S.2105 - Cybersecurity Act of 2012
A bill to enhance the security and resiliency of the cyber and communications infrastructure of the United States.

S 2105 PCS

Calendar No. 323

112th CONGRESS

2d Session

S. 2105

To enhance the security and resiliency of the cyber and communications infrastructure of the United States.

IN THE SENATE OF THE UNITED STATES

February 14, 2012

Mr. LIEBERMAN (for himself, Ms. COLLINS, Mr. ROCKEFELLER, and Mrs. FEINSTEIN) introduced the following bill; which was read the first time

February 15, 2012

Read the second time and placed on the calendar

A BILL

To enhance the security and resiliency of the cyber and communications infrastructure of the United States.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title- This Act may be cited as the ‘Cybersecurity Act of 2012’.

(b) Table of Contents- The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Definitions.

TITLE I--PROTECTING CRITICAL INFRASTRUCTURE
Sec. 101. Definitions and responsibilities.

Sec. 102. Sector-by-sector cyber risk assessments.

Sec. 103. Procedure for designation of covered critical infrastructure.

Sec. 104. Sector-by-sector risk-based cybersecurity performance requirements.

Sec. 105. Security of covered critical infrastructure.

Sec. 106. Sector-specific agencies.

Sec. 107. Protection of information.

Sec. 108. Voluntary technical assistance.

Sec. 109. Emergency planning.

Sec. 110. International cooperation.

Sec. 111. Effect on other laws.

TITLE II--PROTECTING GOVERNMENT NETWORKS
Sec. 201. FISMA Reform.

Sec. 202. Management of information technology.

Sec. 203. Savings provisions.

TITLE III--CLARIFYING AND STRENGTHENING EXISTING ROLES AND AUTHORITIES
Sec. 301. Consolidation of existing departmental cyber resources and authorities.

TITLE IV--EDUCATION, RECRUITMENT, AND WORKFORCE DEVELOPMENT
Sec. 401. Definitions.

Sec. 402. National education and awareness campaign.

Sec. 403. National cybersecurity competition and challenge.

Sec. 404. Federal cyber scholarship-for-service program.

Sec. 405. Assessment of cybersecurity Federal workforce.

Sec. 406. Federal cybersecurity occupation classifications.

Sec. 407. Training and education.

Sec. 408. Cybersecurity incentives.

TITLE V--RESEARCH AND DEVELOPMENT
Sec. 501. Federal cybersecurity research and development.

Sec. 502. Homeland security cybersecurity research and development.

TITLE VI--FEDERAL ACQUISITION RISK MANAGEMENT STRATEGY
Sec. 601. Federal acquisition risk management strategy.

Sec. 602. Amendments to Clinger-Cohen provisions to enhance agency planning for information security needs.

TITLE VII--INFORMATION SHARING
Sec. 701. Affirmative authority to monitor and defend against cybersecurity threats.

Sec. 702. Voluntary disclosure of cybersecurity threat indicators among private entities.

Sec. 703. Cybersecurity exchanges.

Sec. 704. Voluntary disclosure of cybersecurity threat indicators to a cybersecurity exchange.

Sec. 705. Sharing of classified cybersecurity threat indicators.

Sec. 706. Limitation on liability and good faith defense for cybersecurity activities.

Sec. 707. Construction; Federal preemption.

Sec. 708. Definitions.

TITLE VIII--PUBLIC AWARENESS REPORTS
Sec. 801. Findings.

Sec. 802. Report on cyber incidents against Government networks.

Sec. 803. Reports on prosecution for cybercrime.

Sec. 804. Report on research relating to secure domain.

Sec. 805. Report on preparedness of Federal courts to promote cybersecurity.

Sec. 806. Report on impediments to public awareness.

Sec. 807. Report on protecting the electrical grid of the United States.

TITLE IX--INTERNATIONAL COOPERATION
Sec. 901. Definitions.

Sec. 902. Findings.

Sec. 903. Sense of Congress.

Sec. 904. Coordination of international cyber issues within the United States Government.

Sec. 905. Consideration of cybercrime in foreign policy and foreign assistance programs.

SEC. 2. DEFINITIONS.
In this Act:

(1) COMMERCIAL INFORMATION TECHNOLOGY PRODUCT- The term ‘commercial information technology product’ means a commercial item that organizes or communicates information electronically.

(2) COMMERCIAL ITEM- The term ‘commercial item’ has the meaning given the term in

(3) COVERED CRITICAL INFRASTRUCTURE- The term ‘covered critical infrastructure’ means a system or asset designated by the Secretary as covered critical infrastructure in accordance with the procedure established under section 103.

(4) COVERED SYSTEM OR ASSET- The term ‘covered system or asset’ means a system or asset of covered critical infrastructure.

(5) CRITICAL INFRASTRUCTURE- The term ‘critical infrastructure’ has the meaning given that term in section 1016(e) of the USA PATRIOT Act (

(6) DEPARTMENT- The term ‘Department’ means the Department of Homeland Security.

(7) FEDERAL AGENCY- The term ‘Federal agency’ has the meaning given the term ‘agency’ in

(8) FEDERAL INFORMATION INFRASTRUCTURE- The term ‘Federal information infrastructure’--

(A) means information and information systems that are owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and

(B) does not include--

(i) a national security system; or

(ii) information and information systems that are owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community.

(9) INCIDENT- The term ‘incident’ has the meaning given that term in

(10) INFORMATION INFRASTRUCTURE- The term ‘information infrastructure’ means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.

(11) INFORMATION SHARING AND ANALYSIS ORGANIZATION- The term ‘Information Sharing and Analysis Organization’ has the meaning given that term in section 212 of the Homeland Security Act of 2002 (

(12) INFORMATION SYSTEM- The term ‘information system’ has the meaning given that term in

(13) INSTITUTION OF HIGHER EDUCATION- The term ‘institution of higher education’ has the meaning given that term in section 102 of the Higher Education Act of 1965 (

(14) INTELLIGENCE COMMUNITY- The term ‘intelligence community’ has the meaning given that term under section 3(4) of the National Security Act of 1947 (

(15) NATIONAL INFORMATION INFRASTRUCTURE- The term ‘national information infrastructure’ means information and information systems--

(A) that are owned, operated, or controlled, in whole or in part, within or from the United States; and

(B) that are not owned, operated, controlled, or licensed for use by a Federal agency.

(16) NATIONAL SECURITY SYSTEM- The term ‘national security system’ has the meaning given that term in

(17) OWNER- The term ‘owner’--

(A) means an entity that owns a covered system or asset; and

(B) does not include a company contracted by the owner to manage, run, or operate a covered system or asset, or to provide a specific information technology product or service that is used or incorporated into a covered system or asset.

(18) OPERATOR- The term ‘operator’--

(A) means an entity that manages, runs, or operates, in whole or in part, the day-to-day operations of a covered system or asset; and

(B) may include the owner of a covered system or asset.

(19) SECRETARY- The term ‘Secretary’ means the Secretary of Homeland Security.

TITLE I--PROTECTING CRITICAL INFRASTRUCTURE

SEC. 101. DEFINITIONS AND RESPONSIBILITIES.
(a) Definitions- In this title:

(1) CYBER RISK- The term ‘cyber risk’ means any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.

(2) SECTOR-SPECIFIC AGENCY- The term ‘sector-specific agency’ means the relevant Federal agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category under the National Infrastructure Protection Plan, or any other appropriate Federal agency identified by the President after the date of enactment of this Act.

(b) Responsibility of Owner- It shall be the responsibility of an owner to comply with the requirements of this Act.

SEC. 102. SECTOR-BY-SECTOR CYBER RISK ASSESSMENTS.
(a) In General- The Secretary, in consultation with entities that own or operate critical infrastructure, the Critical Infrastructure Partnership Advisory Council, and appropriate Information Sharing and Analysis Organizations, and in coordination with the intelligence community, the Department of Defense, the Department of Commerce, sector-specific agencies and other Federal agencies with responsibilities for regulating the security of entities that own or operate critical infrastructure shall--

(1) not later than 90 days after the date of enactment of this Act, conduct a top-level assessment of the cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all critical infrastructure sectors to determine which sectors pose the greatest immediate risk, in order to guide the allocation of resources for the implementation of this Act; and

(2) beginning with the highest priority sectors identified under paragraph (1), conduct, on an ongoing, sector-by-sector basis, cyber risk assessments of the critical infrastructure in a manner that--

(A) uses state-of-the-art threat modeling, simulation, and analysis techniques;

(B) incorporates, as appropriate, any existing similar risk assessments; and

(C) considers--

(i) the actual or assessed threat, including consideration of adversary capabilities and intent, intrusion techniques, preparedness, target attractiveness, and deterrence capabilities;

(ii) the extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by damage or unauthorized access to critical infrastructure;

(iii) the threat to or impact on national security caused by damage or unauthorized access to critical infrastructure;

(iv) the extent to which damage or unauthorized access to critical infrastructure will disrupt the reliable operation of other critical infrastructure;

(v) the harm to the economy that would result from damage or unauthorized access to critical infrastructure;

(vi) the risk of national or regional catastrophic damage within the United States caused by damage or unauthorized access to information infrastructure located outside the United States;

(vii) the overall preparedness and resilience of each sector against damage or unauthorized access to critical infrastructure, including the effectiveness of market forces at driving security innovation and secure practices; and

(viii) any other risk-based security factors appropriate and necessary to protect public health and safety, critical infrastructure, or national and economic security.

(b) Input of Owners and Operators-

(1) IN GENERAL- The Secretary shall--

(A) establish a process under which entities that own or operate critical infrastructure and other relevant private sector experts provide input into the risk assessments conducted under this section; and

(B) seek and incorporate private sector expertise available through established public-private partnerships, including the Critical Infrastructure Partnership Advisory Council and appropriate Information Sharing and Analysis Organizations.

(2) PROTECTION OF INFORMATION- Any information submitted as part of the process established under paragraph (1) shall be protected in accordance with section 107.

(c) Methodologies for Assessing Information Security Risk- The Secretary and the Director of the National Institute of Standards and Technology, in consultation with entities that own or operate critical infrastructure and relevant private sector and academic experts, shall--

(1) develop repeatable, qualitative, and quantitative methodologies for assessing information security risk; or

(2) use methodologies described in paragraph (1) that are in existence on the date of enactment of this Act and make the methodologies publicly available.

(d) Submission of Risk Assessments- The Secretary shall submit each risk assessment conducted under this section, in a classified or unclassified form as necessary, to--

(1) the President;

(2) appropriate Federal agencies; and

(3) appropriate congressional committees.

SEC. 103. PROCEDURE FOR DESIGNATION OF COVERED CRITICAL INFRASTRUCTURE.
(a) Responsibility for Designation of Covered Critical Infrastructure-

(1) IN GENERAL- The Secretary, in consultation with entities that own or operate critical infrastructure, the Critical Infrastructure Partnership Advisory Council, appropriate Information Sharing and Analysis Organizations, and other appropriate representatives of State and local governments, shall establish a procedure for the designation of critical infrastructure, on a sector-by-sector basis, as covered critical infrastructure for the purposes of this Act.

