H.R.3674 - Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2012
To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.
| Version | Word Count | Changes From Previous Version | Percent Change |
|---|---|---|---|
| Introduced in House | 7,746 | n/a | n/a |
| Reported in House | 6,526 | 252 | 87% |
Key: ~~changed or removed text~~ *inserted or modified text*

HR 3674 IH 112th CONGRESS

Union Calendar No. 501

112th CONGRESS

2d Session

H. R. 3674

[Report No. 112-592, Part I]

To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

December 15, 2011

Mr. DANIEL E. LUNGREN of California (for himself, Mr. KING of New York, Mr. MCCAUL, Mr. BILIRAKIS, Mrs. MILLER of Michigan, Mr. WALBERG, Mr. MARINO, Mr. LONG, Mr. TURNER of New York, Mr. STIVERS, and Mr. LANGEVIN) introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committees on Oversight and Government Reform, Science, Space, and Technology, the Judiciary, and Select Intelligence (Permanent Select), for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

July 11, 2012

Reported from the Committee on Homeland Security with an amendment

[Strike out all after the enacting clause and insert the part printed in italic]

July 11, 2012

The Committees on Oversight and Government Reform, Science, Space, and Technology, the Judiciary, and the Permanent Select Committee on Intelligence discharged; referred to the Committee on Energy and Commerce for a period ending not later than September 21, 2012, for consideration of such provisions of the bill and amendment as fall within the jurisdiction of that committee pursuant to clause 1(f) of rule X.

September 21, 2012

Additional sponsor: Mr. MEEHAN

September 21, 2012

Deleted sponsor: Mr. LANGEVIN (added December 15, 2011; deleted April 25, 2012)

September 21, 2012

The Committee on Energy and Commerce discharged; committed to the Committee of the Whole House on the State of the Union and ordered to be printed

[For text of introduced bill, see copy of bill as introduced on December 15, 2011]

A BILL

To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the ‘Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of ~~2011~~*2012*’ or the ‘PRECISE Act of ~~2011~~*2012*’.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY ACTIVITIES.
‘(a) In General- Subtitle C of title II of the Homeland Security Act of 2002 is amended by adding at the end the following new sections:

