting for or on behalf of that entity with respect to the covered critical infrastructure; andCommentsClose CommentsPermalink





‘(C) the term ‘noneconomic damages’ means damages for losses for physical and emotional pain, suffering, inconvenience, physical impairment, mental anguish, disfigurement, loss of enjoyment of life, loss of society and companionship, loss of consortium, hedonic damages, injury to reputation, and any other nonpecuniary losses.CommentsClose CommentsPermalink





‘(2) APPLICATION OF LIMITATIONS ON CIVIL LIABILITY- The limitations on civil liability under paragraph (3) apply if--CommentsClose CommentsPermalink





‘(A) the President has issued a declaration of national cyber emergency under subsection (a)(1);CommentsClose CommentsPermalink





‘(B) the Director has--CommentsClose CommentsPermalink





‘(i) issued emergency measures or actions for which compliance is required under subsection (c)(1); orCommentsClose CommentsPermalink





‘(ii) approved security measures under subsection (c)(2);CommentsClose CommentsPermalink





‘(C) the covered entity is in compliance with--CommentsClose CommentsPermalink





‘(i) the emergency measures or actions required under subsection (c)(1); orCommentsClose CommentsPermalink





‘(ii) security measures which the Director has approved under subsection (c)(2); andCommentsClose CommentsPermalink





‘(D)(i) the Director certifies to the court in which the covered civil action is pending that the actions taken by the covered entity during the period covered by the declaration under subsection (a)(1) were consistent with--CommentsClose CommentsPermalink





‘(I) emergency measures or actions for which compliance is required under subsection (c)(1); orCommentsClose CommentsPermalink





‘(II) security measures which the Director has approved under subsection (c)(2); orCommentsClose CommentsPermalink





‘(ii) notwithstanding the lack of a certification, the covered entity demonstrates by a preponderance of the evidence that the actions taken during the period covered by the declaration under subsection (a)(1) are consistent with the implementation of--CommentsClose CommentsPermalink





‘(I) emergency measures or actions for which compliance is required under subsection (c)(1); orCommentsClose CommentsPermalink





‘(II) security measures which the Director has approved under subsection (c)(2).CommentsClose CommentsPermalink





‘(3) LIMITATIONS ON CIVIL LIABILITY- In any covered civil action that is related to any incident associated with a cyber vulnerability covered by a declaration of a national cyber emergency and for which Director has issued emergency measures or actions for which compliance is required under subsection (c)(1) or for which the Director has approved security measures under subsection (c)(2), or that is the direct consequence of actions taken in good faith for the purpose of implementing security measures or actions which the Director has approved under subsection (c)(2)--CommentsClose CommentsPermalink





‘(A) the covered entity shall not be liable for any punitive damages intended to punish or deter, exemplary damages, or other damages not intended to compensate a plaintiff for actual losses; andCommentsClose CommentsPermalink





‘(B) noneconomic damages may be awarded against a defendant only in an amount directly proportional to the percentage of responsibility of such defendant for the harm to the plaintiff, and no plaintiff may recover noneconomic damages unless the plaintiff suffered physical harm.CommentsClose CommentsPermalink





‘(4) CIVIL ACTIONS ARISING OUT OF IMPLEMENTATION OF EMERGENCY MEASURES OR ACTIONS- A covered civil action may not be maintained against a covered entity that is the direct consequence of actions taken in good faith for the purpose of implementing specific emergency measures or actions for which compliance is required under subsection (c)(1), if--CommentsClose CommentsPermalink





‘(A) the President has issued a declaration of national cyber emergency under subsection (a)(1) and the action was taken during the period covered by that declaration;CommentsClose CommentsPermalink





‘(B) the Director has issued emergency measures or actions for which compliance is required under subsection (c)(1);CommentsClose CommentsPermalink





‘(C) the covered entity is in compliance with the emergency measures required under subsection (c)(1); andCommentsClose CommentsPermalink