(2) DUTIES- In establishing the procedure under paragraph (1), the Secretary shall--

(A) prioritize the efforts of the Department based on the prioritization established under section 102(a)(1);

(B) incorporate, to the extent practicable, the input of entities that own or operate critical infrastructure, the Critical Infrastructure Partnership Advisory Council, appropriate Information Sharing and Analysis Organizations, and other appropriate representatives of the private sector and State and local governments;

(C) coordinate with the head of the sector-specific agency with responsibility for critical infrastructure and the head of any Federal agency with responsibilities for regulating the security of critical infrastructure;

(D) develop a mechanism for owners to submit information to assist the Secretary in making determinations under this section; and

(E) periodically, but not less often than annually, review and update designations under this section.

(b) Designation of Covered Critical Infrastructure-

(1) GUIDELINES FOR DESIGNATION- In designating covered critical infrastructure for the purposes of this Act, the Secretary shall--

(A) designate covered critical infrastructure on a sector-by-sector basis and at the system or asset level;

(B) inform owners of the criteria used to identify covered critical infrastructure;

(C) only designate a system or asset as covered critical infrastructure if damage or unauthorized access to that system or asset could reasonably result in--

(i) the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause--

(I) a mass casualty event that includes an extraordinary number of fatalities; or

(II) mass evacuations with a prolonged absence;

(ii) catastrophic economic damage to the United States including--

(I) failure or substantial disruption of a United States financial market;

(II) incapacitation or sustained disruption of a transportation system; or

(III) other systemic, long-term damage to the United States economy; or

(iii) severe degradation of national security or national security capabilities, including intelligence and defense functions; and

(D) consider the sector-by-sector risk assessments developed in accordance with section 102.

(2) LIMITATIONS- The Secretary may not designate as covered critical infrastructure under this section--

(A) a system or asset based solely on activities protected by the first amendment to the Constitution of the United States;

(B) an information technology product or service based solely on a finding that the product or service is capable of, or is actually, being used in covered critical infrastructure;

(C) a commercial information technology product, including hardware and software; or

(D) any service provided in support of a product specified in subparagraph (C), including installation services, maintenance services, repair services, training services, and any other services provided in support of the product.

(3) NOTIFICATION OF IDENTIFICATION OF SYSTEM OR ASSET- Not later than 30 days after the Secretary designates a system or asset as covered critical infrastructure under this section, the Secretary shall notify the owner of the system or asset that was designated and the basis for the designation.

(4) SELF-DESIGNATION OF SYSTEM OR ASSET AS COVERED CRITICAL INFRASTRUCTURE- The owner of a system or asset may request that the system or asset be designated as covered critical infrastructure under this section if the owner determines that the system or asset meets the criteria for designation.

(5) SYSTEM OR ASSET NO LONGER COVERED CRITICAL INFRASTRUCTURE-

(A) IN GENERAL- If the Secretary determines that any system or asset that was designated as covered critical infrastructure under this section no longer constitutes covered critical infrastructure, the Secretary shall promptly notify the owner of that system or asset of that determination.

(B) SELF-DESIGNATION- If an owner determines that an asset or system previously self-designated as covered critical infrastructure under paragraph (4) no longer meets the criteria for designation, the owner shall notify the Secretary of this determination and submit to the redress process under subsection (c).

(6) DEFINITION- In this subsection, the term ‘damage’ has the meaning given that term in

(c) Redress-

(1) IN GENERAL- Subject to paragraphs (2) and (3), the Secretary shall develop a mechanism, consistent with subchapter II of chapter 5 of title 5, United States Code, for an owner notified under subsection (b)(3) or for an owner that self-designates under subsection (b)(4) to request that the Secretary review--

(A) the designation of a system or asset as covered critical infrastructure;

(B) the rejection of the self-designation of an owner of a system or asset as covered critical infrastructure; or

(C) a determination under subsection (b)(5)(B).

(2) APPEAL TO FEDERAL COURT- A civil action seeking judicial review of a final agency action taken under the mechanism developed under paragraph (1) shall be filed in the United States District Court for the District of Columbia.

(3) COMPLIANCE- An owner shall comply with this title relating to covered critical infrastructure until such time as the critical infrastructure is no longer designated as covered critical infrastructure, based on--

(A) an appeal under paragraph (1);

(B) a determination of the Secretary unrelated to an appeal; or

(C) a final judgment entered in a civil action seeking judicial review brought in accordance with paragraph (2).

SEC. 104. SECTOR-BY-SECTOR RISK-BASED CYBERSECURITY PERFORMANCE REQUIREMENTS.
(a) Purpose- The purpose of this section is to secure the critical infrastructure of the Nation while promoting and protecting private sector innovation in design and development of technology for the global market for commercial information technology products, including hardware and software and related products and services.

(b) Performance Requirements- The Secretary, in consultation with owners and operators, the Critical Infrastructure Partnership Advisory Council, and appropriate Information Sharing and Analysis Organizations, and in coordination with the National Institute of Standards and Technology, the Director of the National Security Agency, sector-specific agencies, appropriate representatives from State and local governments, and other Federal agencies with responsibilities for regulating the security of covered critical infrastructure, shall identify or develop, on a sector-by-sector basis, risk-based cybersecurity performance requirements (referred to in this section as ‘performance requirements’) that--

(1) require owners to remediate or mitigate identified cyber risks and any associated consequences identified under section 102(a) or otherwise; and

(2) do not permit any Federal employee or agency to--

(A) regulate commercial information technology products, including hardware and software and related services, including installation services, maintenance services, repair services, training services, and any other services provided in support of the product;

(B) require commercial information technology products, including hardware and software and related services, for use or non-use in covered critical infrastructure; or

(C) regulate the design, development, manufacturing, or attributes of commercial information technology products, including hardware and software and related services, for use or non-use in covered critical infrastructure.

(c) Limitation- If the Secretary determines that there are regulations in effect on the date of enactment of this Act that apply to covered critical infrastructure and that address some or all of the risks identified under section 102, the Secretary shall identify or develop performance requirements under this section only if the regulations do not require an appropriate level of security.

(d) Identification and Development of Performance Requirements- In establishing the performance requirements under this section, the Secretary shall--

(1) establish a process for entities that own or operate critical infrastructure, voluntary consensus standards development organizations, representatives of State and local government, and the private sector, including sector coordinating councils and appropriate Information Sharing and Analysis Organizations, to propose performance requirements;

(2) identify existing industry practices, standards, and guidelines; and

(3) select and adopt performance requirements submitted under paragraph (1) or identified under paragraph (2) that satisfy other provisions of this section.

(e) Requirement- If the Secretary determines that none of the performance requirements submitted or identified under paragraphs (1) and (2) of subsection (d) satisfy the other provisions of this section, the Secretary shall, in consultation with owners and operators, the Critical Infrastructure Partnership Advisory Council, and appropriate Information Sharing and Analysis Organizations, and in coordination with the National Institute of Standards and Technology, the Director of the National Security Agency, sector-specific agencies, and other Federal agencies with responsibilities for regulating the security of covered critical infrastructure, develop satisfactory performance requirements.

(f) Exemption Authority-

(1) IN GENERAL- The President, in consultation with the Director of the Office of Management and Budget, may exempt an appropriate part of covered critical infrastructure from the requirements of this title if the President determines that a sector-specific regulatory agency has sufficient specific requirements and enforcement mechanisms to effectively mitigate the risks identified under section 102.

(2) RECONSIDERATION- The President may reconsider any exemption under paragraph (1) as appropriate.

(g) Consideration- The Secretary, in establishing performance requirements under this section, shall take into consideration available resources and anticipated consequences of a cyber attack.

SEC. 105. SECURITY OF COVERED CRITICAL INFRASTRUCTURE.
(a) In General- Not later than 1 year after the date of enactment of this Act, the Secretary, in consultation with owners and operators, and the Critical Infrastructure Partnership Advisory Council, and in coordination with sector-specific agencies and other Federal agencies with responsibilities for regulating the security of covered critical infrastructure, shall promulgate regulations to enhance the security of covered critical infrastructure against cyber risks.CommentsClose CommentsPermalink

(b) Responsibilities- The regulations promulgated under this section shall establish procedures under which--CommentsClose CommentsPermalink

(1) each owner--

(A) is regularly informed of cyber risk assessments, identified cybersecurity threats, and the risk-based security performance requirements appropriate to the sector of the owner established under section 104;

(B) selects and implements the cybersecurity measures the owner determines to be best suited to satisfy the risk-based cybersecurity performance requirements established under section 104;

(C) develop or update continuity of operations and incident response plans; and

(D) shall report, consistent with the protections in section 107, significant cyber incidents affecting covered critical infrastructure;

(2) the Secretary and each Federal agency with responsibilities for regulating the security of covered critical infrastructure, is notified of the security measure or measures selected by an owner in accordance with paragraph (1)(B); and

(3) the Secretary--

(A) identifies, in consultation with owners and operators, cyber risks that are not capable of effective remediation or mitigation using available standards, industry practices or other available security measures;

(B) provides owners the opportunity to develop practices or security measures to remediate or mitigate the cyber risks identified in section 102 without the prior approval of the Secretary and without affecting the compliance of the covered critical infrastructure with the requirements under this section;

(C) in accordance with applicable law relating to the protection of trade secrets, permits owners and operators to report to the Secretary the development of effective practices or security measures to remediate or mitigate the cyber risks identified under section 102; and

(D) shall develop, in conjunction with the Secretary of Defense and the Director of National Intelligence and in coordination with owners and operators, a procedure for ensuring that owners and operators are, to the maximum extent practicable and consistent with the protection of sources and methods, informed of relevant real-time threat information.

(c) Enforcement-

(1) REQUIREMENTS- The regulations promulgated under this section shall establish procedures that--

(A) require each owner--

(i) to certify, on an annual basis, in writing to the Secretary and the head of the Federal agency with responsibilities for regulating the security of the covered critical infrastructure whether the owner has developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements established under section 104; or

(ii) to submit a third-party assessment in accordance with subsection (d), on an annual basis;

(B) provide for civil penalties for any person who--

(i) violates this section; and

(ii) fails to remediate such violation in an appropriate timeframe; and

(C) do not confer upon any person, except the Federal agency with responsibilities for regulating the security of the covered critical infrastructure and the Secretary, a right of action against an owner or operator to enforce any provision of this section.

(2) PROPOSED SECURITY MEASURES- An owner may select any security measures that satisfy the risk-based security performance requirements established under section 104.

(3) RECOMMENDED SECURITY MEASURES- Upon request from an owner or operator, the Secretary may recommend a specific security measure that the Secretary believes will satisfy the risk-based security performance requirements established under section 104.

(4) SECURITY AND PERFORMANCE-BASED EXEMPTIONS-

(A) IN GENERAL- The Secretary shall develop a process for an owner to demonstrate that--

(i) a covered system or asset is sufficiently secured against the risks identified in section 102; or

(ii) compliance with risk-based performance requirements developed under section 104 would not substantially improve the security of the covered system or asset.