‘SEC. 226. ~~NATIONAL CYBERSECURITY AUTHORITY~~*DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY ACTIVITIES*.
‘(a) In General- ~~To protect Federal systems and critical infrastructure information systems and to prepare the Nation to respond to, recover from, and mitigate against acts of terrorism and other incidents involving such systems and infrastructure, the Secretary shall--~~*The Secretary shall perform necessary activities to help facilitate the protection of Federal systems and, solely upon the request of critical infrastructure owners and operators, assist such critical infrastructure owners and operators in protecting their critical infrastructure information systems to include--*
~~‘(1) develop and conduct risk assessments for Federal systems and, upon request and, subject to the availability of resources, critical infrastructure information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments and penetration testing, or other comprehensive assessments techniques;~~
*‘(1) conduct risk assessments for Federal systems and, solely upon request from critical infrastructure owners and operators, critical infrastructure information systems;*
‘(2) ~~foster and~~ assist in fostering the development, in conjunction with ~~other governmental entities~~*the National Institute of Standards and Technology and other Federal departments and agencies* and the private sector, of essential information security technologies and capabilities for protecting Federal systems and critical infrastructure information systems, including comprehensive protective capabilities and other technological solutions;
~~‘(3) acquire, integrate, and facilitate the adoption of new cybersecurity technologies and practices in a technologically and vendor-neutral manner to keep pace with emerging terrorist and other cybersecurity threats and developments, including through research and development, technical service agreements, and making such technologies available to governmental and private entities that own or operate critical infrastructure information systems, as necessary to accomplish the purpose of this section;~~
~~‘(4) maintain the capability to serve as a focal point with the Federal Government for cybersecurity, responsible for--~~
~~‘(A) the coordination of the protection of Federal systems and critical infrastructure information systems;~~
~~‘(B) the coordination of national cyber incident response;~~
~~‘(C) facilitating information sharing, interactions, and collaborations among and between Federal agencies, State and local governments, the private sector, academia, and international partners;~~
~~‘(D) working with appropriate Federal agencies, State and local governments, the private sector, academia, and international partners to prevent and respond to terrorist and other cybersecurity threats and incidents involving Federal systems and critical infrastructure information systems pursuant to the national cyber incident response plan and supporting plans developed in accordance with paragraph (8);~~
~~‘(E) the dissemination of timely and actionable terrorist and other cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of Federal systems and critical infrastructure information systems;~~
~~‘(F) the integration of information from Federal Government and non-federal network operation centers and security operations centers;~~
~~‘(G) the compilation and analysis of information about risks and incidents regarding terrorism or other causes that threaten Federal systems and critical infrastructure information systems;~~
~~‘(H) the provision of incident prediction, detection, analysis, mitigation, and response information and remote or on-site technical assistance to heads of Federal agencies and, upon request, governmental and private entities that own or operate critical infrastructure; and~~
~~‘(I) acting as the Federal Government representative with the organization or organizations designated under section 241;~~
~~‘(5) assist in national efforts to mitigate communications and information technology supply chain vulnerabilities to enhance the security and the resiliency of Federal systems and critical infrastructure information systems;~~
*‘(3) assist in efforts to mitigate communications and information technology supply chain vulnerabilities to enhance the security and the resiliency of Federal systems and critical infrastructure information systems;*
~~‘(6) develop and lead a nationwide awareness and outreach effort to educate the public about--~~
~~‘(A) the importance of cybersecurity and cyber ethics;~~
~~‘(B) ways to promote cybersecurity best practices at home and in the workplace; and~~
~~‘(C) training opportunities to support the development of an effective national cybersecurity workforce and educational paths to cybersecurity professions;~~
~~‘(7) establish, in coordination with the Director of the National Institute of Standards and Technology and the heads of other appropriate agencies, benchmarks and guidelines for making critical infrastructure information systems more secure at a fundamental level, including through automation, interoperability, and privacy-enhancing authentication;~~
~~‘(8) develop a national cybersecurity incident response plan and supporting cyber incident response and restoration plans, in consultation with the heads of other relevant Federal agencies, owners and operators of critical infrastructure, sector coordinating councils, State and local governments, and relevant non-governmental organizations and based on applicable law that describe the specific roles and responsibilities of governmental and private entities during cyber incidents to ensure essential government operations continue;~~
*‘(4) support nationwide awareness and outreach efforts, to include participation in appropriate interagency cybersecurity awareness and education programs, to educate the public;*
~~‘(9) develop and conduct exercises, simulations, and other activities designed to support the national response to terrorism and other cybersecurity threats and incidents and evaluate the national cyber incident response plan and supporting plans developed in accordance with paragraph (8);~~
*‘(5) conduct exercises, simulations, and other activities designed to support the national response to terrorism and other cybersecurity threats and incidents; and*
~~‘(10) ensure that the technology and tools used to accomplish the requirements of this section are scientifically and operationally validated; and~~
~~‘(11) take such other lawful action as may be necessary and appropriate to accomplish the requirements of this section.~~
*‘(6) subject to the availability of resources and, upon request of critical infrastructure owners and operators, provide technical assistance, including sending on-site teams, to such critical infrastructure owners and operators.*
*‘(b) Interagency Duties- At the direction of the Office of Management and Budget pursuant to subchapter II of chapter 35 of title 44, United States Code, the Secretary shall--*
*‘(1) conduct targeted risk assessments and operational evaluations, in conjunction with the heads of other agencies, for Federal systems that may include threat, vulnerability, and impact assessments and penetration testing;*
*‘(2) in conjunction with the National Institute of Standards and Technology and appropriate Federal departments and agencies, as well as the private sector, provide for the use of consolidated intrusion detection, prevention, or other protective capabilities and use associated countermeasures for the purpose of protecting Federal systems from cybersecurity threats;*
*‘(3) in conjunction with other agencies and the private sector, assess and foster the development of information security technologies and capabilities for use and dissemination throughout the Department of Homeland Security and to be made available across multiple agencies;*
*‘(4) designate an entity within the Department of Homeland Security to receive reports and information about cybersecurity incidents, threats, and vulnerabilities affecting Federal systems; and*
*‘(5) provide incident detection, analysis, mitigation, and response information and remote or on-site technical assistance for Federal systems.*
*‘(c) Cybersecurity Operational Activity-*
*‘(1) IN GENERAL- While carrying out the responsibilities authorized in paragraphs (2) and (3) of subsection (b), the Secretary is authorized, notwithstanding any other provision of law, to acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on Federal systems and to deploy countermeasures with regard to such communications and system traffic for cybersecurity purposes if the Secretary certifies that--*
*‘(A) such acquisitions, interceptions, and countermeasures are reasonably necessary for the purpose of protecting Federal systems from cybersecurity threats;*
*‘(B) the content of communications will be collected and retained only when the communication is associated with a known or reasonably suspected cybersecurity threat and communications and system traffic will not be subject to the operation of a countermeasure unless associated with such threats;*
*‘(C) information obtained pursuant to activities authorized under this subsection will only be retained, used, or disclosed to protect Federal systems from cybersecurity threats, mitigate against such threats, or, with the approval of the Attorney General, for law enforcement purposes when the information is evidence of a crime which has been, is being, or is about to be committed;*
*‘(D) notice has been provided to users of Federal systems concerning the potential for acquisition, interception, retention, use, and disclosure of communications and other system traffic; and*
*‘(E) such activities are implemented pursuant to policies and procedures governing the acquisition, interception, retention, use, and disclosure of communications and other system traffic that have been reviewed and approved by the Attorney General.*
*‘(2) OBTAINING ASSISTANCE- The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic consistent with paragraph (1).*
*‘(3) PERMISSION BY OTHER AGENCIES- Agencies are authorized to permit the Secretary, or a private entity providing assistance to the Secretary under paragraph (2), to acquire, intercept, retain, use, or disclose communications, system traffic, records, or other information transiting to or from or stored on a Federal system, notwithstanding any other provision of law, for the purpose of protecting Federal systems from cybersecurity threats or mitigating such threats in connection with activities under this subsection.*
*‘(4) PRIVILEGED COMMUNICATIONS- No otherwise privileged communication obtained in accordance with, or in violation of, this subtitle shall lose its privileged character.*
‘(~~b~~*d*) Coordination-
‘(1) COORDINATION WITH OTHER ENTITIES- In carrying out the cybersecurity activities under ~~this section~~*subsection (a)*, the Secretary shall coordinate, as appropriate, with--
‘(A) ~~the head of any relevant agency or entity~~*relevant Federal departments or agencies*;
‘(B) representatives of State and local governments;
‘(C) the private sector, including owners and operators of critical infrastructure;
‘(D) suppliers of technology for owners and operators of critical infrastructure;
‘(E) academia; and
