H.R.174 - Homeland Security Cyber and Physical Infrastructure Protection Act of 2011
HR 174 IH

112th CONGRESS

1st Session

H. R. 174

To enhance homeland security, including domestic preparedness and collective response to terrorism, by amending the Homeland Security Act of 2002 to establish the Cybersecurity Compliance Division and provide authorities to the Department of Homeland Security to enhance the security and resiliency of the Nation’s cyber and physical infrastructure against terrorism and other cyber attacks, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

January 5, 2011

Mr. THOMPSON of Mississippi introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committee on Oversight and Government Reform, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To enhance homeland security, including domestic preparedness and collective response to terrorism, by amending the Homeland Security Act of 2002 to establish the Cybersecurity Compliance Division and provide authorities to the Department of Homeland Security to enhance the security and resiliency of the Nation’s cyber and physical infrastructure against terrorism and other cyber attacks, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the ‘Homeland Security Cyber and Physical Infrastructure Protection Act of 2011’.

SEC. 2. OFFICE OF CYBERSECURITY AND COMMUNICATIONS AND CYBERSECURITY COMPLIANCE DIVISION.
(a) In General- Subtitle C of title II of the Homeland Security Act of 2002 (

‘SEC. 221. DEFINITIONS.
‘In this subtitle:
‘(1) COMMON CRITERIA FOR INFORMATION TECHNOLOGY SECURITY EVALUATION- The term ‘common criteria for information technology security evaluation’ means the international standard for computer security codified in the International Organization for Standardization and the International Electrotechnical Commission standard 15408 (ISO/IEC 15408).
‘(2) COVERED CRITICAL INFRASTRUCTURE- The term ‘covered critical infrastructure’ means systems and assets designated by the Director under section 224(e).
‘(3) CYBER INCIDENT- The term ‘cyber incident’ means an occurrence that jeopardizes the security of data or the physical security of a computer network owned or operated by a Federal agency or covered critical infrastructure.
‘(4) FIRST-PARTY REGULATORY AGENCY- The term ‘first-party regulatory agency’ means a Federal agency that is not a sector-specific agency but that has primary regulatory authority for a specific critical infrastructure sector or sub-sector.
‘(5) SECTOR-SPECIFIC AGENCY- The term ‘sector-specific agency’ means the agency that, as of the date of enactment of this section, is designated under Homeland Security Presidential Directive 7 as the lead Federal agency responsible for securing a specific critical infrastructure sector.
‘SEC. 222. OFFICE OF CYBERSECURITY AND COMMUNICATIONS.
‘(a) Establishment-
‘(1) IN GENERAL- There shall be in the Department an Office of Cybersecurity and Communications.
‘(2) ASSISTANT SECRETARY FOR CYBERSECURITY AND COMMUNICATIONS- The Assistant Secretary for Cybersecurity and Communications shall be the head of the Office.
‘(3) COMPONENTS- The Office shall include--
‘(A) the United States Computer Emergency Readiness Team, as in effect on the date of enactment of this section;
‘(B) the Cybersecurity Compliance Division established by subsection (b); and
‘(C) other components of the Department that have primary responsibilities for emergency or national communications or cybersecurity.
‘(b) Cybersecurity Compliance Division-
‘(1) IN GENERAL- There is established in the Office of Cybersecurity and Communications a Cybersecurity Compliance Division.
‘(2) DIRECTOR- The Cybersecurity Compliance Division shall be headed by a Director, who shall be appointed by the Secretary or the Secretary’s designee from among individuals who possess--
‘(A) demonstrated knowledge and ability in cybersecurity, information technology, infrastructure protection, and the operation, security, and resilience of communications networks;
‘(B) significant executive leadership, regulatory, and management experience in the public or private sector; and
‘(C) other skills or attributes the Secretary considers necessary.
‘(3) DUTIES AND RESPONSIBILITIES- The Director--
‘(A) shall issue risk-based, performance-based regulations, after notice and comment, in accordance with section 224;
‘(B) shall serve as the first-party regulatory agency to enforce regulations under section 224 for computer networks and assets in critical infrastructure sectors for which the Office of Cybersecurity and Communications or any of its components is the designated sector-specific agency;
‘(C) may require a first-party regulatory agency or sector-specific agency to coordinate with the Director to--
‘(i) develop and publish, for covered critical infrastructure sectors or subsectors, risk-based and performance-based regulations after notice and comment in accordance with paragraph (1), with any appropriate modifications, as identified by the Director, necessary for application to a specific critical infrastructure sector or subsector; and