‘(D)(i) the Director certifies to the court in which the covered civil action is pending that the actions taken by the entity during the period covered by the declaration under subsection (a)(1) were consistent with the implementation of emergency measures or actions for which compliance is required under subsection (c)(1); orCommentsClose CommentsPermalink





‘(ii) notwithstanding the lack of a certification, the entity demonstrates by a preponderance of the evidence that the actions taken during the period covered by the declaration under subsection (a)(1) are consistent with the implementation of emergency measures or actions for which compliance is required under subsection (c)(1).CommentsClose CommentsPermalink





‘(5) CERTAIN ACTIONS NOT SUBJECT TO LIMITATIONS ON LIABILITY-CommentsClose CommentsPermalink





‘(A) ADDITIONAL OR INTERVENING ACTS- Paragraphs (2) through (4) shall not apply to a civil action relating to any additional or intervening acts or omissions by any covered entity.CommentsClose CommentsPermalink





‘(B) SERIOUS OR SUBSTANTIAL DAMAGE- Paragraph (4) shall not apply to any civil action brought by an individual--CommentsClose CommentsPermalink





‘(i) whose recovery is otherwise precluded by application of paragraph (4); andCommentsClose CommentsPermalink





‘(ii) who has suffered--CommentsClose CommentsPermalink





‘(I) serious physical injury or death; orCommentsClose CommentsPermalink





‘(II) substantial damage or destruction to his primary residence.CommentsClose CommentsPermalink





‘(C) RULE OF CONSTRUCTION- Recovery available under subparagraph (B) shall be limited to those damages available under subparagraphs (A) and (B) of paragraph (3), except that neither reasonable and necessary medical benefits nor lifetime total benefits for lost employment income due to permanent and total disability shall be limited herein.CommentsClose CommentsPermalink





‘(D) INDEMNIFICATION- In any civil action brought under subparagraph (B), the United States shall defend and indemnify any covered entity. Any covered entity defended and indemnified under this subparagraph shall fully cooperate with the United States in the defense by the United States in any proceeding and shall be reimbursed the reasonable costs associated with such cooperation.CommentsClose CommentsPermalink





‘(f) Rule of Construction- Nothing in this section shall be construed to--CommentsClose CommentsPermalink





‘(1) alter or supersede the authority of the Secretary of Defense, the Attorney General, or the Director of National Intelligence in responding to a national cyber emergency; orCommentsClose CommentsPermalink





‘(2) limit the authority of the Director under section 248, after a declaration issued under this section expires.CommentsClose CommentsPermalink

‘SEC. 250. ENFORCEMENT.

‘(a) Annual Certification of Compliance-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Not later than 6 months after the date on which the Director promulgates regulations under section 248(b), and every year thereafter, each owner or operator of covered critical infrastructure shall certify in writing to the Director whether the owner or operator has developed and implemented, or is implementing, security measures approved by the Director under section 248 and any applicable emergency measures or actions required under section 249 for any cyber vulnerabilities and national cyber emergencies.CommentsClose CommentsPermalink





‘(2) FAILURE TO COMPLY- If an owner or operator of covered critical infrastructure fails to submit a certification in accordance with paragraph (1), or if the certification indicates the owner or operator is not in compliance, the Director may issue an order requiring the owner or operator to submit proposed security measures under section 248 or comply with specific emergency measures or actions under section 249.CommentsClose CommentsPermalink





‘(b) Risk-Based Evaluations-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Consistent with the factors described in paragraph (3), the Director may perform an evaluation of the information infrastructure of any specific system or asset constituting covered critical infrastructure to assess the validity of a certification of compliance submitted under subsection (a)(1).CommentsClose CommentsPermalink





‘(2) DOCUMENT REVIEW AND INSPECTION- An evaluation performed under paragraph (1) may include--CommentsClose CommentsPermalink