‘(F) international organizations and foreign partners.
~~‘(2) COORDINATION OF AGENCY ACTIVITIES- The Secretary shall coordinate the activities undertaken by agencies to protect Federal systems and critical infrastructure information systems and prepare the Nation to predict, anticipate, recognize, respond to, recover from, and mitigate against risk of acts of terrorism and other incidents involving such systems and infrastructure.~~
‘(~~3~~*2*) LEAD DHS CYBERSECURITY OFFICIAL- The Secretary shall designate a lead cybersecurity official within the Department to provide leadership to the cybersecurity activities of the Department and to ensure that the Department’s cybersecurity activities under this subtitle are coordinated with all other infrastructure protection and cyber-related programs and activities of the Department, including those of any intelligence or law enforcement components or entities within the Department.
‘(~~4~~*3*) REPORTS TO CONGRESS- The lead DHS cybersecurity official shall make ~~regular~~*annual* reports to the appropriate committees of Congress on the coordination of cyber-related programs across the Department.
‘(~~c~~*e*) Strategy- In carrying out the cybersecurity ~~functions of the Department~~*activities of the Department under subsection (a)*, the Secretary shall develop and maintain a strategy that--
‘(1) articulates the actions of the Department that are necessary to assure the readiness, reliability, continuity, integrity, and resilience of Federal systems and critical infrastructure information systems;
‘(2) ~~is informed by the need to maintain economic prosperity and facilitate market leadership for the United States information~~*includes explicit goals and objectives for the Department as well as specific timeframes for achievement of stated goals and objectives by the Department*;
~~‘(3) fosters the continued superiority and reliability of the United States information technology and communications industry; and~~
*‘(3)* sectors; and
‘(4) ensures that activities of the Department are undertaken in a manner that protects statutory privacy rights and preserves civil liberties of United States persons.
~~‘(d) Access to Information- The Secretary shall ensure that the organization or organizations designated under section 241 have full and timely access to properly anonymized cyber incident information originating within the Federal civilian networks to populate the common operating picture described in section 242.~~
‘(~~e~~*f*) No Right or Benefit- The provision of assistance or information to ~~governmental or private entities that own or operate critical infrastructure information systems~~*critical infrastructure owners and operators, upon request of such critical infrastructure owners and operators,* under this section shall be at the discretion of the Secretary and subject to the availability of resources. The provision of certain assistance or information to one ~~governmental or private entity~~*critical infrastructure owner or operator* pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other ~~governmental or private entity~~*critical infrastructure owner or operator*.
‘(~~f~~*g*) Privacy Officer Oversight- The Privacy Officer of the Department of Homeland Security shall review on an ongoing basis, and prepare, as necessary, privacy impact assessments on, the cybersecurity policies, programs, and activities of the Department of Homeland Security for such purposes as ensuring compliance with all relevant constitutional and legal protections.
‘(~~g~~*h*) Savings Clause- Nothing in this subtitle shall be interpreted to--
‘(1) alter or amend the authorities of any Federal department or agency other than the Department of Homeland Security, including the law enforcement or intelligence authorities of ~~any agency.~~*such Federal department or agency or the authority of any such Federal department or agency to protect sources and methods and the national security;*
‘(2) limit or modify an existing information sharing or other relationship;
‘(3) prohibit a new information sharing or other relationship;
‘(4) require a new information sharing or other relationship between the Federal Government and a private sector entity;
‘(5) alter or otherwise limit the authority of any Federal department or agency to also undertake any activities that the Department of Homeland Security is authorized to undertake pursuant to this section; or
‘(6) provide additional authority to, or modify an existing authority of the Department of Homeland Security to control, modify, require, or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government.
‘(i) Definitions- In this section:
‘(1) The term ‘countermeasure’ means automated actions with defensive intent to modify or block data packets associated with electronic or wire communications, internet traffic, program code, or other system traffic transiting to or from or stored on an information system for the purpose of protecting the information system from cybersecurity threats.
‘(2) The term ‘Federal systems’ means all information systems owned, operated, leased, or otherwise controlled by ~~an agency~~*a Federal department or agency*, or on behalf of ~~an agency~~*a Federal department or agency*, except for national security systems or those information systems ~~under the control of the Department of Defense.~~*used by, or storing information of, the Department of Defense or any element of the Intelligence Community, including any information systems used or operated by a contractor of the Department of Defense or any element of the Intelligence Community, or other organization on behalf of the Department of Defense or any element of the Intelligence Community.*
‘(~~2~~*3*) The term ‘critical infrastructure information systems’ means any ~~physical or virtual information system that controls, processes, transmits, receives, or stores electronic information in any form, including data, voice, or video,~~*information system* that is--
‘(A) vital to the functioning of critical infrastructure as defined in section 5195c(e) of title 42, United States Code; or
‘(B) owned or operated by or on behalf of a State or local government entity that is necessary to ensure essential government operations continue.
‘SEC. 227. IDENTIFICATION OF SECTOR SPECIFIC CYBERSECURITY RISKS.
‘(a) In General- The Secretary shall, on a continuous and sector-by-sector basis, identify and evaluate cybersecurity risks to critical infrastructure. In carrying out this subsection, the Secretary shall coordinate, as appropriate, with the following:
‘(1) The head of the sector specific agency with responsibility for critical infrastructure.
‘(2) The head of any agency with responsibilities for regulating the critical infrastructure.
‘(3) The owners and operators of critical infrastructure and any private sector entity determined appropriate by the Secretary.
‘(b) Evaluation of Risks- The Secretary, in coordination with the individuals and entities referred to in subsection (a), shall evaluate the cybersecurity risks identified under subsection (a) by taking into account each of the following:
‘(1) The actual or assessed threat, including a consideration of adversary capabilities and intent, preparedness, target attractiveness, and deterrence capabilities.
‘(2) The extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption, destruction, or unauthorized use of critical infrastructure.
‘(3) The threat to national security caused by the disruption, destruction or unauthorized use of critical infrastructure.
‘(4) The harm to the economy that would result from the disruption, destruction, or unauthorized use of critical infrastructure.
‘(5) Other risk-based security factors that the Secretary, in consultation with the head of the sector specific agency with responsibility for critical infrastructure and the head of any Federal agency that is not a sector specific agency with responsibilities for regulating critical infrastructure, and in consultation with any private sector entity determined appropriate by the Secretary to protect public health and safety, critical infrastructure, or national and economic security.
‘(c) Availability of Identified Risks- The Secretary shall ensure that the risks identified and evaluated under this section for each sector and subsector are made available to the owners and operators of critical infrastructure within each sector and subsector.
‘(d) Collection of Risk-Based Performance Standards-
‘(1) REVIEW AND ESTABLISHMENT- The Secretary, in coordination with the heads of other appropriate agencies, shall review existing internationally recognized consensus-developed risk-based performance standards, including such standards developed by the National Institute of Standards and Technology, for inclusion in a common collection. Such collection shall include, for each such risk-based performance standard, an analysis of each of the following:
‘(A) How well the performance standard addresses the identified risks.
‘(B) How cost-effective the standard implementation of the performance standard can be.
‘(2) USE OF COLLECTION- The Secretary, in conjunction with the heads of other appropriate agencies, shall develop market-based incentives designed to encourage the use of the collection established under paragraph (1).
‘(3) INCLUSION IN REGULATORY REGIMES- The heads of sector specific agencies with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector specific agency with responsibilities for regulating covered critical infrastructure, in consultation with the Secretary and with any private sector entity determined appropriate by the Secretary, shall propose through notice and comment rulemaking to include the most effective and cost-efficient risk-based performance standards identified in the collection established under paragraph (1) in the regulatory regimes applicable to covered critical infrastructure.
‘(e) Mitigation of Risks- If the Secretary determines that no existing internationally-recognized risk-based performance standard mitigates a risk identified under subsection (a), the Secretary shall--
‘(1) work with owners and operators of critical infrastructure and suppliers of technology to appropriately mitigate the identified risk, including determining appropriate market-based incentives for development and implementation of the identified mitigation; and
‘(2) engage with the National Institute of Standards and Technology and appropriate international consensus bodies that develop and strengthen standards and practices to address the identified risk.
‘(f) Covered Critical Infrastructure Defined- In this section, the term ‘covered critical infrastructure‘(4) The term ‘information system’ means any facility or function that, by way of cyber vulnerability, the destruction or disruption of or unauthorized access to could result in--‘(1) a significant loss of life;
‘(2) a major economic disruption, includingequipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, and includes-- CommentsClose CommentsPermalink
‘(A) computers and computer networks; CommentsClose CommentsPermalink
‘(B) ancillary equipment; CommentsClose CommentsPermalink
‘(C) software, firmware, and related procedures; CommentsClose CommentsPermalink
‘(D) services, including support services; and CommentsClose CommentsPermalink
‘(E) related resources. CommentsClose CommentsPermalink