(B) EXEMPTION AUTHORITY- Upon a determination by the Secretary that a covered system or asset is sufficiently secured against the risks identified in section 102, or that compliance with risk based performance requirements developed under section 104 would not substantially improve the security of the system or asset, the Secretary may not require the owner to select or implement cybersecurity measures or submit an annual certification or third party assessment as required under this Act.

(C) REQUIREMENT- The Secretary shall require an owner that was exempted under subparagraph (B) to demonstrate that the covered system or asset of the owner is sufficiently secured against the risks identified in section 102, or that compliance with risk based performance requirements developed under section 104 would not substantially improve the security of the system or asset--

(i) not less than once every 3 years; or

(ii) if the Secretary has reason to believe that the covered system or asset no longer meets the exemption qualifications under subparagraph (B).

(5) ENFORCEMENT ACTIONS- An action to enforce any regulation promulgated pursuant to this section shall be initiated by--

(A) the Federal agency with responsibilities for regulating the security of the covered critical infrastructure, in consultation with the Secretary; or

(B) the Secretary, when--

(i) the covered critical infrastructure is not subject to regulation by another Federal agency;

(ii) the head of the Federal agency with responsibilities for regulating the security of the covered critical infrastructure requests the Secretary take such action; or

(iii) the Federal agency with responsibilities for regulating the security of the covered critical infrastructure fails to initiate such action after a request by the Secretary.

(d) Assessments-

(1) THIRD-PARTY ASSESSMENTS- The regulations promulgated under this section shall establish procedures for third-party private entities to conduct assessments that use reliable, repeatable, performance-based evaluations and metrics to--

(A) assess the implementation of the selected security measures;

(B) assess the effectiveness of the security measure or measures implemented by the owner in satisfying the risk-based security performance requirements established under section 104;

(C) require that third party assessors--

(i) be certified by the Secretary, in consultation with the head of any Federal agency with responsibilities for regulating the security of covered critical infrastructure, after completing a proficiency program established by the Secretary in consultation with owners and operators, the Critical Infrastructure Partnership Advisory Council, appropriate Information Sharing and Analysis Organizations, and in coordination with the Director of the National Institute of Standards and Technology, and relevant Federal agencies;

(ii) undergo regular retraining and certification;

(iii) provide the findings of the third party assessors to the owners and operators; and

(iv) submit each independent assessment to the owner, the Secretary, and to the Federal agency with responsibilities for regulating the security of the covered critical infrastructure.

(2) OTHER ASSESSMENTS- The regulations promulgated under this section shall establish procedures under which the Secretary--

(A) may perform cybersecurity assessments of selected covered critical infrastructure, in consultation with relevant agencies, based on--

(i) the specific cyber risks affecting or potentially affecting the information infrastructure of the specific system or asset constituting covered critical infrastructure;

(ii) any reliable intelligence or other information indicating a cyber risk to the information infrastructure of the specific system or asset constituting covered critical infrastructure;

(iii) actual knowledge or reasonable suspicion that an owner is not in compliance with risk-based security performance requirements established under section 104; or

(iv) such other risk-based factors as identified by the Secretary; and

(B) may use the resources of any relevant Federal agency with the concurrence of the head of such agency;

(C) to the extent practicable uses government and private sector information security assessment programs that were in existence on the date of enactment of this Act to conduct assessments; and

(D) provides copies of any Federal Government assessments to the owner of the covered system or asset.

(3) ACCESS TO INFORMATION-

(A) IN GENERAL- For the purposes of an assessment conducted under paragraph (1) or (2), an owner or operator shall provide an assessor any reasonable access necessary to complete the assessment.

(B) PROTECTION OF INFORMATION- Information provided to the Secretary, the Secretary’s designee, or any assessor during the course of an assessment under this section shall be protected from disclosure in accordance with section 107.

(e) Limitations on Civil Liability-

(1) IN GENERAL- Except as provided in paragraph (2), in any civil action for damages directly caused by an incident related to a cyber risk identified under section 102, an owner or operator shall not be liable for any punitive damages intended to punish or deter if the owner or operator--

(A) has implemented security measures, or a combination thereof, that satisfy the security performance requirements established under section 104;

(B) has undergone successful assessments, submitted an annual certification or third party assessment required by subsection (c)(1), or been granted an exemption in accordance with subsection (c)(4); and

(C) is in substantial compliance with the appropriate risk based cybersecurity performance requirements at the time of the incident related to that cyber risk.

(2) LIMITATION- Paragraph (1) shall only apply to harm directly caused by the incident related to the cyber risk and shall not apply to damages caused by any additional or intervening acts or omissions by the owner or operator.

SEC. 106. SECTOR-SPECIFIC AGENCIES.
(a) In General- The head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the security of covered critical infrastructure shall coordinate with the Secretary on any activities of the sector-specific agency or Federal agency that relate to the efforts of the agency regarding the cybersecurity and resiliency to cyber attack of critical infrastructure and covered critical infrastructure, within or under the supervision of the agency.

(b) Duplicative Reporting Requirements-

(1) IN GENERAL- The Secretary shall coordinate with the head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the security of covered critical infrastructure to determine whether reporting requirements in effect on the date of enactment of this Act substantially fulfill any reporting requirements described in this title.

(2) PRIOR REQUIRED REPORTS- If the Secretary determines that a report that was required under a regulatory regime in existence on the date of enactment of this Act substantially satisfies a reporting requirement under this title, the Secretary shall use such report and may not require an owner or operator to submit an additional report.

(3) COORDINATION- The Secretary shall coordinate with the head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the security of covered critical infrastructure to eliminate any duplicate reporting or compliance requirements relating to the security or resiliency of critical infrastructure and covered critical infrastructure, within or under the supervision of the agency.

(c) Requirements-

(1) IN GENERAL- To the extent that the head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the security of covered critical infrastructure has the authority to establish regulations, rules, or requirements or other required actions that are applicable to the security of critical infrastructure and covered critical infrastructure, the head of the agency shall--

(A) notify the Secretary in a timely fashion of the intent to establish the regulations, rules, requirements, or other required actions;

(B) coordinate with the Secretary to ensure that the regulations, rules, requirements, or other required actions are consistent with, and do not conflict or impede, the activities of the Secretary under this title; and

(C) in coordination with the Secretary, ensure that the regulations, rules, requirements, or other required actions are implemented, as they relate to covered critical infrastructure, in accordance with subsection (a).

(2) RULE OF CONSTRUCTION- Nothing in this section shall be construed to provide additional authority for any sector-specific agency or any Federal agency that is not a sector-specific agency with responsibilities for regulating the security of critical infrastructure or covered critical infrastructure to establish standards or other measures that are applicable to the security of critical infrastructure not otherwise authorized by law.

SEC. 107. PROTECTION OF INFORMATION.
(a) Definition- In this section, the term ‘covered information’--

(1) means--

(A) any information that constitutes a privileged or confidential trade secret or commercial or financial transaction that is appropriately marked at the time it is provided by entities that own or operate critical infrastructure in sector-by-sector risk assessments conducted under section 102;

(B) any information required to be submitted by owners and operators under section 105; and

(C) any information submitted by State and local governments, private entities, and international partners of the United States regarding threats, vulnerabilities, risks, and incidents affecting--

(i) the Federal information infrastructure;

(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or

(iii) critical infrastructure; and

(2) does not include any information described under paragraph (1), if that information is submitted to--

(A) conceal violations of law, inefficiency, or administrative error;

(B) prevent embarrassment to a person, organization, or agency; or

(C) interfere with competition in the private sector.

(b) Voluntarily Shared Critical Infrastructure Information- Covered information submitted in accordance with this section shall be treated as voluntarily shared critical infrastructure information under section 214 of the Homeland Security Act (

(c) Guidelines-

(1) IN GENERAL- Subject to paragraph (2), the Secretary shall develop and issue guidelines, in consultation with the Attorney General and the Critical Infrastructure Partnership Advisory Council, appropriate Information Sharing and Analysis Organizations, as necessary to implement this section.

(2) REQUIREMENTS- The guidelines developed under this section shall--

(A) include provisions for the sharing of information among governmental and nongovernmental officials and entities in furtherance of carrying out the authorities and responsibilities of the Secretary;

(B) be consistent, to the maximum extent possible, with policy guidance and implementation standards developed by the National Archives and Records Administration for controlled unclassified information, including with respect to marking, safeguarding, dissemination, and dispute resolution; and

(C) describe, with as much detail as possible, the categories and type of information entities should voluntarily submit.

(d) Process for Reporting Security Threats, Vulnerabilities, Risks, and Incidents-

(1) ESTABLISHMENT OF PROCESS- The Secretary shall establish through regulation, and provide information to the public regarding, a process by which any person may submit a report to the Secretary regarding cybersecurity threats, vulnerabilities, risks, and incidents affecting--

(A) the Federal information infrastructure;

(B) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or

(C) critical infrastructure.

(2) ACKNOWLEDGMENT OF RECEIPT- If a report submitted under paragraph (1) includes the identity of the person making the report, the Secretary shall respond promptly to the person and acknowledge receipt of the report.

(3) STEPS TO ADDRESS PROBLEM- Consistent with existing authority, the Secretary shall review and consider the information provided in any report submitted under paragraph (1) and, at the sole, unreviewable discretion of the Secretary, determine what, if any, steps are necessary or appropriate to address any threats, vulnerabilities, risks, and incidents identified.

(4) DISCLOSURE OF IDENTITY-

(A) IN GENERAL- Except as provided in subparagraph (B), or with the written consent of the person, the Secretary may not disclose the identity of a person who has provided information described in paragraph (1).

(B) REFERRAL TO THE ATTORNEY GENERAL-

(i) IN GENERAL- The Secretary shall disclose to the Attorney General the identity of a person who has provided information described in paragraph (1) if the matter is referred to the Attorney General for enforcement.

(ii) NOTICE- The Secretary shall provide reasonable advance notice to the person described in clause (i) if disclosure of that person’s identity is to occur, unless such notice would risk compromising a criminal or civil enforcement investigation or proceeding.

(e) Rules of Construction- Nothing in this section shall be construed to--

(1) limit or otherwise affect the right, ability, duty, or obligation of any entity to use or disclose any information of that entity, including in the conduct of any judicial or other proceeding;

(2) prevent the classification of information submitted under this section if that information meets the standards for classification under Executive Order 12958, or any successor thereto, or affect measures and controls relating to the protection of classified information as prescribed by Federal statute or under Executive Order 12958, or any successor thereto;

(3) limit the right of an individual to make any disclosure--

(A) protected or authorized under section 2302(b)(8) or 7211 of title 5, United States Code;

(B) to an appropriate official of information that the individual reasonably believes evidences a violation of any law, rule, or regulation, gross mismanagement, or substantial and specific danger to public health, safety, or security, and that is protected under any Federal or State law (other than those referenced in subparagraph (A)) that shields the disclosing individual against retaliation or discrimination for having made the disclosure if such disclosure is not specifically prohibited by law and if such information is not specifically required by Executive order to be kept secret in the interest of national defense or the conduct of foreign affairs; or

(C) to the Special Counsel, the Inspector General of an agency, or any other employee designated by the head of an agency to receive similar disclosures;

(4) prevent the Secretary from using information required to be submitted under this Act for enforcement of this title, including enforcement proceedings subject to appropriate safeguards;

(5) authorize information to be withheld from Congress, the Comptroller General, or the Inspector General of the Department;

(6) affect protections afforded to trade secrets under any other provision of law; or

(7) create a private right of action for enforcement of any provision of this section.