‘(A) a review of all documentation submitted to justify an annual certification of compliance submitted under subsection (a)(1); andCommentsClose CommentsPermalink





‘(B) a physical or electronic inspection of relevant information infrastructure to which the security measures required under section 248 or the emergency measures or actions required under section 249 apply.CommentsClose CommentsPermalink





‘(3) EVALUATION SELECTION FACTORS- In determining whether sufficient risk exists to justify an evaluation under this subsection, the Director shall consider--CommentsClose CommentsPermalink





‘(A) the specific cyber vulnerabilities affecting or potentially affecting the information infrastructure of the specific system or asset constituting covered critical infrastructure;CommentsClose CommentsPermalink





‘(B) any reliable intelligence or other information indicating a cyber vulnerability or credible national cyber emergency to the information infrastructure of the specific system or asset constituting covered critical infrastructure;CommentsClose CommentsPermalink





‘(C) actual knowledge or reasonable suspicion that the certification of compliance submitted by a specific owner or operator of covered critical infrastructure is false or otherwise inaccurate;CommentsClose CommentsPermalink





‘(D) a request by a specific owner or operator of covered critical infrastructure for such an evaluation; andCommentsClose CommentsPermalink





‘(E) such other risk-based factors as identified by the Director.CommentsClose CommentsPermalink





‘(4) SECTOR-SPECIFIC AGENCIES- To carry out the risk-based evaluation authorized under this subsection, the Director may use the resources of a sector-specific agency with responsibility for the covered critical infrastructure or any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure with the concurrence of the head of the agency.CommentsClose CommentsPermalink





‘(5) INFORMATION PROTECTION- Information provided to the Director during the course of an evaluation under this subsection shall be protected from disclosure in accordance with section 251.CommentsClose CommentsPermalink





‘(c) Civil Penalties-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Any person who violates section 248 or 249 shall be liable for a civil penalty.CommentsClose CommentsPermalink





‘(2) NO PRIVATE RIGHT OF ACTION- Nothing in this section confers upon any person, except the Director, a right of action against an owner or operator of covered critical infrastructure to enforce any provision of this subtitle.CommentsClose CommentsPermalink





‘(d) Limitation on Civil Liability-CommentsClose CommentsPermalink





‘(1) DEFINITION- In this subsection--CommentsClose CommentsPermalink





‘(A) the term ‘covered civil action’--CommentsClose CommentsPermalink





‘(i) means a civil action filed in a Federal or State court against a covered entity; andCommentsClose CommentsPermalink





‘(ii) does not include an action brought under section 2520 or 2707 of title 18, United States Code, or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1810 and 1828);CommentsClose CommentsPermalink





‘(B) the term ‘covered entity’ means any entity that owns or operates covered critical infrastructure, including any owner, operator, officer, employee, agent, landlord, custodian, or other person acting for or on behalf of that entity with respect to the covered critical infrastructure; andCommentsClose CommentsPermalink





‘(C) the term ‘noneconomic damages’ means damages for losses for physical and emotional pain, suffering, inconvenience, physical impairment, mental anguish, disfigurement, loss of enjoyment of life, loss of society and companionship, loss of consortium, hedonic damages, injury to reputation, and any other nonpecuniary losses.CommentsClose CommentsPermalink





‘(2) LIMITATIONS ON CIVIL LIABILITY- If a covered entity experiences an incident related to a cyber vulnerability identified under section 248(a), in any covered civil action for damages directly caused by the incident related to that cyber vulnerability--CommentsClose CommentsPermalink





‘(A) the covered entity shall not be liable for any punitive damages intended to punish or deter, exemplary damages, or other damages not intended to compensate a plaintiff for actual losses; andCommentsClose CommentsPermalink





‘(B) noneconomic damages may be awarded against a defendant only in an amount directly proportional to the percentage of responsibility of such defendant for the harm to the plaintiff, and no plaintiff may recover noneconomic damages unless the plaintiff suffered physical harm.CommentsClose CommentsPermalink