‘(5) The term ‘national security system’ means any information infrastructure (including any telecommunications system) used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency-- CommentsClose CommentsPermalink
‘(A) the immediate failure of, or loss of confidence in, a major financial market; or
‘(B) the sustained disruption of financial systems that would lead to long term catastrophic economic damage to the United States;
‘(3) mass evacuations of a major population center for an extended length of time; or
‘(4) severe degradation of national security or national security capabilities, including intelligence and defense functions, but excludingfunction, operation, or use of which-- CommentsClose CommentsPermalink
‘(i) involves intelligence activities or intelligence-related activities; CommentsClose CommentsPermalink
‘(ii) involves cryptologic activities related to national security; CommentsClose CommentsPermalink
‘(iii) involves command and control of military facilities.
‘(g) Redress-
‘(1) IN GENERAL- Subject to paragraphs (2) and (3), the Secretary shall develop a mechanism, consistent with subchapter II of chapter 5 of title 5, United States Code, for an owner or operator notified under subsection (f) to appeal the identification of a facility or function as covered critical infrastructure under this section.
‘(2) APPEAL TO FEDERAL COURT- A civil action seeking judicial review of a final agency action taken under the mechanism developed under paragraph (1) shall be filed in the United States District Court for the District of Columbia.
‘(3) COMPLIANCE- The owner or operator of a facility or function identified as covered critical infrastructure shall comply with any requirement of this subtitle relating to covered critical infrastructure until such time as the facility or function is no longer identified as covered critical infrastructure, based on--
‘(A) an appeal under paragraph (1);
‘(B) a determination of the Secretary unrelated to an appeal; or
‘(C) a final judgment entered in a civil action seeking judicial review brought in accordance with paragraph (2).
‘SEC. 228. INFORMATION SHARING.‘(a) Cybersecurity Information- The Secretary shall be responsible for making all cyber threat information, provided pursuant to section 202 of this title, available to appropriate owners and operators of critical infrastructure on a timely basis consistent with the responsibilities of the Secretary to provide information related to threats to critical infrastructures to the organization designated under section 241.
‘(b) Information Sharing- The Secretary shall, to the maximum extent possible, consistent with rules for the handling of classified and sensitive but unclassified information, share relevant information regarding cybersecurity threats and vulnerabilities, and any proposed actions to mitigate them, with all Federal agencies, appropriate State or local government representatives, and appropriate critical infrastructure information systems owners and operators, including by expediting necessary security clearances for designated points of contact for critical infrastructure information systems.
‘(c) Protection of Information- The Secretary shall designate, as appropriate, information received from Federal agencies and from critical infrastructure information systems owners and operators and information provided to Federal agencies or critical infrastructure information systems owners and operators pursuant to this section as sensitive security information and shall require and enforce sensitive security information requirements for handling, storage, and dissemination of any such information, including proper protections for personally identifiablorces;
‘(iv) involves equipment that is an integral part of a weapon or weapons system; or
‘(v) is critical to the direct fulfillment of military or intelligence missions;
‘(B) that contains information related to the activities and other matters set forth in subparagraph (A); or
‘(C) that is protected by procedures established for classified, national security, foreign policy, intelligence or intelligence-related, or other appropriate information.
‘SEC. 229. CYBERSECURITY RESEARCH AND DEVELOPMENT.
‘(a) In General- The Under Secretary for Science and Technology shall support research, development, testing, evaluation, and transition of cybersecurity technology, including fundamental, long-term research to improve the ability of the United States to prevent, protect against, detect, respond to, and recover from acts of terrorism and cyber attacks, with an emphasis on research and development relevant to attacks that would cause a debilitating impact on national security, national economic security, or national public health and safety.
‘(b) Activities- The research, development, testing, evaluation, and transition supported under subsection (a) shall include work to--
‘(1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the domain name system and routing protocols;
‘(2) improve, create, and advance the research and development of techniques and technologies for proactive detection and identification of threats, attacks, and acts of terrorism before they occur;
‘(3) advance technologies for detecting attacks or intrusions, including real-time monitoring and real-time analytic technologies;
‘(4) improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks and development of resilient networks and systems;
‘(5) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, test beds, and data sets for assessment of new cybersecurity technologies;
‘(6) assist in the development and support of technologies to reduce vulnerabilities in process control systems;
‘(7) develop and support cyber forensics and attack attribution;
‘(8) test, evaluate, and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle; and
‘(9) ensure new cybersecurity technologies are scientifically and operationally validated.
‘(c) Coordination- In carrying out this section, the Under Secretary shall coordinate activities with--
‘(1) the Under Secretary for National Protection and Programs Directorate; and
‘(2) the heads of other relevant Federal departments and agencies, including the National Science Foundation, the Defense Advanced Research Projects Agency, the Information Assurance Directorate of the National Security Agency, the National Institute of Standards and Technology, the Department of Commerce, academic institutions, and other appropriate working groups established by the President to identify unmet needs and cooperatively support activities, as appropriate.
‘SEC. 2307. PERSONNEL AUTHORITIES RELATED TO THE OFFICE OF CYBERSECURITY AND COMMUNICATIONS.
‘(a) In General- In order to assure that the Department has the necessary resources to carry out the mission of securing Federal systems and critical infrastructure information systemsset forth in section 226, the Secretary may, as necessary, convert competitive service positions, and the incumbents of such positions, within the Office of Cybersecurity and Communications to excepted service, or may establish new positions within the Office of Cybersecurity and Communications in the excepted service, to the extent that the Secretary determines such positions are necessary to carry out the cybersecurity functions of the Department.
‘(b) Compensation- The Secretary may--
‘(1) fix the compensation of individuals who serve in positions referred to in subsection (a) in relation to the rates of pay provided for comparable positions in the Department and subject to the same limitations on maximum rates of pay established for employees of the Department by law or regulations; and
‘(2) provide additional forms of compensation, including benefits, incentives, and allowances, that are consistent with and not in excess of the level authorized for comparable positions authorized under title 5, United States Code.
‘(c) Retention Bonuses- Notwithstanding any other provision of law, the Secretary may pay a retention bonus to any employee appointed under this section, if the Secretary determines that the bonus is needed to retain essential personnel. Before announcing the payment of a bonus under this subsection, the Secretary shall submit a written explanation of such determination to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.
‘(d) Annual Report- Not later than one year after the date of the enactment of this section, and annually thereafter, the Secretary shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senateappropriate Congressional committees a detailed report that includes, for the period covered by the report--
‘(1) a discussion of the Secretary’s use of the flexible authority authorized under this section to recruit and retain qualified employees;
‘(2) metrics on relevant personnel actions, including--
‘(A) the number of qualified employees hired by occupation and grade, level, or pay band;
‘(B) the total number of veterans hired;
‘(C) the number of separations of qualified employees;
‘(D) the number of retirements of qualified employees; and
‘(E) the number and amounts of recruitment, relocation, and retention incentives paid to qualified employees by occupation and grade, level, or pay band; and
‘(3) long-term and short-term strategic goals to address critical skills deficiencies, including an analysis of the numbers of and reasons for attrition of employees and barriers to recruiting and hiring individuals qualified in cybersecurity.
‘SEC. 228. FEDERAL PREEMPTION, EXCLUSIVITY, AND LAW ENFORCEMENT AND INTELLIGENCE ACTIVITIES.
‘(a) Preemption- This subtitle supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates the acquisition, interception, retention, use, or disclosure of communications, records, or other information by private entities or governmental entities to the extent such statute is inconsistent with this subtitle.
‘(b) Additional Exclusive Means- Section 226(c) constitutes an additional exclusive means for the domestic interception of wire or electronic communications, in accordance with the provisions of law codified at section 1812(b) of title 50, United States Code.
‘(c) Limitation- This subtitle does not authorize the Secretary to engage in law enforcement or intelligence activities that the Department is not otherwise authorized to conduct under existing law.’.
(b) Clerical Amendment- The table of contents in section 21(b) of such Act is amended by inserting after the item relating to section 225 the following new items:
‘Sec. 226. National cybersecurity authorityDepartment of Homeland Security cybersecurity activities.
‘Sec. 227. Identification of sector specific cybersecurity risks.
‘Sec. 228. Information sharing.
‘Sec. 229. Cybersecurity research and development.
‘Sec. 230. Personnel authorities related to the Office of Cybersecurity and Communications.
‘Sec. 228. Federal preemption, exclusivity, and law enforcement and intelligence activities.’.
(c) Plan for Execution of Authorities- Not later than 120 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report containing a plan for the execution of the authorities contained in the amendment made by subsection (a).
SEC. 3. NATIONALDEPARTMENT OF HOMELAND SECURITY CYBERSECURITY INFORMATION SHARING ORGANIZATION.
(a) National Information Sharing Organization.
(a) Department of Homeland Security Cybersecurity Information Sharing-