‘(ii) enforce the regulations promulgated under paragraph (1); and
‘(D) may delegate part or all of the responsibilities and authorities for securing private sector networks under this section to an appropriate first-party regulatory agency or sector-specific agency, which shall report to the Director all activities it carries out pursuant to such delegation.
‘(4) RESOURCES- There is authorized to be appropriated such sums as may be necessary for the operations of the Cybersecurity Compliance Division for each of fiscal years 2012, 2013, and 2014.
‘SEC. 223. DEPARTMENT RESPONSIBILITIES AND AUTHORITIES FOR SECURING FEDERAL GOVERNMENT NETWORKS.
‘(a) In General- The Secretary, acting through the Assistant Secretary for Cybersecurity and Communications or the Director of the Cybersecurity Compliance Division pursuant to subparagraphs (B), (C), and (D) of subsection (b)(2), shall establish and enforce cybersecurity requirements for civilian nonmilitary and nonintelligence community Federal systems to prevent, deter, prepare for, detect, report, attribute, mitigate, respond to, and recover from cyber attacks and other cyber incidents.
‘(b) Interagency Working Group-
‘(1) IN GENERAL- The Assistant Secretary for Cybersecurity and Communications shall establish and chair an interagency working group that shall include, at a minimum, representation of all chief information officers from all Federal civilian agencies, the Director of the Cybersecurity Compliance Division, the Assistant Secretary for Infrastructure Protection, and the White House Cybersecurity Coordinator. The Assistant Secretary shall invite the Secretary of Defense, the Director of the National Security Agency, and the Director of National Intelligence to participate as nonvoting representatives for purposes of advising the interagency working group.
‘(2) FUNCTIONS- The interagency working group shall--
‘(A) meet at the call of the Chair;
‘(B) develop and adopt risk-based, performance-based cybersecurity requirements for civilian Federal agency computer networks and federally owned critical infrastructure;
‘(C) develop and adopt a range of remedies, including penalties, for noncompliance with the requirements adopted under paragraph (2), each agency having one vote;
‘(D) develop recommended budgets for security of the civilian nonmilitary and non-intelligence community Federal agency computer networks; and
‘(E) propose updates, as necessary, for the Common Criteria for Information Technology Security Evaluation as part of a supply chain risk management strategy designed to ensure the security and resilience of the Federal information infrastructure, including protection against unauthorized access to, alteration of information in, disruption of operations of, interruption of communications or services of, and insertion of malicious software, engineering vulnerabilities, or otherwise corrupting software, hardware, services, or products intended for use in Federal information infrastructure.
‘(3) ADOPTION BY VOTE- Adoption of requirements and remedies under subparagraphs (B) and (C) of paragraph (2) shall be by a majority vote of the members of the interagency working group, in which each agency with a voting representative on the interagency working group has one vote.
‘(c) Codification of Agreements- All measures adopted under subsection (b) shall be submitted by the Secretary to the Office of Management and Budget for establishment in a binding Governmentwide memo or circular.
‘(d) Enforcement of Cybersecurity Requirements for Federal Government Networks- The Assistant Secretary, acting through the Director of the Cybersecurity Compliance Division, may enforce all requirements adopted under subsection (b)(2)(B).
‘(e) Certifications, Audits, and Inspections- The Director of the Cybersecurity Compliance Division, in carrying out the Assistant Secretary for Cybersecurity and Communications’ enforcement authority under subsection (d), shall require a certification of compliance from the head of each civilian Federal agency that is subject to the requirements under subsection (b)(2)(B), and may conduct announced or unannounced audits and inspections of any network owned, operated, or used by a Federal civilian agency.
‘(f) Enforcement- If a certification, audit, or inspection carried out under subsection (e) shows noncompliance with a requirement under subsection (b)(2)(B), the Assistant Secretary, acting through the Director of the Cybersecurity Compliance Division, may identify the appropriate remedies, including penalties, under subsection (b)(2)(C).
‘(g) Execution of Penalties by OMB- The Director of the Office of Management and Budget shall execute each remedy identified by the Director of the Cybersecurity Compliance Division under subsection (f) on behalf of the Assistant Secretary.