(f) Audit-

(1) IN GENERAL- Not later than 1 year after the date of enactment of this Act, the Inspector General of the Department shall conduct an audit of the management of information submitted under this section and report the findings to appropriate committees of Congress.

(2) CONTENTS- The audit under paragraph (1) shall include assessments of--

(A) whether the information is adequately safeguarded against inappropriate disclosure;

(B) the processes for marking and disseminating the information and resolving any disputes;

(C) how the information is used for the purposes of this section, and whether that use is effective;

(D) whether information sharing has been effective to fulfill the purposes of this section;

(E) whether the kinds of information submitted have been appropriate and useful, or overbroad or overnarrow;

(F) whether the information protections allow for adequate accountability and transparency of the regulatory, enforcement, and other aspects of implementing this title; and

(G) any other factors at the discretion of the Inspector General.

SEC. 108. VOLUNTARY TECHNICAL ASSISTANCE.
Subject to the availability of resources, in accordance with applicable law relating to the protection of trade secrets, and at the discretion of the Secretary, the Secretary shall provide voluntary technical assistance at the request of an owner or operator of covered critical infrastructure, to assist the owner or operator in meeting the requirements of section 105, including implementing required security or emergency measures, restoring the critical infrastructure in the event of destruction or serious disruption, and developing emergency response plans.

SEC. 109. EMERGENCY PLANNING.
(a) Emergency Planning- In partnership with owners and operators, the Secretary, in coordination with the heads of sector-specific agencies and the heads of other Federal agencies with responsibilities for regulating the security of covered critical infrastructure, shall exercise response and restoration plans, including plans required under section 105(b) to--

(1) assess performance and improve the capabilities and procedures of government and private sector entities to respond to a major cyber incident; and

(2) clarify specific roles, responsibilities, and authorities of government and private sector entities when responding to a major cyber incident.

SEC. 110. INTERNATIONAL COOPERATION.
(a) In General- The Secretary, in coordination with the Secretary of State or the head of the sector-specific agencies and the head of any Federal agency with responsibilities for regulating the security of covered critical infrastructure, shall--

(1) consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage within the United States and the government of the country in which the information infrastructure is located of any cyber risks to such information infrastructure; and

(2) coordinate with the government of the country in which such information infrastructure is located and, as appropriate, the owner or operator of the information infrastructure regarding the implementation of security measures or other measures to the information infrastructure to mitigate or remediate cyber risks.

(b) International Agreements- The Secretary, in coordination with the Secretary of State, including in particular with the interpretation of international agreements, shall perform the functions prescribed by this section consistent with applicable international agreements.

SEC. 111. EFFECT ON OTHER LAWS.
(a) Preemption of State Cybersecurity Laws- This Act shall supersede any statute, provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly requires comparable cybersecurity practices to protect covered critical infrastructure.

(b) Preservation of Other State Law- Except as expressly provided in subsection (a) and section 105(e), nothing in this Act shall be construed to preempt the applicability of any other State law or requirement.

TITLE II--PROTECTING GOVERNMENT NETWORKS

SEC. 201. FISMA REFORM.
(a) In General- Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:CommentsClose CommentsPermalink