‘(3) APPLICATION- This subsection shall apply to claims made by any individual or nongovernmental entity, including claims made by a State or local government agency on behalf of such individuals or nongovernmental entities, against a covered entity--CommentsClose CommentsPermalink





‘(A) whose proposed security measures, or combination thereof, satisfy the security performance requirements established under subsection 248(b) and have been approved by the Director;CommentsClose CommentsPermalink





‘(B) that has been evaluated under subsection (b) and has been found by the Director to have implemented the proposed security measures approved under section 248; andCommentsClose CommentsPermalink





‘(C) that is in actual compliance with the approved security measures at the time of the incident related to that cyber vulnerability.CommentsClose CommentsPermalink





‘(4) LIMITATION- This subsection shall only apply to harm directly caused by the incident related to the cyber vulnerability and shall not apply to damages caused by any additional or intervening acts or omissions by the covered entity.CommentsClose CommentsPermalink





‘(5) RULE OF CONSTRUCTION- Except as provided under paragraph (3), nothing in this subsection shall be construed to abrogate or limit any right, remedy, or authority that the Federal Government or any State or local government, or any entity or agency thereof, may possess under any law, or that any individual is authorized by law to bring on behalf of the government.CommentsClose CommentsPermalink





‘(e) Report to Congress- The Director shall submit an annual report to the appropriate committees of Congress on the implementation and enforcement of the risk-based performance requirements of covered critical infrastructure under subsection 248(b) and this section including--CommentsClose CommentsPermalink





‘(1) the level of compliance of covered critical infrastructure with the risk-based security performance requirements issued under section 248(b);CommentsClose CommentsPermalink





‘(2) how frequently the evaluation authority under subsection (b) was utilized and a summary of the aggregate results of the evaluations; andCommentsClose CommentsPermalink





‘(3) any civil penalties imposed on covered critical infrastructure.CommentsClose CommentsPermalink

‘SEC. 251. PROTECTION OF INFORMATION.

‘(a) Definition- In this section, the term ‘covered information’--CommentsClose CommentsPermalink





‘(1) means--CommentsClose CommentsPermalink





‘(A) any information required to be submitted under sections 246, 248, and 249 to the Center by the owners and operators of covered critical infrastructure; andCommentsClose CommentsPermalink





‘(B) any information submitted to the Center under the processes and procedures established under section 246 by State and local governments, private entities, and international partners of the United States regarding threats, vulnerabilities, and incidents affecting--CommentsClose CommentsPermalink





‘(i) the Federal information infrastructure;CommentsClose CommentsPermalink





‘(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; orCommentsClose CommentsPermalink





‘(iii) the national information infrastructure; andCommentsClose CommentsPermalink





‘(2) shall not include any information described under paragraph (1), if that information is submitted to--CommentsClose CommentsPermalink





‘(A) conceal violations of law, inefficiency, or administrative error;CommentsClose CommentsPermalink





‘(B) prevent embarrassment to a person, organization, or agency; orCommentsClose CommentsPermalink





‘(C) interfere with competition in the private sector.CommentsClose CommentsPermalink





‘(b) Voluntarily Shared Critical Infrastructure Information- Covered information submitted in accordance with this section shall be treated as voluntarily shared critical infrastructure information under section 214, except that the requirement of section 214 that the information be voluntarily submitted, including the requirement for an express statement, shall not be required for submissions of covered information.CommentsClose CommentsPermalink





‘(c) Guidelines-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Subject to paragraph (2), the Director shall develop and issue guidelines, in consultation with the Secretary, Attorney General, and the National Cybersecurity Advisory Council, as necessary to implement this section.CommentsClose CommentsPermalink





‘(2) REQUIREMENTS- The guidelines developed under this section shall--CommentsClose CommentsPermalink