‘(h) Reporting of Cyber Incidents on Federal Networks- The requirements under subsection (b)(2)(B) shall include a requirement that all Federal entities report any cyber incidents on their computer networks to the Director and to the United States Computer Emergency Readiness Team.
‘(i) Responding to Cyber Incidents on Federal Networks- If an incident is reported under subsection (h), the United States Computer Emergency Readiness Team shall, in coordination with the reporting agency, research the incident to determine and report to the Director and the reporting agency--
‘(1) the extent of any compromise;
‘(2) an identification of any attackers, including any affiliations with terrorists, terrorist organizations, criminal organizations, state entities, and nonstate entities;
‘(3) the method of penetration;
‘(4) ramifications of any such compromise on future operations;
‘(5) secondary ramifications of any such compromise on other Federal or non-Federal networks;
‘(6) ramifications of any such compromise on national security, including war fighting capability; and
‘(7) recommended mitigation activities.
‘SEC. 224. DEPARTMENT RESPONSIBILITIES AND AUTHORITIES FOR SECURING PRIVATE SECTOR NETWORKS.
‘(a) Findings- Congress finds that--
‘(1) pursuant to Homeland Security Presidential Directive 7 the Department established public-private partnerships including Government Coordinating Councils (GCCs) and Sector Coordinating Councils (SCCs) to aid in the task of protecting the Nation’s critical infrastructures;
‘(2) as part of this structure, each critical infrastructure sector has a designated sector-specific agency;
‘(3) the designated sector-specific agency for the Information Technology sector is the Office of Cybersecurity and Communications, and the designated sector-specific agency for the communications sector is the National Communications System, which resides within the Office of Cybersecurity and Communications;
‘(4) if cybersecurity regulations are necessary, the Department, consistent with the entire GCC/SCC structure, as the sector-specific agency, will be the regulator for cybersecurity requirements within the information technology and communications sectors; and
‘(5) in other critical infrastructure sectors, enforcement of cybersecurity regulations should be accomplished through appropriate first-party regulatory agencies or sector-specific agencies.
‘(b) General Authority- The Secretary, acting through the Director, may establish and enforce risk-based cybersecurity requirements for private sector computer networks within covered critical infrastructures.
‘(c) Risk-Based Cybersecurity Requirements for Critical Infrastructure-
‘(1) IN GENERAL- The Director shall promulgate risk-based, performance-based cybersecurity requirements for covered critical infrastructures, that are designed to prevent, deter, prepare for, detect, report, attribute, mitigate, respond to and recover from cyber incidents.
‘(2) RISK FACTORS- The requirements shall be based on the risk factors of threats, vulnerabilities, and consequences, as follows:
‘(A) THREATS- The requirements shall be based on terrorist or other known adversary capabilities and intent, or the likelihood of a potential terrorist or other adversary attacking or causing a cyber incident against critical infrastructure, as identified by the Secretary in consultation with the Director of National Intelligence, including--
‘(i) theft, modification, compromise, damage, or destruction of data or databases;
‘(ii) physical compromise, damage, or destruction of covered critical infrastructures; and
‘(iii) national, corporate, or personal espionage.
‘(3) VULNERABILITIES- The requirements shall require security measures based on--
‘(A) preparedness;
‘(B) target attractiveness; and
‘(C) deterrence capabilities.
‘(4) CONSEQUENCES- The requirements shall require security measures based on--
‘(A) the potential extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption of the reliable operation of covered critical infrastructure;
‘(B) the threat to or potential impact on national security caused by a disruption of the reliable operation of covered critical infrastructure;
‘(C) the extent to which the disruption of the reliable operation of covered critical infrastructure will disrupt the reliable operation of other covered critical infrastructure;
‘(D) the potential for harm to the economy that would result from a disruption of the reliable operation of covered critical infrastructure; and
‘(E) other risk-based security factors that the Director, in consultation with the head of the sector-specific agency that is the first-party regulatory agency with responsibility for the covered critical infrastructure concerned, determines to be appropriate and necessary to protect public health and safety, critical infrastructure, national security, or economic security.
‘(d) Consultation- In establishing security performance requirements under subsection (c), the Director shall, to the maximum extent practicable, consult with--