‘SUBCHAPTER II--INFORMATION SECURITY
‘Sec. 3551. Purposes
‘The purposes of this subchapter are to--CommentsClose CommentsPermalink
‘(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;CommentsClose CommentsPermalink
‘(2) recognize the highly networked nature of the Federal computing environment and provide effective governmentwide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;CommentsClose CommentsPermalink
‘(3) provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture; andCommentsClose CommentsPermalink
‘(4) provide a mechanism to improve and continuously monitor the security of agency information security programs and systems through a focus on continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.CommentsClose CommentsPermalink
‘Sec. 3552. Definitions
‘(a) In General- Except as provided under subsection (b), the definitions under section 3502 (including the definitions of the terms ‘agency’ and ‘information system’) shall apply to this subchapter.CommentsClose CommentsPermalink
‘(b) Other Terms- In this subchapter:CommentsClose CommentsPermalink
‘(1) ADEQUATE SECURITY- The term ‘adequate security’ means security commensurate with the risk and impact resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.CommentsClose CommentsPermalink
‘(2) CONTINUOUS MONITORING- The term ‘continuous monitoring’ means the ongoing real time or near real-time process used to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time in light of rapidly changing information technology and threat development. To the maximum extent possible, this also requires automation of that process to enable cost effective, efficient, and consistent monitoring and provide a more dynamic view of the security state of those deployed controls.CommentsClose CommentsPermalink
‘(3) INCIDENT- The term ‘incident’ means an occurrence that--CommentsClose CommentsPermalink
‘(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; orCommentsClose CommentsPermalink
‘(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.CommentsClose CommentsPermalink
‘(4) INFORMATION SECURITY- The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide--CommentsClose CommentsPermalink
‘(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring nonrepudiation and authenticity;
‘(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
‘(C) availability, which means ensuring timely and reliable access to and use of information.
‘(5) INFORMATION TECHNOLOGY- The term ‘information technology’ has the meaning given that term in section 11101 of title 40.
‘(6) NATIONAL SECURITY SYSTEM-
‘(A) IN GENERAL- The term ‘national security system’ means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
‘(i) the function, operation, or use of which--
‘(I) involves intelligence activities;
‘(II) involves cryptologic activities related to national security;
‘(III) involves command and control of military forces;
‘(IV) involves equipment that is an integral part of a weapon or weapons system; or
‘(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
‘(ii) that is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
‘(B) EXCLUSION- Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
‘(7) SECRETARY- The term ‘Secretary’ means the Secretary of Homeland Security.
‘(8) THREAT ASSESSMENT- The term ‘threat assessment’ means the real time or near real time process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. Threat assessments consist of identifying threat sources, possible threat events, vulnerabilities within a system or network environment, determining the likelihood that an identified threat will occur and the possible adverse impacts of such an occurrence. This requires automation of that process and rapid sharing of emerging threat information among government agencies.
‘Sec. 3553. Federal information security authority and coordination
‘(a) In General- Except as provided in subsections (f) and (g), the Secretary shall oversee agency information security policies and practices, including the development and oversight of information security policies and directives and compliance with this subchapter.
‘(b) Duties- The Secretary shall--
‘(1) develop, issue, and oversee the implementation of information security policies and directives, which shall be compulsory and binding on agencies to the extent determined appropriate by the Secretary, including--
‘(A) policies and directives consistent with the standards promulgated under section 11331 of title 40 to identify and provide information security protections that are commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
‘(i) information collected, created, processed, stored, disseminated, or otherwise used or maintained by or on behalf of an agency; or
‘(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
‘(B) minimum operational requirements for network operations centers and security operations centers of agencies to facilitate the protection of and provide common situational awareness for all agency information and information systems;
‘(C) reporting requirements, consistent with relevant law, regarding information security incidents;
‘(D) requirements for agencywide information security programs, including continuous monitoring of information security;
‘(E) performance requirements and metrics for the security of agency information systems;
‘(F) training requirements to ensure that agencies are able to fully and timely comply with directions issued by the Secretary under this subchapter;
‘(G) training requirements regarding privacy, civil rights, civil liberties, and information oversight for agency information security employees;
‘(H) requirements for the annual reports to the Secretary under section 3554(c); and
‘(I) any other information security requirements as determined by the Secretary;
‘(2) review agency information security programs required to be developed under section 3554(b);
‘(3) develop and conduct targeted risk assessments and operational evaluations for agency information and information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments and penetration testing;
‘(4) operate consolidated intrusion detection, prevention, or other protective capabilities and use associated countermeasures for the purpose of protecting agency information and information systems from information security threats;
‘(5) in conjunction with other agencies and the private sector, assess and foster the development of information security technologies and capabilities for use across multiple agencies;
‘(6) designate an entity to receive reports and information about information security incidents, threats, and vulnerabilities affecting agency information systems;
‘(7) provide incident detection, analysis, mitigation, and response information and remote or on-site technical assistance to the heads of agencies; and
‘(8) coordinate with appropriate agencies and officials to ensure, to the maximum extent feasible, that policies and directives issued under paragraph (1) are complementary with--
‘(A) standards and guidelines developed for national security systems; and
‘(B) policies and directives issued by the Secretary of Defense, Director of the Central Intelligence Agency, and Director of National Intelligence under subsection (g)(1).
‘(c) Issuing Policies and Directives- When issuing policies and directives under subsection (b), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology and issued by the Secretary of Commerce under section 11331 of title 40. The Secretary shall consult with the Director of the National Institute of Standards and Technology when such policies and directives implement standards or guidelines developed by National Institute of Standards and Technology. To the maximum extent feasible, such standards and guidelines shall be complementary with standards and guidelines developed for national security systems.
‘(d) Communications and System Traffic-
‘(1) IN GENERAL- Notwithstanding any other provision of law, in carrying out the responsibilities under paragraphs (3) and (4) of subsection (b), if the Secretary makes a certification described in paragraph (2), the Secretary may acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on agency information systems and deploy countermeasures with regard to the communications and system traffic.
‘(2) CERTIFICATION- A certification described in this paragraph is a certification by the Secretary that--
‘(A) the acquisitions, interceptions, and countermeasures are reasonably necessary for the purpose of protecting agency information systems from information security threats;
‘(B) the content of communications will be collected and retained only when the communication is associated with a known or reasonably suspected information security threat, and communications and system traffic will not be subject to the operation of a countermeasure unless associated with the threats;
‘(C) information obtained under activities authorized under this subsection will only be retained, used, or disclosed to protect agency information systems from information security threats, mitigate against such threats, or, with the approval of the Attorney General, for law enforcement purposes when the information is evidence of a crime which has been, is being, or is about to be committed;
‘(D) notice has been provided to users of agency information systems concerning the potential for acquisition, interception, retention, use, and disclosure of communications and other system traffic; and
‘(E) the activities are implemented pursuant to policies and procedures governing the acquisition, interception, retention, use, and disclosure of communications and other system traffic that have been reviewed and approved by the Attorney General.
‘(3) PRIVATE ENTITIES- The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic in accordance with this subsection.
‘(e) Directions to Agencies-
‘(1) AUTHORITY-
‘(A) IN GENERAL- Notwithstanding section 3554, and subject to subparagraph (B), in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, the Secretary may direct other agency heads to take any lawful action with respect to the operation of the information systems, including those owned or operated by another entity on behalf of an agency, that collect, process, store, transmit, disseminate, or otherwise maintain agency information, for the purpose of protecting the information system from or mitigating an information security threat.
‘(B) EXCEPTION- The authorities of the Secretary under this subsection shall not apply to a system described in paragraph (2), (3), or (4) of subsection (g).
‘(2) PROCEDURES FOR USE OF AUTHORITY- The Secretary shall--
‘(A) in coordination with the Director of the Office of Management and Budget and in consultation with Federal contractors, as appropriate, establish procedures governing the circumstances under which a directive may be issued under this subsection, which shall include--
‘(i) thresholds and other criteria;
‘(ii) privacy and civil liberties protections; and
‘(iii) providing notice to potentially affected third parties;
‘(B) specify the reasons for the required action and the duration of the directive;
‘(C) minimize the impact of directives under this subsection by--
‘(i) adopting the least intrusive means possible under the circumstances to secure the agency information systems; and
‘(ii) limiting directives to the shortest period practicable; and
‘(D) notify the Director of the Office of Management and Budget and head of any affected agency immediately upon the issuance of a directive under this subsection.
‘(3) IMMINENT THREATS-
‘(A) IN GENERAL- If the Secretary determines that there is an imminent threat to agency information systems and a directive under this subsection is not reasonably likely to result in a timely response to the threat, the Secretary may authorize the use of protective capabilities under the control of the Secretary for communications or other system traffic transiting to or from or stored on an agency information system without prior consultation with the affected agency for the purpose of ensuring the security of the information or information system or other agency information systems.
‘(B) LIMITATION ON DELEGATION- The authority under this paragraph may not be delegated to an official in a position lower than Assistant Secretary.
‘(C) NOTICE- The Secretary or designee of the Secretary shall immediately notify the Director of the Office of Management and Budget and the head and chief information officer (or equivalent official) of each affected agency of--
‘(i) any action taken under this subsection; and
‘(ii) the reasons for and duration and nature of the action.
‘(D) OTHER LAW- The actions of the Secretary under this paragraph shall be consistent with applicable law.
‘(4) LIMITATION- The Secretary may direct or authorize lawful action or protective capability under this subsection only to--
‘(A) protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or
‘(B) require the remediation of or protect against identified information security risks with respect to--
‘(i) information collected or maintained by or on behalf of an agency; or
‘(ii) that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
‘(f) National Security Systems-
‘(1) IN GENERAL- This section shall not apply to a national security system.
‘(2) INFORMATION SECURITY- Information security policies, directives, standards, and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over national security systems.
‘(g) Delegation of Authorities-
‘(1) IN GENERAL- The authorities of the Secretary described in paragraphs (1), (2), (3), and (4) of subsection (b) shall be delegated to--
‘(A) the Secretary of Defense in the case of systems described in paragraph (2);
‘(B) the Director of the Central Intelligence Agency in the case of systems described in paragraph (3); and
‘(C) the Director of National Intelligence in the case of systems described in paragraph (4).
‘(2) DEPARTMENT OF DEFENSE- The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that process any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.
‘(3) CENTRAL INTELLIGENCE AGENCY- The systems described in this paragraph are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that process any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.
‘(4) OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE- The systems described in this paragraph are systems that are operated by the Office of the Director of National Intelligence, a contractor of the Office of the Director of National Intelligence, or another entity on behalf of the Office of the Director of National Intelligence that process any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Office of the Director of National Intelligence.
‘(5) INTEGRATION OF INFORMATION- The Secretary of Defense, the Director of the Central Intelligence Agency, and the Director of National Intelligence shall carry out their responsibilities under this subsection in coordination with the Secretary and share relevant information in a timely manner with the Secretary relating to the security of agency information and information systems, including systems described in paragraphs (2), (3), and (4), to enable the Secretary to carry out the responsibilities set forth in this section and to maintain comprehensive situational awareness regarding information security incidents, threats, and vulnerabilities affecting agency information systems, consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President.
‘Sec. 3554. Agency responsibilities
‘(a) In General- The head of each agency shall--
‘(1) be responsible for--
‘(A) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
‘(i) information collected, created, processed, stored, disseminated, or otherwise used or maintained by or on behalf of the agency; or
‘(ii) information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency;
‘(B) complying with this subchapter, including--
‘(i) the policies and directives issued under section 3553, including any directions under section 3553(e); and
‘(ii) information security policies, directives, standards, and guidelines for national security systems issued in accordance with law and as directed by the President;
‘(C) complying with the requirements of the information security standards prescribed under section 11331 of title 40, including any required security configuration checklists; and
‘(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
‘(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under the control of the officials, including through--
‘(A) assessing, with a frequency commensurate with risk, the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information or information systems;
‘(B) determining the levels of information security appropriate to protect the information and information systems in accordance with the policies and directives issued under section 3553(b) and standards prescribed under section 11331 of title 40;
‘(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
‘(D) security testing and evaluation, including continuously monitoring the effective implementation of information security controls and techniques, threats, vulnerabilities, assets, and other aspects of information security as appropriate; and
‘(E) reporting information about information security incidents, threats, and vulnerabilities in a timely manner as required under policies and procedures established under subsection (b)(7);
‘(3) assess and maintain the resiliency of information systems critical to the mission and operations of the agency;
‘(4) delegate to the chief information officer or equivalent official (or to a senior agency official who reports to the chief information officer or equivalent official) the authority to ensure and primary responsibility for ensuring compliance with this subchapter, including--
‘(A) overseeing the establishment and maintenance of an agencywide security operations capability that on a continuous basis can--
‘(i) detect, report, respond to, contain, and mitigate information security incidents that impair adequate security of the agency information and information systems in a timely manner and in accordance with the policies and directives issued under section 3553(b); and
‘(ii) report any information security incident described under clause (i) to the entity designated under section 3553(b)(6);
‘(B) developing, maintaining, and overseeing an agencywide information security program as required under subsection (b);
‘(C) developing, maintaining, and overseeing information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3553 and section 11331 of title 40;
‘(D) training and overseeing employees and contractors of the agency with significant responsibilities for information security with respect to such responsibilities; and
‘(E) assisting senior agency officials concerning their responsibilities under paragraph (2);
‘(5) the agency has trained and obtained security clearances for an adequate number of employees to assist the agency in complying with this subchapter, including the policies and directives issued under section 3553(b);
‘(6) ensure that the chief information officer (or other senior agency official designated under paragraph (4)), in coordination with other senior agency officials, reports to the head of the agency on the effectiveness of the agency information security program, including the progress of remedial actions;
‘(7) ensure that the chief information officer (or other senior agency official designated under paragraph (4))--
‘(A) possesses the necessary qualifications to administer the duties of the official under this subchapter; and
‘(B) has information security duties as a primary duty of the official; and
‘(8) ensure that senior agency officials (including component chief information officers or equivalent officials) carry out responsibilities under this subchapter as directed by the official delegated authority under paragraph (4).
‘(b) Agency Program- The head of each agency shall develop, document, and implement an agencywide information security program, which shall be reviewed under section 3553(b)(2), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, which shall include--
‘(1) the development, execution, and maintenance of a risk management strategy for information security that--
‘(A) considers information security threats, vulnerabilities, and consequences;
‘(B) includes periodic assessments and reporting of risk, with a frequency commensurate with risk and impact;
‘(2) policies and procedures that--
‘(A) are based on the risk management strategy and assessment results required under paragraph (1);
‘(B) reduce information security risks to an acceptable level in a cost-effective manner;
‘(C) ensure that cost-effective and adequate information security is addressed throughout the life cycle of each agency information system; and
‘(D) ensure compliance with--
‘(i) this subchapter;
‘(ii) the information security policies and directives issued under section 3553(b); and
‘(iii) any other applicable requirements;
‘(3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
‘(4) security awareness training developed in accordance with the requirements issued under section 3553(b) to inform individuals with access to agency information systems, including information security employees, contractors, and other users of information systems that support the operations and assets of the agency, of--
‘(A) information security risks associated with their activities;
‘(B) their responsibilities in complying with agency policies and procedures designed to reduce those risks; and
‘(C) requirements for fulfilling privacy, civil rights, civil liberties, and other information oversight responsibilities;
‘(5) security testing and evaluation commensurate with risk and impact that includes--
‘(A) risk-based continuous monitoring of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of management, operational, and technical controls of information systems identified in the inventory required under section 3505(c);
‘(B) penetration testing exercises and operational evaluations in accordance with the requirements issued under section 3553(b) to evaluate whether the agency adequately protects against, detects, and responds to incidents;
‘(C) vulnerability scanning, intrusion detection and prevention, and penetration testing, in accordance with the requirements issued under section 3553(b); and
‘(D) any other periodic testing and evaluation, in accordance with the requirements issued under section 3553(b);
‘(6) a process for ensuring that remedial actions are taken to mitigate information security vulnerabilities commensurate with risk and impact, and otherwise address any deficiencies in the information security policies, procedures, and practices of the agency;
‘(7) policies and procedures to ensure detection, mitigation, reporting, and responses to information security incidents, in accordance with the policies and directives issued under section 3553(b), including--
‘(A) ensuring timely internal reporting of information security incidents;
‘(B) establishing and maintaining appropriate technical capabilities to detect and mitigate risks associated with information security incidents;
‘(C) notifying and consulting with the entity designated by the Secretary under section 3553(b)(6); and
‘(D) notifying and consulting with--
‘(i) law enforcement agencies and relevant Offices of Inspectors General; and
‘(ii) any other entity, in accordance with law and as directed by the President; and
‘(8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
‘(c) Agency Reporting- The head of each agency shall--
‘(1) report annually to the Secretary on the adequacy and effectiveness of information security policies, procedures, and practices, including--
‘(A) compliance of the agency with the requirements of this subchapter;
‘(B) a conclusion as to the effectiveness of the information security policies, procedures, and practices of the agency based on a determination of the aggregate effect of identified deficiencies;
‘(C) an identification and analysis of, including actions and plans to address, any significant deficiencies identified in such policies, procedures, and practices; and
‘(D) any information or evaluation required under the reporting requirements issued under section 3553(b);
‘(2) make the report required under paragraph (1) available to the appropriate authorization and appropriations committees of Congress and the Comptroller General of the United States; and
‘(3) address the adequacy and effectiveness of the information security policies, procedures, and practices of the agency as required for management and budget plans and reports, as appropriate.
‘(d) Communications and System Traffic- Notwithstanding any other provision of law, the head of each agency is authorized to allow the Secretary, or a private entity providing assistance to the Secretary under section 3553, to acquire, intercept, retain, use, and disclose communications, system traffic, records, or other information transiting to or from or stored on an agency information system for the purpose of protecting agency information and information systems from information security threats or mitigating the threats in connection with the implementation of the information security capabilities authorized by paragraph (3) or (4) of section 3553(b).
‘Sec. 3555. Annual assessments
‘(a) In General- Except as provided in subsection (c), the Secretary shall conduct periodic assessments of the information security programs and practices of agencies based on the annual agency reports required under section 3554(c), the annual independent evaluations required under section 3556, the results of any continuous monitoring, and other available information.
‘(b) Contents- Each assessment conducted under subsection (a) shall--
‘(1) assess the effectiveness of agency information security policies, procedures, and practices;
‘(2) provide an assessment of the status of agency information system security for the Federal Government as a whole; and
‘(3) include recommendations for improving information system security for an agency or the Federal Government as a whole.
‘(c) Certain Information Systems-
‘(1) NATIONAL SECURITY SYSTEMS- A periodic assessment conducted under subsection (a) relating to a national security system shall be prepared as directed by the President.
‘(2) SPECIFIC AGENCIES- Periodic assessments conducted under subsection (a) shall be prepared in accordance with governmentwide reporting requirements by--
‘(A) the Secretary of Defense for information systems under the control of the Department of Defense;
‘(B) the Director of the Central Intelligence Agency for information systems under the control of the Central Intelligence Agency; and
‘(C) the Director of National Intelligence for information systems under the control of the Office of the Director of National Intelligence.
‘(d) Agency-specific Assessments- Each assessment conducted under subsection (a) that relates, in whole or in part, to the information systems of an agency shall be made available to the head of the agency.
‘(e) Protection of Information- In conducting assessments under subsection (a), the Secretary shall take appropriate actions to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and policies.
‘(f) Report to Congress- The Secretary, in coordination with the Secretary of Defense, the Director of the Central Intelligence Agency, and the Director of National Intelligence, shall evaluate and submit to Congress an annual report on the adequacy and effectiveness of the information security programs and practices assessed under this section.
‘Sec. 3556. Independent evaluations
‘(a) In General- Not less than once every 2 years, an independent evaluation shall be performed of the information security program and practices of each agency in accordance with the guidance developed under subsection (d) to determine the effectiveness of the programs and practices in addressing risk.
‘(b) Contents- Each evaluation performed under subsection (a) shall include--
‘(1) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the information systems of the agency;
‘(2) an assessment of compliance with this subchapter and any significant deficiencies; and
‘(3) a conclusion as to the effectiveness of the information security policies, procedures, and practices of the agency in addressing risk based on a determination of the aggregate effect of identified deficiencies.
‘(c) Conduct of Independent Evaluations- An evaluation of an agency under subsection (a) shall be performed by--
‘(1) the Inspector General of the agency;
‘(2) at the discretion of the Inspector General of the agency, an independent entity entering a contract with the Inspector General to perform the evaluation; or
‘(3) if the agency does not have an Inspector General, an independent entity selected by the head of the agency, in consultation with the Secretary.
‘(d) Guidance- The Council of Inspectors General on Integrity and Efficiency, in consultation with the Secretary, the Comptroller General of the United States, and the Director of the National Institute of Standards and Technology, shall issue and maintain guidance for performing timely, cost-effective, and risk-based evaluations under subsection (a).
‘(e) Reports- The official or entity performing an evaluation of an agency under subsection (a) shall submit to Congress, the agency, and the Comptroller General of the United States a report regarding the evaluation. The head of the agency shall provide to the Secretary a report received under this subsection.
‘(f) National Security Systems- An evaluation under subsection (a) of a national security system shall be performed as directed by the President.
‘(g) Comptroller General- The Comptroller General of the United States shall periodically evaluate and submit to Congress reports on--
‘(1) the adequacy and effectiveness of the information security policies and practices of agencies; and
‘(2) implementation of this subchapter.
‘Sec. 3557. National security systems
‘The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency--
‘(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized use, disclosure, disruption, modification, or destruction of the information contained in the national security system;
‘(2) implements information security policies and practices as required by standards and guidelines for national security systems issued in accordance with law and as directed by the President; and
‘(3) complies with this subchapter.
‘Sec. 3558. Effect on existing law
‘Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over the agency.’.
(b) Technical and Conforming Amendment- The table of sections for chapter 35 of title 44 is amended by striking the matter relating to subchapters II and III and inserting the following:
‘subchapter ii--information security
‘Sec. 3551. Purposes.
‘Sec. 3552. Definitions.
‘Sec. 3553. Federal information security authority and coordination.
‘Sec. 3554. Agency responsibilities.
‘Sec. 3555. Annual assessments.
‘Sec. 3556. Independent evaluations.
‘Sec. 3557. National security systems.
‘Sec. 3558. Effect on existing law.’.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General-