‘(A) consistent with section 214(e)(2)(D) and (g) and the guidelines developed under section 246(b)(3), include provisions for information sharing among Federal, State, and local and officials, private entities, or international partners of the United States necessary to carry out the authorities and responsibilities of the Director;CommentsClose CommentsPermalink





‘(B) be consistent, to the maximum extent possible, with policy guidance and implementation standards developed by the National Archives and Records Administration for controlled unclassified information, including with respect to marking, safeguarding, dissemination and dispute resolution; andCommentsClose CommentsPermalink





‘(C) describe, with as much detail as possible, the categories and type of information entities should voluntarily submit under subsections (b) and (c)(1)(B) of section 246.CommentsClose CommentsPermalink





‘(d) Process for Reporting Security Problems-CommentsClose CommentsPermalink





‘(1) ESTABLISHMENT OF PROCESS- The Director shall establish through regulation, and provide information to the public regarding, a process by which any person may submit a report to the Secretary regarding cybersecurity threats, vulnerabilities, and incidents affecting--CommentsClose CommentsPermalink





‘(A) the Federal information infrastructure;CommentsClose CommentsPermalink





‘(B) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; orCommentsClose CommentsPermalink





‘(C) national information infrastructure.CommentsClose CommentsPermalink





‘(2) ACKNOWLEDGMENT OF RECEIPT- If a report submitted under paragraph (1) identifies the person making the report, the Director shall respond promptly to such person and acknowledge receipt of the report.CommentsClose CommentsPermalink





‘(3) STEPS TO ADDRESS PROBLEM- The Director shall review and consider the information provided in any report submitted under paragraph (1) and, at the sole, unreviewable discretion of the Director, determine what, if any, steps are necessary or appropriate to address any problems or deficiencies identified.CommentsClose CommentsPermalink





‘(4) DISCLOSURE OF IDENTITY-CommentsClose CommentsPermalink





‘(A) IN GENERAL- Except as provided in subparagraph (B), or with the written consent of the person, the Secretary may not disclose the identity of a person who has provided information described in paragraph (1).CommentsClose CommentsPermalink





‘(B) REFERRAL TO THE ATTORNEY GENERAL- The Secretary shall disclose to the Attorney General the identity of a person described under subparagraph (A) if the matter is referred to the Attorney General for enforcement. The Director shall provide reasonable advance notice to the affected person if disclosure of that person’s identity is to occur, unless such notice would risk compromising a criminal or civil enforcement investigation or proceeding.CommentsClose CommentsPermalink





‘(e) Rules of Construction- Nothing in this section shall be construed to--CommentsClose CommentsPermalink





‘(1) limit or otherwise affect the right, ability, duty, or obligation of any entity to use or disclose any information of that entity, including in the conduct of any judicial or other proceeding;CommentsClose CommentsPermalink





‘(2) prevent the classification of information submitted under this section if that information meets the standards for classification under Executive Order 12958 or any successor of that order;CommentsClose CommentsPermalink





‘(3) limit the right of an individual to make any disclosure--CommentsClose CommentsPermalink





‘(A) protected or authorized under section 2302(b)(8) or 7211 of title 5, United States Code;CommentsClose CommentsPermalink





‘(B) to an appropriate official of information that the individual reasonably believes evidences a violation of any law, rule, or regulation, gross mismanagement, or substantial and specific danger to public health, safety, or security, and that is protected under any Federal or State law (other than those referenced in subparagraph (A)) that shields the disclosing individual against retaliation or discrimination for having made the disclosure if such disclosure is not specifically prohibited by law and if such information is not specifically required by Executive order to be kept secret in the interest of national defense or the conduct of foreign affairs; orCommentsClose CommentsPermalink





‘(C) to the Special Counsel, the inspector general of an agency, or any other employee designated by the head of an agency to receive similar disclosures;CommentsClose CommentsPermalink