‘(1) the Assistant Secretary for Infrastructure Protection of the Department;
‘(2) the Officer for Civil Rights and Civil Liberties of the Department;
‘(3) the Chief Privacy Officer of the Department;
‘(4) the Under Secretary for Intelligence and Analysis;
‘(5) the Director of National Intelligence;
‘(6) the Director of the National Security Agency;
‘(7) the Director of the National Institute of Standards and Technology;
‘(8) the heads of sector-specific agencies;
‘(9) the heads of first-party regulatory agencies;
‘(10) private sector companies or industry groups, including but not limited to members of appropriate sector coordinating councils;
‘(11) State, local, and tribal agency representatives;
‘(12) academic institutions and think tanks;
‘(13) private sector, government, and nonprofit entities that specialize in privacy and civil liberties; and
‘(14) the White House Cybersecurity Coordinator.
‘(e) Covered Critical Infrastructures-
‘(1) DESIGNATION- The Director shall--
‘(A) determine, in consultation with the heads of sector-specific agencies and the heads of first-party regulatory agencies, which systems or assets of critical infrastructure shall be subject to the requirements of this section and designate them as covered critical infrastructures for purposes of this section;
‘(B) notify each first-party regulatory agency or sector-specific agency of each such determination; and
‘(C) acting through the corresponding first-party regulatory agency or sector-specific agency, notify owners or operators of covered critical infrastructure sectors of the requirements of this subtitle.
‘(2) REQUIREMENTS- A system or asset may not be designated as covered critical infrastructure under paragraph (1) unless--
‘(A) the system or asset meets the requirements for inclusion on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2);
‘(B) the system or asset is a component of the national information infrastructure or the national information infrastructure is essential to the reliable operation of the system or asset; or
‘(C) the destruction or the disruption of the reliable operation of the system or asset would cause a national or regional catastrophe.
‘(3) FACTORS TO BE CONSIDERED- In designating systems or assets under this section, the Director shall consider cyber risks and consequences by sector, including--
‘(A) the factors listed in subsection (c);
‘(B) known cyber incidents or cyber risks identified by existing risk assessments;
‘(C) interdependencies between components of covered critical infrastructure; and
‘(D) the potential for the destruction or disruption of the system or asset to cause--
‘(i) a mass casualty event with an extraordinary number of fatalities;
‘(ii) severe economic consequences;
‘(iii) mass evacuations with a prolonged absence; or
‘(iv) severe degradation of national security capabilities, including intelligence and defense functions.
‘(4) RECONSIDERATION- Prior to a final designation of a system or asset of critical infrastructure under this subsection, the Director shall provide the owner or operator of the system or asset an opportunity to appeal the determination made under paragraph (1)(A).
‘(f) Cybersecurity Plans- The Director shall require entities determined under subsection (e) to be covered critical infrastructures to comply with the requirements under subsection (c) and to submit to the first-party regulatory agency or sector-specific agency a proposed cybersecurity plan to satisfy the security performance requirements described in subsection (c) on a timeline determined by the Director.
‘(g) Cybersecurity Plan Review- Upon submission of the plan, the first-party regulatory agency or sector-specific agency shall, based on guidance provided by the Director--
‘(1) review cybersecurity plans submitted pursuant to subsection (f);
‘(2) approve or disapprove each cybersecurity plan;
‘(3) notify the submitter of the cybersecurity plan of approval or disapproval;
‘(4) in the case of disapproval, provide a clear explanation of the reasons for disapproval, possible changes that would result in approval, and provide a timetable for resubmission for compliance; and
‘(5) inform the Director of any approvals or disapprovals.
‘(h) Implementation of Cybersecurity Plans-
‘(1) IN GENERAL- The owners and operators of covered critical infrastructure shall have flexibility in their cybersecurity plans to implement any cybersecurity measure, or combination thereof, to satisfy the cybersecurity performance requirements described in subsection (c), and the first-party regulatory agency or sector-specific agency may not disapprove under this section any proposed cybersecurity measures, or combination thereof, based on the presence or absence of any particular cybersecurity measure if the proposed cybersecurity measures, or combination thereof, satisfy the cybersecurity performance requirements established by the Director under subsection (c).