‘Sec. 11331. Responsibilities for Federal information systems standards
‘(a) Definitions- In this section:
‘(1) FEDERAL INFORMATION SYSTEM- The term ‘Federal information system’ means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another entity on behalf of an executive agency.
‘(2) INFORMATION SECURITY- The term ‘information security’ has the meaning given that term in section 3552 of title 44.
‘(3) NATIONAL SECURITY SYSTEM- The term ‘national security system’ has the meaning given that term in section 3552 of title 44.
‘(b) Standards and Guidelines-
‘(1) AUTHORITY TO PRESCRIBE- Except as provided under paragraph (2), and based on the standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)), the Secretary of Commerce, in consultation with the Secretary of Homeland Security, shall prescribe standards and guidelines relating to Federal information systems.
‘(2) NATIONAL SECURITY SYSTEMS- Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.
‘(c) Mandatory Requirements-
‘(1) AUTHORITY TO MAKE MANDATORY- The Secretary of Commerce may require executive agencies to comply with the standards prescribed under subsection (b)(1) to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems.
‘(2) REQUIRED MANDATORY STANDARDS-
‘(A) IN GENERAL- The Secretary of Commerce shall require executive agencies to comply with the standards described in subparagraph (B).
‘(B) CONTENTS- The standards described in this subparagraph are information security standards that--
‘(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and
‘(ii) are otherwise necessary to improve the security of Federal information and Federal information systems.
‘(d) Authority To Disapprove or Modify- The President may disapprove or modify the standards and guidelines prescribed under subsection (b)(1) if the President determines such action to be in the public interest. The authority of the President to disapprove or modify the standards and guidelines may be delegated to the Director of the Office of Management and Budget. Notice of a disapproval or modification under this subsection shall be published promptly in the Federal Register. Upon receiving notice of a disapproval or modification, the Secretary of Commerce shall immediately rescind or modify the standards or guidelines as directed by the President or the Director of the Office of Management and Budget.
‘(e) Exercise of Authority- To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority under this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.
‘(f) Application of More Stringent Standards- The head of an executive agency may employ standards for the cost-effective information security for Federal information systems of that agency that are more stringent than the standards prescribed by the Secretary of Commerce under subsection (b)(1) if the more stringent standards--
‘(1) contain any standards with which the Secretary of Commerce has required the agency to comply; and
‘(2) are otherwise consistent with the policies and directives issued under section 3553(b) of title 44.
‘(g) Decisions on Promulgation of Standards- The decision by the Secretary of Commerce regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).’.
(b) Technical and Conforming Amendments-
(1) Section 3502(8) of title 44, United States Code, is amended by inserting ‘hosting,’ after ‘collection,’;
(2) The National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is amended--
(A) in section 20(a)(2) (15 U.S.C. 278g-3(a)(2)), by striking ‘section 3532(b)(2)’ and inserting ‘section 3552(b)’; and
(B) in section 21(b) (15 U.S.C. 278g-4(b))--
(i) in paragraph (2), by inserting ‘, the Secretary of Homeland Security,’ after ‘the Institute’; and
(ii) in paragraph (3), by inserting ‘the Secretary of Homeland Security,’ after ‘the Secretary of Commerce,’.
(3) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ‘section 3532(3)’ and inserting ‘section 3552(b)’.
(4) Part IV of title 10, United States Code, is amended--
(A) in section 2222(j)(5), by striking ‘section 3542(b)(2)’ and inserting ‘section 3552(b)’;
(B) in section 2223(c)(3), by striking ‘section 3542(b)(2)’ and inserting ‘section 3552(b)’; and
(C) in section 2315, by striking ‘section 3542(b)(2)’ and inserting ‘section 3552(b)’.
(5) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ‘section 3534(b)’ and inserting ‘section 3554(b)’.
SEC. 203. SAVINGS PROVISIONS.
(a) In General- Policies and compliance guidance issued by the Director of the Office of Management and Budget before the date of enactment of this Act under section 3543(a)(1) of title 44 (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed under section 3553(b)(1) of title 44, as added by this Act.

(b) Other Standards and Guidelines- Standards and guidelines issued by the Secretary of Commerce or by the Director of the Office of Management and Budget before the date of enactment of this Act under section 11331(b)(1) of title 40 (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed under section 11331(b)(1), as added by this Act.

TITLE III--CLARIFYING AND STRENGTHENING EXISTING ROLES AND AUTHORITIES

SEC. 301. CONSOLIDATION OF EXISTING DEPARTMENTAL CYBER RESOURCES AND AUTHORITIES.
(a) In General- Title II of the Homeland Security Act of 2002 (