(1) IN GENERAL- Title II of the Homeland Security Act of 2002, as amended by section 2, is further amended by adding at the end the following:

‘Subtitle E--National Information Sharing OrganizationDepartment of Homeland Security Cybersecurity Information Sharing
‘SEC. 241. INFORMATION SHARING.
‘The Secretary shall make appropriate cyber threat information obtained by the Department pursuant to title XI of the National Security Act of 1947 or other information appropriately in the possession of the Department available to appropriate owners and operators of critical infrastructure on a timely basis consistent with the statutory and other appropriate restrictions on the dissemination of such information and with the responsibilities of the Secretary under this title.
‘SEC. 242. ESTABLISHMENT OF NATIONAL INFORMATION SHARING ORGANIZATIONCYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
‘(a) Establishment- There is established a not-for-profit organization for sharingwithin the Department the National Cybersecurity and Communications Integration Center.
‘(b) Purpose- The center established pursuant to subsection (a) shall be the primary entity within the Department for sharing timely cyber threat information and exchanging technical assistance, advice, and support and developing and disseminating necessary information security technology. Such organization shall be designated as the ‘National Information Sharing Organization’.
‘(b) Purpose- The National Information Sharing Organization shall serve as a national clearinghouse for the exchange of cyber threat information so that the owners and operators of networks or systems in the private sector, educational institutions, State, tribal, and local governments, entities operating critical infrastructure, and the Federal Government have access to timely and actionable information in order to protect their networks or systems as effectively as possible.
‘(c) Designation- Not later than 120 days after the date of the enactment of this subtitle, the board of directors established in section 243 shall designate the appropriate organization or organizations as the National Information Sharing Organization.
‘(d) Criteria for Designation- The board of directors shall select the organization or organizations to function as the National Information Sharing Organization by taking into consideration the following criteria and other criteria found appropriate by the board:
‘(1) Whether the organization or organizations have received recognition from the Secretary of Homeland Security for its cyber capabilities.
‘(2) Whether the organization or organizations have demonstrated the ability to address cyber-related issues in a trusted and cooperative environment maximizing public-private partnerships.
‘(3) Whether the organization or organizations have demonstrated the capability to deploy cybersecurity services for the detection, prevention, and mitigation of cyber-related issues.
‘(4) Whether the organization or organizations have an operational center that is open 24 hours a day, seven days a week, and is capable of determining, analyzing, and responding to cyber events.
‘(5) Whether the organization or organizations have a proven relationship with the private sector critical infrastructure sectors.
‘(6) Whether the organization or organizations have experience implementing privacy protections to safeguard sensitive information, including personally identifiable information, in transit and at rest.
‘SEC. 242. MISSION AND ACTIVITIES.
‘The National Information Sharing Organization shall--
‘(1) facilitate the exchange of information, best practices, technical assistance, and support related to the security of public, private, and critical infrastructure information networks, including by--
‘(A) ensuring that the information exchanged shall be stripped of all information identifying the submitter and of any unnecessary personally identifiable information and shall be available to members of the National Information Sharing Organization, including Federal, State, and local government agencies; and
‘(B) sharing timely and actionable threat and vulnerability information originating through intelligence collection with appropriately cleared members of the National Information Sharing Organization;
‘(2) create a common operating picture by combining agreed upon network and cyber threat warning information to be shared--
‘(A) through a secure automated mechanism to be determined by the board; and
‘(B) with designated members of the National Information Sharing Organization, including the Federal Government;
‘(3) undertake collaborative research and development projects to improve the level of cybersecurity in critical infrastructure information systems while maintaining impartiality, the independence of members of the National Information Sharing Organization, and vendor neutrality;
‘(4) develop language to be incorporated into the membership agreement regarding the transferability and use of intellectual property developed by the National Information Sharing Organization and its members under this subtitle; and
‘(5) integrate with the Federal Government through the National Cybersecurity and Communications Integration Center and other existing information sharing and analysis centers, as appropriatewith appropriate entities pursuant to the Department’s authorities.
‘SEC. 243. BOARD OF DIRECTADVISORS.
‘(a) In General- The National Information Sharing Organization shall have a board of directors which shall be responsible for--‘(1) the executive and administrativeCybersecurity and Communications Integration Center shall have a board of advisors which shall advise the Secretary on the efficient operation of the National Information Sharing Organization, including matters relating to funding and promotion of the National Information Sharing Organization; and‘(2) ensuring and facilitating compliance by members of the National Information Sharing Organization with the requirements of this subtitleCybersecurity and Communications Integration Center.
‘(b) Composition- The board shall be composed of the following members:
‘(1) One representative from the Department of Homeland Security.
‘(2) Four representatives from three different Federal agencies with significant responsibility for cybersecurity.
‘(3) T13 members, including the following:
‘(1) Eleven representatives from the private sector, includingcritical infrastructure sectors enumerated in the National Infrastructure Protection Plan, of which at least one member representingshall represent a small business interest and members representingat least one member shall represent each of the following critical infrastructure sectors and subsectors:
‘(A) Banking and finance.
‘(B) Communications.
‘(C) Defense industrial base.
‘(D) Energy, electricity subsector.
‘(E) Energy, oil, and natural gas subsector.
‘(F) Health care and public health.
‘(G) Information technology.
‘(4H) Water.
‘(I) Chemical.
‘(2) Two representatives from the privacy and civil liberties community.
‘(53) The Chair of the National Council of Information Sharing and Analysis Centers.
‘(c) Initial Appointment- Not later than 30 days after the date of the enactment of this subtitle, the Secretary of Homeland Security, in consultation with the heads of the sector specific agencies of the sectors and subsectors referred to in subsection (b)(3), shall appoint the members of thecritical infrastructure sectors enumerated in the National Infrastructure Protection Plan, shall appoint the members of the board described under subsection (b)(3) from individuals identified by the sector coordinating councils of sectors and subsectors referred to in subsection (b)(3).‘(d)the critical infrastructure sectors enumerated in the National Infrastructure Protection Plan.
‘(d) Terms-
‘(1) REPRESENTATIVES OF CERTAIN FEDERAL AGENCICRITICAL INFRASTRUCTURE REPRESENTATIVES- Each member of the board described in subsection (b)(1) and (b)(2) shall be appointed for a term that is not less than one year and not longer than three years from the date of the member’s appointment, as determined by the member’s sector coordinating council.
‘(2) OTHER REPRESENTATIVES- The original private sector members of the board described subsection (bEach member of the board described in subsection (b)(2) or (3) shall serve an initial term of one year from the date of appointment under subsection (c), at which time the members of the National Information Sharing Organization shall conduct elections in accordance with the procedures established under subsection (e).‘(e) Rules and Procedures- Not later than 90 days afterthat is not less than two years and not longer than three years from the date of the enactment of this Act, the board shall establish rules and procedures for the election and service of members of the board described in paragraphs (3) and (4) of subsection (b)member’s appointment, and each such member shall select the member’s successor.
‘(e) Duties- The board shall--
‘(1) meet not less frequently than quarterly;
‘(2) act as an advocate on behalf of the private sector in improving the operations of the National Cybersecurity Communications Integration Center; and
‘(3) submit to the Secretary and the appropriate committees of Congress the annual report described in section 247.
‘(f) Leadership- The board shall elect from among its members a chair and vice-chair of the board, who shall serve under such terms and conditions as the board may establish. The chair of the board may not be a Federal employeeAccess to Information- The members of the board shall, subject to the laws and procedures applicable to national security background investigations and security clearances, be provided with the appropriate security clearances and have access to appropriate information shared with the National Cybersecurity and Communications Integration Center and shall be subject to all of the limitations on the use of such information.
‘(g) Sub-Bboards- The board shall have the authority to constitute such sub-boards, or other advisory groups or panels, as may be necessary to assist the board in carrying out its functions under this section.
‘SEC. 244. CHARTER.
‘The boardSecretary shall develop a charter to govern the operations and administration of the National Information Sharing OrganizationCybersecurity and Communications Integration Center consistent with the requirements of title XI of the National Security Act of 1947. The charter shall coverinclude each of the following:
‘(1) The organizational structure of the National Information Sharing Organization.
‘(2) The governance of the National Information Sharing Organization.
‘(3)Cybersecurity and Communications Integration Center, including a delineation of the mission expectations and responsibilities of the various elements assigned to the Center.
‘(2) A mission statement of the National Information Sharing Organization.
‘(4) Criteria for membership of the National Information Sharing Organization and for termination of such membership.
‘(5Cybersecurity and Communications Integration Center.
‘(3) A funding model of the National Information Sharing Organization, including costs, if any, for membership.
‘(6) Rules for sharing information with members of the National Information Sharing Organization, including the treatment and ownership of intellectual property provided by or to the National Information Sharing Organization, limitations on liability, and consideration of any necessary measures to mitigate anti-trust concerns.
‘(7) Technical requirements for participation in the common operating picture and a technical architecture that enables an automated, real-time sharing among members and Federal Government agencies.
‘(8) Rules for participating in collaborative research and development projects.
‘(9) Protections of privacy and civil liberties to be used by the National Information Sharing Organization and its members, including appropriate measures for public transparency and oversight.
‘(10) Security requirements and member obligations for the protection of information from other sources, including private and governmental.
‘(11plan that promotes broad participation by large, medium, and small business owners and operators of networks or systems in the private sector, entities operating critical infrastructure, educational institutions, State, tribal, and local governments, and the Federal Government.
‘(4) Procedures for making anonymizedppropriate cyber incident information available to outside groups for academic research and insurance actuarial purposes.
‘SEC. 245. MEMBERSHIPPARTICIPATION.
‘Not later than 90 days after the date of the enactment of this subtitle, the board of directors of the National Information Sharing Organization shall establish criteria procedures for theSecretary shall publish the criteria and procedures for voluntary membership byparticipation and voluntary physical collocation by appropriate Federal, State and local government departments, agencies, and entities, private sector and entities, and private sector businesses and organizations, and academic institutions in the National Information Sharing Organization.
‘SEC. 246. FUNDING.
‘Annual administrative and operational expenses for the National Information Sharing Organization shall be paid by the members of such Organization, as determined by the board of directors of the Organization.
‘SEC. 247. CLASSIFIED INFORMATION.
‘SEC. 248. VOLUNTARY INFORMATION SHARING.
‘Consistent with the protection of sensitive intelligence sources and methods, the Secretary, in conjunction with the Director of National Intelligence, shall facilitate--
‘(1) the sharing of classified information in the possession of a Federal agency related to threats to information networks with cleared members of the National Information Sharing Organization, including representatives of the private sector and of public and private sector entities operating critical infrastructure; and
‘(2) the declassification and sharing of information in the possession of a Federal agency related to threats to information networks with members of the National Information Sharing Organization.
‘(a) In General-
‘(1) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider may, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity.
‘(2) PROTECTED ENTITIES- Notwithstanding any other provision of law, a protected entity may, for cybersecurity purposes--
‘(A) share cyber threat information with the National Information Sharing Organization and its membership, including the Federal Government; or
‘(B) authorize their cybersecurity provider to share on their behalf with the National Information Sharing Organization and its membership, including the Federal Government.
‘(3) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--
‘(A) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
‘(B) share such cyber threat information with the National Information Sharing Organization and its membership, including the Federal Government.
‘(b) Uses of Shared Information- Notwithstanding any other provision of law, information shared with or provided to the National Information Sharing Organization or to a Federal agency or private entity through the National Information Sharing Organization by any member of the National Information Sharing Organization that is not a Federal agency in furtherance of the mission and activities of the National Information Sharing Organization as described in section 242--
‘(1) shall be exempt from disclosure under section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act);
‘(2) shall not, without the written consent of the person or entity submitting such information, be used directly by any Federal agency, any other Federal, State, tribal, or local authority, or any third party, in any civil action arising under Federal or State law if such information is submitted to the National Information Sharing Organization for the purpose of facilitating the missions of such Organization, as articulated in the mission statement required under section 244;
‘(3) shall not, without the written consent of the person or entity submitting such information, be used or disclosed by any officer or employee of the United States for purposes other than the purposes of this title, including any regulatory purpose, except--
‘(A) to further an investigation or the prosecution of a cybersecurity related criminal act; or
‘(B) to disclose the information to the appropriate congressional committee;
‘(4) shall not, if subsequently provided to a State or local government or government agency--
‘(A) be made available pursuant to any State or local law requiring disclosure of information or records;
‘(B) otherwise be disclosed or distributed to any party by such State or local government or government agency without the written consent of the person or entity submitting such information; or
‘(C) be used other than for the purpose of protecting information systems, or in furtherance of an investigation or the prosecution of a criminal act;
‘(5) does not constitute a waiver of any applicable privilege or protection provided under law, such as information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain; and
‘(6) shall not be the basis for any civil or criminal right of action in Federal or State court for a failure to warn or disclose provided that the information is shared with the Federal Government through the National Information Sharing Organization in accordance with the procedures established under this section.
‘(c) Limitation- The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to any communication of information to a Federal agency made pursuant to this title.
‘(d) Procedures-
‘(1) IN GENERAL- Not later than 90 days after the date of the enactment of this subtitle, the board of directors of the National Information Sharing Organization shall establish uniform procedures for the receipt, care, and storage of information that is voluntarily submitted to the Federal Government through the National Information Sharing Organization.
‘(2) ELEMENTS- The procedures established under paragraph (1) shall include procedures for--
‘(A) the acknowledgment of receipt by the National Information Sharing Organization of cyber threat information that is voluntarily submitted to the National Information Sharing Organization;
‘(B) the maintenance of the identification of such information;
‘(C) the care and storage of such information;
‘(D) limiting subsequent dissemination of such information to ensure that such information is not used for an unauthorized purpose;
‘(E) the protection of the privacy rights and civil liberties of any individuals who are subjects of such information; and
‘(F) the protection and maintenance of the confidentiality of such information so as to permit the sharing of such information within the Federal Government and with State, tribal, and local governments, and the issuance of notices and warnings related to the protection of information networks, in such manner as to protect from public disclosure the identity of the submitting person or entity, or information that is proprietary, business sensitive, relates specifically to the submitting person or entity, and is otherwise not appropriately in the public domain.
‘(e) Independently Obtained Information- Nothing in this section shall be construed to limit or otherwise affect the ability of a Federal agency, a State, tribal, or local government or government agency, or any third party--
‘(1) to obtain or disseminate cyber threat information in a manner other than through the National Information Sharing Organization; and
‘(2) to use such information in any manner permitted by law.
‘(f) Definitions- In this section:
‘(1) The term ‘cybersecurity provider’ means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.
‘(2) The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--
‘(A) efforts to degrade, disrupt or destroy such system or network; or
‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
‘(3) The term ‘cybersecurity system’ means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--
‘(A) efforts to degrade, disrupt or destroy such system or network; or
‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
‘(4) The term ‘cyber threat information’ means information that is--
‘(A) necessary to describe a method of defeating technical controls on a system or network that corresponds to a cyber threat; and
‘(B) omits all other information not necessary to describe such threat.
‘(5) The term ‘protected entity’ means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
‘(6) The term ‘self-protected entity’ means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself within the National Cybersecurity and Communications Integration Center.
[Introduced in House]
‘SEC. 249. ANNUAL INDEPENDENT AUDITS.
‘The board of directors of the National Information Sharing Organization shall commission, on an annual basis, an audit by a qualified, independent auditing firm approved by the Secretary, to review the compliance of the National Information Sharing Organization and its members with the information sharing rules set forth in section 248 and the information sharing rules established by the board pursuant to the National Information Sharing Organization charter required under section 244. Such audit--
‘(1) shall identify instances in which information may have been shared in a manner inconsistent with restrictions and the procedures required under section 248 or with the information sharing rules established by the board pursuant to section 244, with the National Information Sharing Organization, with members of the National Information Sharing Organization, or by the National Information Sharing Organization with a National Information Sharing Organization member or other entity or individual;
‘(2) shall be provided to the Secretary and to the Committee on Homeland Security of the House of Representatives and to the Homeland Security and Governmental Affairs Committee of the Senate;
‘(3) shall be made public, with appropriate redactions to protect the identity of National Information Sharing Organization members; and
‘(4) may include a classified annex.
‘SEC. 250. PENALTIES.
‘(a) In General- It shall be unlawful for any officer, employee, representative, or agent of the United States or of any Federal agency, or any employee or officer of the National Information Sharing Organization, its member entities, and any representatives or agents of the National Information Sharing Organization or its member entities to knowingly publish, divulge, disclose, or make known in any manner or to any extent not authorized by law, any cyber threat information protected from disclosure by this title coming to such officer or employee in the course of the employee’s employment or official duties or by reason of any examination or investigation made by, or return, report, or record made to or filed with, such officer, employee, or agency.
‘(b) Penalty- Any person who violates subsection (a) shall be fined under title 18, United States Code, imprisoned for not more than one year, or both, and shall be removed from office or employment.