‘(2) RECOMMENDED CYBERSECURITY MEASURES- The Assistant Secretary for Cybersecurity and Communications may, at the request of an owner or operator of covered critical infrastructure, recommend a specific cybersecurity measure, or combination thereof, that will satisfy the cybersecurity performance requirements established by the Director. The absence of the recommended security measures, or combination thereof, may not serve as the basis for a disapproval of the security measure, or combination thereof, proposed by the owner or operator of covered critical infrastructure if the proposed security measure, or combination thereof, otherwise satisfies the security performance requirements established by the Director under subsection (c).
‘(i) Enforcement Certifications, Audits and Inspections- The sector-specific agency or first-party regulatory agency, in enforcing the requirements under subsection (c), shall require an entity with a cybersecurity plan approved under subsection (g) to certify that the cybersecurity plan has been implemented, and may conduct announced or unannounced audits and inspections of any such entity to determine compliance.
‘(j) Reporting of Cyber Incidents on Covered Critical Infrastructure Networks- The requirements under subsection (c) shall include a requirement that each covered critical infrastructure entity report any cyber incidents on its networks to the first-party regulatory agency for the entity or to the sector-specific agency for the entity (if there is no first-party regulatory agency), and to US-CERT.
‘(k) Responding to Cyber Incidents on Private Networks- If an incident is reported under subsection (j), the United States Computer Emergency Readiness Team may, at the invitation of and in coordination with the reporting entity, investigate the incident to determine and report to the Director and the reporting entity--
‘(1) the extent of any compromise;
‘(2) an identification of any attackers, including any affiliations with terrorists, terrorist organizations, state entities, and nonstate entities;
‘(3) the method of penetration;
‘(4) ramifications of any such compromise on future operations;
‘(5) secondary ramifications of any such compromise on other Federal or non-Federal networks;
‘(6) ramifications of any such compromise on national security, including war fighting capability; and
‘(7) recommended mitigation activities.
‘(l) SAFETY Act Incentives- The Director may recommend SAFETY Act designation and certification to entities determined under subsections (g) and (i) to be in compliance with the requirements of this section.
‘(m) Penalties- In the case of noncompliance with the requirements of this section the Director may recommend rescission or suspension of SAFETY Act designation and certification during the period of noncompliance, and may levy civil penalties, not to exceed $100,000 per day, for each instance of noncompliance.’.
(b) Deadlines- The Cybersecurity Compliance Division of the Department of Homeland Security shall--
(1) not later than six months after the date of enactment of this Act, publish a notice of proposed rulemaking for regulations required under section 224 of the Homeland Security Act of 2002, as amended by this section; and
(2) not later than one year after the date of enactment of this Act, promulgate final regulations required under such section.
(c) Rule of Construction- Nothing in this section shall be construed to provide authority to any sector-specific agency or first-party regulatory agency to establish standards or other measures outside of the requirements of this Act except as required by this Act and the amendments made by this Act.
(d) Clerical Amendment- The table of contents in section 1(b) of such Act is amended by striking the items relating to sections 221 through 225 and inserting the following:
‘Sec. 221. Definitions.
‘Sec. 222. Office of Cybersecurity and Communications.
‘Sec. 223. Department responsibilities and authorities for securing Federal Government networks.
‘Sec. 224. Department responsibilities and authorities for securing private sector networks.
‘Sec. 225. Procedures for sharing information.
‘Sec. 226. Privacy Officer.
‘Sec. 227. Enhancement of non-Federal cybersecurity.
‘Sec. 228. Net guard.
‘Sec. 229. Cyber Security Enhancement Act of 2002.’.
SEC. 3. INFORMATION SHARING.
The Assistant Secretary for Cybersecurity and Communications of the Department of Homeland Security, in coordination with the Assistant Secretary for Infrastructure Protection of the Department of Homeland Security, shall, to the maximum extent possible, consistent with rules for the handling of classified information, share relevant information regarding cybersecurity threats and vulnerabilities, and any proposed actions to mitigate them, with all Federal agencies, appropriate State, local, or tribal authority representatives, and all covered critical infrastructure owners and operators, including by expediting necessary security clearances for designated points of contact for critical infrastructures.