‘Subtitle E--Cybersecurity
‘SEC. 241. DEFINITIONS.
‘In this subtitle:
‘(1) AGENCY INFORMATION INFRASTRUCTURE- The term ‘agency information infrastructure’ means the Federal information infrastructure of a particular Federal agency.
‘(2) CENTER- The term ‘Center’ means the National Center for Cybersecurity and Communications established under section 242.
‘(3) COVERED CRITICAL INFRASTRUCTURE- The term ‘covered critical infrastructure’ means a system or asset designated by the Secretary as covered critical infrastructure in accordance with the procedure established under section 103 of the Cybersecurity Act of 2012.
‘(4) DAMAGE- The term ‘damage’ has the meaning given that term in section 1030(e) of title 18, United States Code.
‘(5) FEDERAL AGENCY- The term ‘Federal agency’ has the meaning given the term ‘agency’ in section 3502 of title 44, United States Code.
‘(6) FEDERAL CYBERSECURITY CENTER- The term ‘Federal cybersecurity center’ has the meaning given that term in section 708 of the Cybersecurity Act of 2012.
‘(7) FEDERAL ENTITY- The term ‘Federal entity’ has the meaning given that term in section 708 of the Cybersecurity Act of 2012.
‘(8) FEDERAL INFORMATION INFRASTRUCTURE- The term ‘Federal information infrastructure’--
‘(A) means information and information systems that are owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and
‘(B) does not include--
‘(i) a national security system; or
‘(ii) information and information systems that are owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community.
‘(9) INCIDENT- The term ‘incident’ has the meaning given that term in section 3552 of title 44, United States Code.
‘(10) INFORMATION SECURITY- The term ‘information security’ has the meaning given that term in section 3552 of title 44, United States Code.
‘(11) INFORMATION SYSTEM- The term ‘information system’ has the meaning given that term in section 3502 of title 44, United States Code.
‘(12) INTELLIGENCE COMMUNITY- The term ‘intelligence community’ has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)).
‘(13) NATIONAL SECURITY AND EMERGENCY PREPAREDNESS COMMUNICATIONS INFRASTRUCTURE- The term ‘national security and emergency preparedness communications infrastructure’ means the systems supported or covered by the Office of Emergency Communications and the National Communications System on the date of enactment of the Cybersecurity Act of 2012 or otherwise described in Executive Order 12472, or any successor thereto, relating to national security and emergency preparedness communications functions.
‘(14) NATIONAL INFORMATION INFRASTRUCTURE- The term ‘national information infrastructure’ means information and information systems--
‘(A) that are owned, operated, or controlled within or from the United States; and
‘(B) that are not owned, operated, controlled, or licensed for use by a Federal agency.
‘(15) NATIONAL SECURITY SYSTEM- The term ‘national security system’ has the meaning given that term in section 3552 of title 44, United States Code.
‘(16) NON-FEDERAL ENTITY- The term ‘non-Federal entity’ has the meaning given that term in section 708 of the Cybersecurity Act of 2012.
‘SEC. 242. CONSOLIDATION OF EXISTING RESOURCES.
‘(a) Establishment- There is established within the Department a National Center for Cybersecurity and Communications.
‘(b) Transfer of Functions- There are transferred to the Center the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System, including all the functions, personnel, assets, authorities, and liabilities of the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System.
‘(c) Director- The Center shall be headed by a Director, who shall be appointed by the President, by and with the advice and consent of the Senate, and who shall report directly to the Secretary.
‘(d) Duties- The Director of the Center shall--
‘(1) manage Federal efforts to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States, working cooperatively with appropriate government agencies and the private sector;
‘(2) support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure;
‘(3) prioritize the efforts of the Center to address the most significant risks and incidents that have caused or are likely to cause damage to the Federal information infrastructure, the national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States;
‘(4) ensure, in coordination with the privacy officer designated under subsection (j), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons; and
‘(5) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and the national security and emergency preparedness communications infrastructure of the United States.
‘(e) Authorities and Responsibilities of Center- The Center shall--
‘(1) engage in activities and otherwise coordinate Federal efforts to identify, protect against, remediate, and mitigate, respond to, and recover from cybersecurity threats, consequences, vulnerabilities and incidents impacting the Federal information infrastructure and the national information infrastructure, including by providing support to entities that own or operate national information infrastructure, at their request;
‘(2) conduct risk-based assessments of the Federal information infrastructure, and risk assessments of critical infrastructure;
‘(3) develop, oversee the implementation of, and enforce policies, principles, and guidelines on information security for the Federal information infrastructure, including exercise of the authorities under the Federal Information Security Management Act of 2002 (title III of Public Law 107-347; 116 Stat. 2946);
‘(4) evaluate and facilitate the adoption of technologies designed to enhance the protection of information infrastructure, including making such technologies available to entities that own or operate national information infrastructure, with or without reimbursement, as necessary to accomplish the purposes of this section;
‘(5) oversee the responsibilities related to national security and emergency preparedness communications infrastructure, including the functions of the Office of Emergency Communications and the National Communications System;
‘(6)(A) maintain comprehensive situational awareness of the security of the Federal information infrastructure and the national information infrastructure for the purpose of enabling and supporting activities under subparagraph (e)(1); and
‘(B) provide classified and unclassified information to entities that own or operate national information infrastructure to support efforts by such entities to secure such infrastructure and for enhancing overall situational awareness;
‘(7) serve as the focal point for, and foster collaboration between, the Federal Government, State and local governments, and private entities on matters relating to the security of the national information infrastructure;
‘(8) develop, in coordination with the Assistant Secretary for Infrastructure Protection, other Federal agencies, the private sector, and State and local governments a national incident response plan that details the roles of Federal agencies, State and local governments, and the private sector, and coordinate national cyber incident response efforts;
‘(9) consult, in coordination with the Secretary of State, with appropriate international partners to enhance the security of the Federal information infrastructure, national information infrastructure, and information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States; and
‘(10) coordinate the activities undertaken by Federal agencies to--
‘(A) protect Federal information infrastructure and national information infrastructure; and
‘(B) prepare the Nation to respond to, recover from, and mitigate against risks of incidents involving such infrastructure; and
‘(11) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States.
‘(f) Use of Existing Mechanisms for Collaboration- To avoid unnecessary duplication or waste, in carrying out the authorities and responsibilities of the Center under this subtitle, to the maximum extent practicable, the Director of the Center shall make use of existing mechanisms for collaboration and information sharing, including mechanisms relating to the identification and communication of cybersecurity threats, vulnerabilities, and associated consequences, established by other components of the Department or other Federal agencies and the information sharing mechanisms established under title VII of the Cybersecurity Act of 2012.
‘(g) Deputy Directors-
‘(1) IN GENERAL- There shall be a Deputy Director appointed by the Secretary, who shall--
‘(A) have expertise in infrastructure protection; and
‘(B) ensure that the operations of the Center and the Office of Infrastructure Protection avoid duplication and use, to the maximum extent practicable, joint mechanisms for information sharing and coordination with the private sector.
‘(2) INTELLIGENCE COMMUNITY- The Director of National Intelligence, with the concurrence of the Secretary, shall identify an employee of an element of the intelligence community to serve as a Deputy Director of the Center. The employee shall be detailed to the Center on a reimbursable basis for such period as is agreed to by the Director of the Center and the Director of National Intelligence, and, while serving as Deputy Director, shall report directly to the Director of the Center.
‘(h) Cybersecurity Exercise Program- The Director of the Center shall develop and implement a national cybersecurity exercise program with the participation of State and local governments, international partners of the United States, and the private sector.
‘(i) Liaison Officers-
‘(1) REQUIRED DETAIL OF LIAISON OFFICERS- The Secretary of Defense, the Attorney General, the Secretary of Commerce, and the Director of National Intelligence shall assign personnel to the Center to act as full-time liaisons.
‘(2) OPTIONAL DETAIL OF LIAISON OFFICERS- The head of any Federal agency not described in paragraph (1), with the concurrence of the Director of the Center, may assign personnel to the Center to act as liaisons.
‘(3) PRIVATE SECTOR LIAISON- The Director of the Center shall designate not less than 1 employee of the Center to serve as a liaison with the private sector.
‘(j) Privacy Officer- The Director of the Center, in consultation with the Secretary, shall designate a full-time privacy officer.
‘(k) Sufficiency of Resources Plan-
‘(1) REPORT- Not later than 120 days after the date of enactment of the Cybersecurity Act of 2012, the Director of the Office of Management and Budget shall submit to the appropriate committees of Congress and the Comptroller General of the United States a report on the resources and staff necessary to carry out fully the responsibilities under this subtitle, including the availability of existing resources and staff.
‘(2) COMPTROLLER GENERAL REVIEW- The Comptroller General of the United States shall evaluate the reasonableness and adequacy of the report submitted by the Director of the Office of Management and Budget under paragraph (1) and submit to the appropriate committees of Congress a report regarding the same.
‘(l) No Right or Benefit- The provision of assistance or information under this section to governmental or private entities that own or operate critical infrastructure shall be at the discretion of the Secretary. The provision of certain assistance or information to a governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity.
‘SEC. 243. DEPARTMENT OF HOMELAND SECURITY INFORMATION SHARING.
‘(a) In General-
‘(1) ASSESSMENT- Not later than 180 days after the date of enactment of the Cybersecurity Act of 2012, the Director of the Center, in consultation with the private sector, relevant government agencies, and nongovernmental organizations, shall conduct an assessment of existing and proposed information sharing models to identify best practices for sharing information across government and with the private sector, including through cybersecurity exchanges designated pursuant to section 703 of the Cybersecurity Act of 2012.
‘(2) INFORMATION SHARING- The Director of the Center shall periodically review procedures established under subsection (b) and the program established in accordance with subsection (c) to ensure that classified and unclassified cybersecurity information, including information relating to threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the Federal information infrastructure, national information infrastructure, or information systems, are being appropriately shared between and among appropriate Federal and non-Federal entities, including Federal cybersecurity centers, Federal and non-Federal network and security operations centers, cybersecurity exchanges, and non-Federal entities responsible for such information systems.
‘(b) Federal Agencies-
‘(1) INFORMATION SHARING PROGRAM- The Director of the Center, in consultation with the members of the Chief Information Officers Council established under section 3603 of title 44, United States Code, shall establish a program for sharing information with and between the Center and other Federal agencies that includes processes and procedures--
‘(A) under which the Director of the Center regularly shares with each Federal agency analyses and reports regarding the security of such agency information infrastructure and on the overall security of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, which shall include means and methods of preventing, responding to, mitigating, and remediating cybersecurity threats and vulnerabilities; and
‘(B) under which Federal agencies provide the Director of the Center, upon request, with information concerning the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure necessary to carry out the duties of the Director of the Center under this subtitle or any other provision of law.
‘(2) ACCESS TO INFORMATION-
‘(A) IN GENERAL- The Director of the Center shall ensure--
‘(i) that the head of each Federal agency has timely access to data, including appropriate raw and processed data, regarding the information infrastructure of the Federal agency; and
‘(ii) to the greatest extent possible, that the head of each Federal agency is kept apprised of common trends in security compliance as well as the likelihood that a significant cybersecurity risk or incident could cause damage to the agency information infrastructure.
‘(B) COMPLIANCE- The head of a Federal agency shall comply with all processes and procedures established under this subsection regarding notification to the Director of the Center relating to incidents.
‘(C) IMMEDIATE NOTIFICATION REQUIRED- Unless otherwise directed by the President, any Federal agency with a national security system shall, consistent with the level of the risk, immediately notify the Director of the Center regarding any incident affecting the security of a national security system.
‘(c) Private Sector, State and Local Governments, and International Partners-
‘(1) INFORMATION SHARING PROGRAM- The Director of the Center shall establish a program for sharing cybersecurity threat and vulnerability information in support of activities under section 242(e)(1) between the Center, cybersecurity exchanges designated pursuant to section 703 of the Cybersecurity Act of 2012, State and local governments, the private sector, and international partners, which shall include processes and procedures that--
‘(A) expand and enhance the sharing of timely and actionable cybersecurity threat and vulnerability information by the Federal Government with owners and operators of the national information infrastructure;