‘(4) prevent the Director from using information required to be submitted under sections 246, 248, or 249 for enforcement of this subtitle, including enforcement proceedings subject to appropriate safeguards;CommentsClose CommentsPermalink





‘(5) authorize information to be withheld from Congress, the Government Accountability Office, or Inspector General of the Department; orCommentsClose CommentsPermalink





‘(6) create a private right of action for enforcement of any provision of this section.CommentsClose CommentsPermalink





‘(f) Audit-CommentsClose CommentsPermalink





‘(1) IN GENERAL- Not later than 1 year after the date of enactment of the Protecting Cyberspace as a National Asset Act of 2010, the Inspector General of the Department shall conduct an audit of the management of information submitted under subsection (b) and report the findings to appropriate committees of Congress.CommentsClose CommentsPermalink





‘(2) CONTENTS- The audit under paragraph (1) shall include assessments of--CommentsClose CommentsPermalink





‘(A) whether the information is adequately safeguarded against inappropriate disclosure;CommentsClose CommentsPermalink





‘(B) the processes for marking and disseminating the information and resolving any disputes;CommentsClose CommentsPermalink





‘(C) how the information is used for the purposes of this section, and whether that use is effective;CommentsClose CommentsPermalink





‘(D) whether information sharing has been effective to fulfill the purposes of this section;CommentsClose CommentsPermalink





‘(E) whether the kinds of information submitted have been appropriate and useful, or overbroad or overnarrow;CommentsClose CommentsPermalink





‘(F) whether the information protections allow for adequate accountability and transparency of the regulatory, enforcement, and other aspects of implementing this subtitle; andCommentsClose CommentsPermalink





‘(G) any other factors at the discretion of the Inspector General.CommentsClose CommentsPermalink

‘SEC. 252. SECTOR-SPECIFIC AGENCIES.

‘(a) In General- The head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating covered critical infrastructure shall coordinate with the Director on any activities of the sector-specific agency or Federal agency that relate to the efforts of the agency regarding security or resiliency of the national information infrastructure, including critical infrastructure and covered critical infrastructure, within or under the supervision of the agency.CommentsClose CommentsPermalink





‘(b) Duplicative Reporting Requirements- The head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating covered critical infrastructure shall coordinate with the Director to eliminate and avoid the creation of duplicate reporting or compliance requirements relating to the security or resiliency of the national information infrastructure, including critical infrastructure and covered critical infrastructure, within or under the supervision of the agency.CommentsClose CommentsPermalink





‘(c) Requirements-CommentsClose CommentsPermalink





‘(1) IN GENERAL- To the extent that the head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating covered critical infrastructure has the authority to establish regulations, rules, or requirements or other required actions that are applicable to the security of national information infrastructure, including critical infrastructure and covered critical infrastructure, the head of that agency shall--CommentsClose CommentsPermalink





‘(A) notify the Director in a timely fashion of the intent to establish the regulations, rules, requirements, or other required actions;CommentsClose CommentsPermalink





‘(B) coordinate with the Director to ensure that the regulations, rules, requirements, or other required actions are consistent with, and do not conflict or impede, the activities of the Director under sections 247, 248, and 249; andCommentsClose CommentsPermalink





‘(C) in coordination with the Director, ensure that the regulations, rules, requirements, or other required actions are implemented, as they relate to covered critical infrastructure, in accordance with subsection (a).CommentsClose CommentsPermalink





‘(2) COORDINATION- Coordination under paragraph (1)(B) shall include the active participation of the Director in the process for developing regulations, rules, requirements, or other required actions.CommentsClose CommentsPermalink





‘(3) RULE OF CONSTRUCTION- Nothing in this section shall be construed to provide additional authority for any sector-specific agency or any Federal agency that is not a sector-specific agency with responsibilities for regulating national information infrastructure, including critical infrastructure or covered critical infrastructure, to establish standards or other measures that are applicable to the security of national information infrastructure not otherwise authorized by law.CommentsClose CommentsPermalink