SEC. 4. INFORMATION PROTECTION.
The Assistant Secretary for Cybersecurity and Communications of the Department of Homeland Security shall designate, as appropriate, information received from Federal agencies pursuant to the requirements enacted by section 2 (including the amendments made by such section), information received from covered critical infrastructure owners and operators pursuant to such section, and information provided to Federal agencies or covered critical infrastructure owners and operators pursuant to this section as sensitive security information and shall require and enforce sensitive security information requirements for handling, storage, and dissemination of any such information.

SEC. 5. CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) In General- The Under Secretary for Science and Technology of the Department of Homeland Security shall support research, development, testing, evaluation, and transition of cybersecurity technology, including fundamental, long-term research to improve the ability of the United States to prevent, protect against, detect, respond to, and recover from acts of terrorism and cyber attacks, with an emphasis on research and development relevant to large-scale, high-impact attacks.

(b) Activities- The research and development supported under subsection (a) shall include work to--

(1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the domain name system and routing protocols;

(2) improve and create technologies for detecting attacks or intrusions, including real-time monitoring and real-time analytic technologies;

(3) improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks, and development of resilient networks and systems that degrade gracefully;

(4) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, test beds, and data sets for assessment of new cybersecurity technologies;

(5) assist the development and support of technologies to reduce vulnerabilities in process control systems;

(6) develop and support cyber forensics and attack attribution; and

(7) test, evaluate, and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle.

(c) Coordination- In carrying out this section, the Under Secretary shall coordinate activities with--

(1) the Under Secretary for National Protection and Programs, the Assistant Secretary for Cybersecurity and Communications, and the Assistant Secretary for Infrastructure Protection of the Department of Homeland Security; and

(2) the heads of other relevant Federal departments and agencies, including the National Science Foundation, the Defense Advanced Research Projects Agency, the Information Assurance Directorate of the National Security Agency, the National Institute of Standards and Technology, the Department of Commerce, and other appropriate working groups established by the President to identify unmet needs and cooperatively support activities, as appropriate.

SEC. 6. CYBER WORKFORCE RECRUITMENT, DEVELOPMENT, AND RETENTION.
(a) Workforce Plan- Not later than 180 days after the date of enactment of this Act and in every subsequent year, the Assistant Secretary for Cybersecurity and Communications of the Department of Homeland Security shall develop a strategic cybersecurity workforce plan as part of the Federal agency performance plan required under

(1) a description of the Department's cybersecurity mission; and

(2) a description and analysis, relating to the specialized workforce needed by the Department to fulfill the Federal agency's cybersecurity mission, including--

(A) the cybersecurity workforce needs of the Department on the date of the report, and near-, mid-, and long-term projections of workforce needs;

(B) hiring projections to meet cybersecurity workforce needs, including, for at least a 2-year period, specific occupation and grade levels;

(C) long-term and short-term strategic goals to address critical skills deficiencies, including analysis of the numbers of and reasons for attrition of employees;

(D) recruitment strategies to attract highly qualified candidates from diverse backgrounds and geographic locations;

(E) an assessment of the sources and availability of individuals with needed expertise;

(F) ways to streamline the hiring process;

(G) the barriers to recruiting and hiring individuals qualified in cybersecurity and recommendations to overcome the barriers; and

(H) a training and development plan to enhance and improve the knowledge of employees.

(b) Training-

(1) FEDERAL GOVERNMENT EMPLOYEES AND FEDERAL CONTRACTORS- The Assistant Secretary for Cybersecurity and Communications shall establish a cybersecurity awareness and education curriculum that shall be required for all Federal employees and contractors engaged in the design, development, or operation of civilian Federal agency computer networks.

(2) CONTENTS- The curriculum established under paragraph (1) may include--

(A) role-based security awareness training;

(B) recommended cybersecurity practices;

(C) cybersecurity recommendations for traveling abroad;

(D) unclassified counterintelligence information;

(E) information regarding industrial espionage;

(F) information regarding malicious activity online;

(G) information regarding cybersecurity and law enforcement;

(H) identity management information;

(I) information regarding supply chain security;

(J) information security risks associated with the activities of Federal employees; and

(K) the responsibilities of Federal employees in complying with policies and procedures designed to reduce information security risks identified under subparagraph (J).

(c) Education Opportunities- The Assistant Secretary for Cybersecurity and Communications shall develop and implement a strategy to provide Federal employees who work in cybersecurity-related areas with the opportunity to obtain additional education.

(d) Direct Hire Authority- Without regard to the civil service laws (other than sections 3303 and 3328 of title 5, United States Code), the Secretary, acting through the Assistant Secretary for Cybersecurity and Communications, in consultation with the Under Secretary for Management, may appoint not more than 500 employees under this subsection to carry out the requirements of this Act at a rate of pay that may not exceed the maximum rate of basic pay payable under

(e) Retention Bonuses- Notwithstanding

U.S. Congress - Text of H.R.174 as Introduced in House Homeland Security Cyber and Physical Infrastructure Protection Act of 2011