[Reported in House]
‘SEC. 246. ANNUAL REPORT.
‘The board of advisors of the National Cybersecurity Communications Integration Center shall submit to the Secretary and the appropriate committees of Congress an annual report on the status of the National Cybersecurity Communications Integration Center and how the Center accomplished its purpose under section 242 during the year covered by the report. Each such report shall include, for the year covered by the report--
‘(1) information on the amount and nature of information shared by and through the Center;
‘(2) the number of violations of statutory restrictions and the procedures established for the Center and any steps taken by the Center to reduce and eliminate such violations;
‘(3) any changes to the Center’s charter as agreed upon by the board and the membership; and
‘(4) proposed ways to improve information sharing by and through the Center.
[Introduced in House]
‘SEC. 251. AUTHORITY TO ISSUE WARNINGS.
‘The Secretary may, in coordination with appropriate Federal departments and agencies, provide advisories, alerts, and warnings to relevant companies, targeted sectors, other government entities, or the general public regarding potential threats to information networks as appropriate. In issuing such an advisory, alert, or warning, the Secretary shall take appropriate actions to protect from disclosure--
‘(1) the source of any voluntarily submitted information that forms the basis for the advisory, alert, or warning; and
‘(2) information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriate for disclosure in the public domain.

[Reported in House]
‘SEC. 247. AUTHORITY TO ISSUE WARNINGS.
‘The Secretary may, in coordination with appropriate Federal departments and agencies, provide advisories, alerts, and warnings to relevant companies, targeted sectors, other government entities, or the general public regarding potential cybersecurity threats as appropriate. In issuing such an advisory, alert, or warning, the Secretary shall not disclose--
‘(1) without the express consent of an entity sharing information with the Federal Government pursuant to title XI of the National Security Act of 1947 and the Federal department or agency that initially received such information, any such information or the source of such information;
‘(2) information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriate for disclosure in the public domain; and
‘(3) any information that is restricted by statute, rule, or regulation, including information restricted from disclosure under title XI of the National Security Act of 1947, and information relating to sources and methods and the national security of the United States.
[Introduced in House]
‘SEC. 252. EXEMPTION FROM ANTITRUST PROHIBITIONS.
‘The exchange of information by and between private sector members of the National Information Sharing Organization in furtherance of the mission and activities of the National Information Sharing Organization shall not be considered a violation of any provision of the antitrust laws (as such term is defined in the first section of the Clayton Act (15 U.S.C. 12)).
‘SEC. 253. LIMITATION.
‘For any fiscal year after fiscal year 2015, the amount authorized to be appropriated for the National Information Sharing Organization may not exceed the amount provided by the largest private sector member of the National Information Sharing Organization for that fiscal year.

[Reported in House]
‘SEC. 248. DEFINITIONS.
‘In this subtitle:
‘(1) CYBER THREAT INFORMATION- The term ‘cyber threat information’ means the information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--
‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information.
‘(2) CYBERSECURITY THREAT- The term ‘cybersecurity threat’ means a vulnerability of, or threat to, a system or network of a government or private entity, including--
‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information.
‘SEC. 249. SAVINGS CLAUSE.
‘Nothing in this subtitle shall be interpreted to--
‘(1) alter or amend the authorities of any Federal department or agency other than the Department of Homeland Security, including the law enforcement or intelligence authorities of any such Federal department or agency or the authority of any such Federal department or agency to protect sources and methods and the national security;
‘(2) limit or modify an existing information sharing or other relationship;
‘(3) prohibit a new information sharing or other relationship;
‘(4) require a new information sharing or other relationship between the Federal Government and a private sector entity;
‘(5) alter or otherwise limit the authority of any Federal department or agency to also undertake any activities that the Department of Homeland Security is authorized to undertake pursuant to this section; or
‘(6) provide additional authority to, or modify an existing authority of the Department of Homeland Security to control, modify, require, or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government.’.
(2) CLERICAL AMENDMENT- The table of contents in section 21(b) of such Act, as amended by section 2, is further amended by adding at the end of the items relating to title II the following new items:
[Introduced in House]
‘Subtitle E--National Information Sharing Organization
‘Sec. 241. Establishment of National Information Sharing Organization.
‘Sec. 242. Mission and activities.
‘Sec. 243. Board of directors.
‘Sec. 244. Charter.
‘Sec. 245. Membership.
‘Sec. 246. Funding.
‘Sec. 247. Classified information.
‘Sec. 248. Voluntary information sharing.
‘Sec. 249. Annual independent audits.
‘Sec. 250. Penalties.
‘Sec. 251. Authority to issue warnings.
‘Sec. 252. Exemption from antitrust prohibitions.
‘Sec. 253. Limitation.’.

[Reported in House]
‘Subtitle E--Department of Homeland Security Cybersecurity Information Sharing
‘Sec. 241. Information sharing.
‘Sec. 242. Establishment of National Cybersecurity and Communications Integration Center.
‘Sec. 243. Board of advisors.
‘Sec. 244. Charter.
‘Sec. 245. Participation.
‘Sec. 246. Annual report.
‘Sec. 247. Authority to issue warnings.
‘Sec. 248. Definitions.
‘Sec. 249. Savings clause.’.
[Introduced in House]
(b) Initial Expenses- There is authorized to be appropriated $104,000,000 for each of fiscal years 2013, 2014, and 2015 for initial expenses.

[Reported in House]
(b) Authorization of Appropriation for the National Cybersecurity and Communications Integration Center- There is authorized to be appropriated $104,000,000 for each of fiscal years 2013, 2014, and 2015 for the administration and management of the National Cybersecurity and Communications Integration Center.
SEC. 4. CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) In General- Title III of the Homeland Security Act of 2002 is amended by adding at the end the following:

‘SEC. 318. CYBERSECURITY RESEARCH AND DEVELOPMENT.
‘(a) In General- The Under Secretary for Science and Technology shall support research, development, testing, evaluation, and transition of cybersecurity technology. Such support shall include fundamental, long-term research to improve the ability of the United States to prevent, protect against, detect, respond to, and recover from acts of terrorism and cyber attacks, with an emphasis on research and development relevant to attacks that would cause a debilitating impact on national security, national economic security, or national public health and safety.
‘(b) Activities- The research and development testing, evaluation, and transition supported under subsection (a) shall include work to--
‘(1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the domain name system and routing protocols;
‘(2) improve, create, and advance the research and development of techniques and technologies for proactive detection and identification of threats, attacks, and acts of terrorism before they occur;
‘(3) advance technologies for detecting attacks or intrusions, including real-time monitoring and real-time analytic technologies;
‘(4) improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks and development of resilient networks and systems;
‘(5) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, test beds, and data sets for assessment of new cybersecurity technologies;
‘(6) assist in the development and support of technologies to reduce vulnerabilities in process control systems;
‘(7) develop and support cyber forensics and attack attribution;
‘(8) [Introduced in House] test, evaluate, and facilitate the transfer of technologies associated with the establishment of the National Information Sharing Organization under subtitle E of title II; [Reported in House] engineering of less vulnerable software and securing the information technology software development lifecycle;
‘(9) ensure new cybersecurity technology is scientifically and operationally validated; and
‘(10) facilitate the planning, development, and implementation of international cooperative activities (as defined in section 317) to address cybersecurity and energy infrastructure with foreign public or private entities, governmental organizations, businesses (including small business concerns and social and economically disadvantaged small business concerns (as those terms are defined in sections 3 and 8 of the Small Business Act (15 U.S.C. 632 and 637) respectively)), federally funded research and development centers and universities from countries that may include Israel, the United Kingdom, Canada, Australia, Singapore, Germany, New Zealand, and other allies, as determined by the Secretary, in research and development of technologies, best practices, and other means to protect critical infrastructure, including the national electric grid.
‘(c) Coordination- In carrying out this section, the Under Secretary shall coordinate all activities with--
‘(1) the Under Secretary for National Protection and Programs Directorate; and
‘(2) the heads of other relevant Federal departments and agencies, including the National Science Foundation, the Defense Advanced Research Projects Agency, the Information Assurance Directorate of the National Security Agency, the National Institute of Standards and Technology, the Department of Commerce, academic institutions, the Networking and Information Technology Research and Development Program, and other appropriate working groups established by the President to identify unmet needs and cooperatively support activities, as appropriate.’.
(b) Clerical Amendment- The table of contents in section 1(b) of such Act, as amended by sections 2 and 3, is further amended by inserting after the item relating to section 317 the following new item:
‘Sec. 318. Cybersecurity research and development.’.
SEC. 5. REPORT ON SUPPORT FOR REGIONAL CYBERSECURITY COOPERATIVES.
(a) In General- Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on what support, if any, the Department of Homeland Security might provide to regional, State, and local grassroots cyber cooperatives.

(b) Contents- The report shall include an analysis of the progress in establishing the ‘NET Guard’ authorized under section 224 of the Homeland Security Act of 2002, as added by subsection (a) (

(1) evaluate whether the grant process should include a methodology of identifying recognized national experts in relevant areas of science and technology, including agreed upon metrics measuring the expertise and demonstrated capabilities of such experts; and

(2) address the following:

(A) The appropriateness of the establishment and maintenance of a national volunteer experts registry system comprised of the demonstrated national experts described in this paragraph, together with information relating to their particular areas of expertise and who may be called upon to respond to a cyber incident.

(B) The need to identify and leverage existing capabilities of cyber response and cyber workforce challenge programs in States, local governments, private sector entities, and non-profit organizations to potentially accelerate the implementation of the NET Guard.

(C) The requirements for the implementation of a plan to improve national capability with minimum descriptions of the following:

(i) How to evaluate the demonstrated national experts in relevant areas of science and technology.

(ii) How to establish and maintain the national volunteer experts registry system.

(iii) Potential funding models incorporating private sector funding.

SEC. 6. CYBERSECURITY DOMESTIC PREPAREDNESS CONSORTIUM AND CYBERSECURITY TRAINING CENTER.
(a) Cybersecurity Domestic Preparedness Consortium-

(1) IN GENERAL- The Secretary of Homeland Security may establish a consortium to be known as the ‘Cybersecurity Domestic Preparedness Consortium’.

(2) FUNCTIONS- The Consortium established under paragraph (1) may--

(A) provide training to State and local first responders and officials specifically for preparing and responding to cybersecurity attacks;

(B) develop and update a curriculum utilizing the DHS National Cyber Security Division sponsored Community Cyber Security Maturity Model (CCSMM) for State and local first responders and officials;

(C) provide technical assistance services to build and sustain capabilities in support of cybersecurity preparedness and response; and

(D) conduct cybersecurity training and simulation exercises to defend from and respond to cyber attacks.

(3) MEMBERS- The Consortium shall consist of academic, nonprofit, and government partners that develop, update, and deliver cybersecurity training in support of homeland security.

(b) Cybersecurity Training Center- As a part of the Cybersecurity Domestic Preparedness Consortium, the Secretary may establish where appropriate one or more cybersecurity training centers to provide training courses and other resources for State and local first responders and officials to improve preparedness and response capabilities.

(c) Plan for Fusion Centers- The Cybersecurity Domestic Preparedness Consortium shall develop a plan to implement as one of the Cybersecurity Training Centers a one-year voluntary pilot program to test and assess the feasibility, costs, and benefits of providing cybersecurity training to State and local law enforcement personnel through the national network of fusion centers.

(d) Pilot Program-

(1) IN GENERAL- Not later than one year after the date of the enactment of the Act, the Secretary shall implement a one-year voluntary pilot program to train State and local law enforcement personnel in the national network of fusion centers in cyber security standards, procedures, and best practices.

(2) CURRICULUM AND PERSONNEL- In creating the curriculum for the training program and conducting the program, the Secretary may assign personnel from the Department of Homeland Security, including personnel from the Office of Cybersecurity and Communications.

(3) COORDINATION- The curriculum for the training and for conducting the program will be coordinated with that of the Cyber Security Domestic Preparedness Consortium.

SEC. 7. SAVINGS CLAUSE.
Nothing in this Act shall be interpreted to--

(1) alter or amend the authorities of any Federal department or agency other than the Department of Homeland Security, including the law enforcement or intelligence authorities of any such Federal department or agency or the authority of any such Federal department or agency to protect sources and methods and the national security;

(2) alter or otherwise limit the authority of any Federal department or agency to also undertake any activities that the Department of Homeland Security is authorized to undertake pursuant to this section; or

(3) provide additional authority to, or modify an existing authority of the Department of Homeland Security to control, modify, require, or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government.

Union Calendar No. 501

112th CONGRESS

2d Session

H. R. 3674

[Report No. 112-592, Part I]

A BILL

To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.

September 21, 2012

The Committee on Energy and Commerce discharged; committed to the Committee of the Whole House on the State of the Union and ordered to be printed

U.S. Congress - Text of H.R.3674 as Reported in House Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2012