‘(B) establish criteria under which owners or operators of covered critical infrastructure information systems shall share information about incidents affecting covered critical infrastructure, and other relevant data with the Federal Government;
‘(C) ensure voluntary information sharing with and from the private sector, State and local governments, and international partners of the United States on--
‘(i) cybersecurity threats, vulnerabilities, incidents, and anomalous activities affecting the national information infrastructure; and
‘(ii) means and methods of identifying, preventing, responding to, mitigating and remediating cybersecurity threats, and vulnerabilities;
‘(D) establish a method of accessing classified or unclassified information, as appropriate and in accordance with applicable laws protecting trade secrets, that will provide situational awareness of the security of the Federal information infrastructure and the national information infrastructure relating to cybersecurity threats, and vulnerabilities, including traffic, trends, incidents, damage, and other anomalous activities affecting the Federal information infrastructure or the national information infrastructure;
‘(E) establish guidance on the form, content, and priority of incident reports that shall be submitted under subsection (c)(1)(B), which shall--CommentsClose CommentsPermalink
‘(i) include appropriate mechanisms to protect personally identifiable information; andCommentsClose CommentsPermalink
‘(ii) prioritize the reporting of incidents based on the risk the incident poses to the disruption of the reliable operation of the covered critical infrastructure; andCommentsClose CommentsPermalink
‘(F) establish a procedure for notifying an information technology provider if a vulnerability is detected in the product or service produced by the information technology provider and, where possible, working with the information technology provider to remediate the vulnerability before any public disclosure of the vulnerability so as to minimize the opportunity for the vulnerability to be exploited.CommentsClose CommentsPermalink
‘(2) COORDINATION- In carrying out the duties under this subsection, the Director of the Center shall coordinate, as appropriate, with Federal and non-Federal entities engaged in similar information sharing efforts.CommentsClose CommentsPermalink
‘(3) EVALUATION OF ACCESS TO CLASSIFIED INFORMATION- The Director of the Center, in coordination with the Director of National Intelligence, shall conduct an annual evaluation of the sufficiency of access to classified information by owners and operators of national information infrastructure.CommentsClose CommentsPermalink
‘(4) EVALUATION- The Director of the Center shall create and promote a mechanism for owners and operators of national information infrastructure to provide feedback about the operations of the Center and recommendations for improvements of the Center, including recommendations to improve the sharing of classified and unclassified information.CommentsClose CommentsPermalink
‘(5) GUIDELINES- The Director of the Center, in consultation with the Attorney General, the Director of National Intelligence, and the Privacy Officer established under section 242(j), shall develop guidelines to protect the privacy and civil liberties of United States persons and intelligence sources and methods, while carrying out this subsection.CommentsClose CommentsPermalink
‘(d) Voluntarily Shared Information- Covered information, as defined in section 107 of the Cybersecurity Act of 2012, submitted to the Center in accordance with this subtitle shall be treated as voluntarily shared critical infrastructure information under section 214, except that the requirement of section 214 that the information be voluntarily submitted, including the requirement for an express statement, shall not be required for submissions of covered information.CommentsClose CommentsPermalink
‘(e) Limitation on Use of Voluntarily Submitted Information for Regulatory Enforcement Actions- A Federal entity may not use information submitted under this subtitle as evidence in a regulatory enforcement action against the individual or entity that lawfully submitted the information.CommentsClose CommentsPermalink
‘SEC. 244. ACCESS TO INFORMATION.
‘Unless otherwise directed by the President--
‘(1) the Director of the Center shall have access to, receive, and analyze law enforcement information, intelligence information, terrorism information, and any other information in the possession of Federal agencies relevant to the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or national information infrastructure and, consistent with applicable law, may also receive such information from State and local governments (including law enforcement agencies) and private entities, including information provided by any contractor to a Federal agency regarding the security of the agency information infrastructure; and
‘(2) any Federal agency in possession of law enforcement information, intelligence information, terrorism information, or any other information relevant to the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or national information infrastructure shall provide that information to the Director of the Center in a timely manner.
‘SEC. 245. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS ACQUISITION AUTHORITIES.
‘(a) In General- The National Center for Cybersecurity and Communications is authorized to use the authorities under subsections (c)(1) and (d)(1)(B) of section 2304 of title 10, United States Code, instead of the authorities under subsections (a)(1) and (b)(2) of section 3304 of title 41, United States Code, subject to all other requirements of sections 3301 and 3304 of title 41, United States Code.
‘(b) Guidelines- Not later than 90 days after the date of enactment of the Cybersecurity Act of 2012, the chief procurement officer of the Department of Homeland Security shall issue guidelines for use of the authority under subsection (a).
‘(c) Termination- The National Center for Cybersecurity and Communications may not use the authority under subsection (a) on and after the date that is 3 years after the date of enactment of this Act.
‘(d) Reporting-
‘(1) IN GENERAL- On a semiannual basis, the Director of the Center shall submit a report on use of the authority granted by subsection (a) to--
‘(A) the Committee on Homeland Security and Governmental Affairs of the Senate; and
‘(B) the Committee on Homeland Security of the House of Representatives.
‘(2) CONTENTS- Each report submitted under paragraph (1) shall include, at a minimum--
‘(A) the number of contract actions taken under the authority under subsection (a) during the period covered by the report; and
‘(B) for each contract action described in subparagraph (A)--
‘(i) the total dollar value of the contract action;
‘(ii) a summary of the market research conducted by the National Center for Cybersecurity and Communications, including a list of all offerors who were considered and those who actually submitted bids, in order to determine that use of the authority was appropriate; and
‘(iii) a copy of the justification and approval documents required by section 3304(e) of title 41, United States Code.
‘(3) CLASSIFIED ANNEX- A report submitted under this subsection shall be submitted in an unclassified form, but may include a classified annex, if necessary.
‘SEC. 246. RECRUITMENT AND RETENTION PROGRAM FOR THE NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS.
‘(a) Definitions- In this section:
‘(1) COLLECTIVE BARGAINING AGREEMENT- The term ‘collective bargaining agreement’ has the meaning given that term in section 7103(a)(8) of title 5, United States Code.
‘(2) QUALIFIED EMPLOYEE- The term ‘qualified employee’ means an employee who performs functions relating to the security of Federal systems and critical information infrastructure.
‘(b) General Authority-
‘(1) ESTABLISH POSITIONS, APPOINT PERSONNEL, AND FIX RATES OF PAY- The Secretary may exercise with respect to qualified employees of the Department the same authority that the Secretary of Defense has with respect to civilian intelligence personnel under sections 1601, 1602, and 1603 of title 10, United States Code, to establish positions in the excepted service, to appoint individuals to those positions, and to fix pay. Such authority shall be exercised subject to the same conditions and limitations applicable to the Secretary of Defense with respect to civilian intelligence personnel of the Department of Defense.
‘(2) SCHOLARSHIP PROGRAM- The Secretary may exercise with respect to qualified employees of the Department the same authority that the Secretary of Defense has with respect to civilian personnel under section 2200a of title 10, United States Code, to the same extent, and subject to the same conditions and limitations, that the Secretary of Defense may exercise such authority with respect to civilian personnel of the Department of Defense.
‘(3) PLAN FOR EXECUTION OF AUTHORITIES- Not later than 120 days after the date of enactment of this subtitle, the Secretary shall submit a report to the appropriate committees of Congress with a plan for the use of the authorities provided under this subsection.
‘(4) COLLECTIVE BARGAINING AGREEMENTS- Nothing in paragraph (1) may be construed to impair the continued effectiveness of a collective bargaining agreement with respect to an office, component, subcomponent, or equivalent of the Department that is a successor to an office, component, subcomponent, or equivalent of the Department covered by the agreement before the succession.
‘(5) REQUIRED REGULATIONS- The Secretary, in coordination with the Director of the Center and the Director of the Office of Personnel Management, shall prescribe regulations for the administration of this section.
‘(c) Merit System Principles and Civil Service Protections: Applicability-
‘(1) APPLICABILITY OF MERIT SYSTEM PRINCIPLES- The Secretary shall exercise the authority under subsection (b) in a manner consistent with the merit system principles set forth in section 2301 of title 5, United States Code.
‘(2) CIVIL SERVICE PROTECTIONS- Section 1221, section 2302, and chapter 75 of title 5, United States Code, shall apply to the positions established under subsection (b)(1).
‘(d) Requirements- Before the initial exercise of any authority authorized under subsection (b)(1), the Secretary shall--
‘(1) seek input from affected employees, and the union representatives of affected employees as applicable, and Federal manager and professional associations into the design and implementation of a fair, credible, and transparent system for exercising any authority under subsection (b)(1);
‘(2) make a good faith attempt to resolve any employee concerns regarding proposed changes in conditions of employment through discussions with the groups described in paragraph (1);
‘(3) develop a program to provide training to supervisors of cybersecurity employees at the Department on the use of the new authorities, including actions, options, and strategies a supervisor may use in--
‘(A) developing and discussing relevant goals and objectives with the employee, communicating and discussing progress relative to performance goals and objectives, and conducting performance appraisals;
‘(B) mentoring and motivating employees, and improving employee performance and productivity;
‘(C) fostering a work environment characterized by fairness, respect, equal opportunity, and attention to the quality of work of the employees;
‘(D) effectively managing employees with unacceptable performance;
‘(E) addressing reports of a hostile work environment, reprisal, or harassment of or by another supervisor or employee; and
‘(F) otherwise carrying out the duties and responsibilities of a supervisor;
‘(4) develop a program to provide training to supervisors of cybersecurity employees at the Department on the prohibited personnel practices under section 2302 of title 5, United States Code (particularly with respect to the practices described in paragraphs (1) and (8) of section 2302(b) of title 5, United States Code), employee collective bargaining and union participation rights, and the procedures and processes used to enforce employee rights; and
‘(5) develop a program under which experienced supervisors mentor new supervisors by--
‘(A) sharing knowledge and advice in areas such as communication, critical thinking, responsibility, flexibility, motivating employees, teamwork, leadership, and professional development; and
‘(B) pointing out strengths and areas for development.
‘(e) Supervisor Requirement-
‘(1) IN GENERAL- Except as provided in paragraph (2), not later than 1 year after the date of enactment of the Cybersecurity Act of 2012 and every 3 years thereafter, every supervisor of cybersecurity employees at the Department shall complete the programs established under paragraphs (3) and (4) of subsection (d).
‘(2) EXCEPTION- A supervisor of cybersecurity employees at the Department who is appointed after the date of enactment of the Cybersecurity Act of 2012 shall complete the programs established under paragraphs (3) and (4) of subsection (d) not later than 1 year after the date on which the supervisor is appointed to the position, and every 3 years thereafter.
‘(3) ONGOING PARTICIPATION- Participation by supervisors of cybersecurity employees at the Department in the program established under subsection (d)(5) shall be ongoing.
‘(f) Conversion to Competitive Service- In consultation with the Director of the Center, the Secretary may grant competitive civil service status to a qualified employee appointed to the excepted service under subsection (b) if that employee is employed in the Center or is transferring to the Center.
‘(g) Annual Report- Not later than 1 year after the date of enactment of this subtitle, and every year thereafter for 4 years, the Secretary shall submit to the appropriate committees of Congress a detailed report that--
‘(1) discusses the process used by the Secretary in accepting applications, assessing candidates, ensuring adherence to veterans’ preference, and selecting applicants for vacancies to be filled by a qualified employee;
‘(2) describes--
‘(A) how the Secretary plans to fulfill the critical need of the Department to recruit and retain qualified employees;
‘(B) the measures that will be used to measure progress; and
‘(C) any actions taken during the reporting period to fulfill such critical need;
‘(3) discusses how the planning and actions taken under paragraph (2) are integrated into the strategic workforce planning of the Department;
‘(4) provides metrics on actions occurring during the reporting period, including--
‘(A) the number of qualified employees hired by occupation and grade and level or pay band;
‘(B) the total number of veterans hired;
‘(C) the number of separations of qualified employees by occupation and grade and level or pay band;
‘(D) the number of retirements of qualified employees by occupation and grade and level or pay band; and
‘(E) the number and amounts of recruitment, relocation, and retention incentives paid to qualified employees by occupation and grade and level or pay band.
‘SEC. 247. PROHIBITED CONDUCT.
‘None of the authorities provided under this subtitle shall authorize the Director of the Center, the Center, the Department, or any other Federal entity to--
‘(1) compel the disclosure of information from a private entity relating to an incident unless otherwise authorized by law; or
‘(2) intercept a wire, oral, or electronic communication (as those terms are defined in section 2510 of title 18, United States Code), access a stored electronic or wire communication, install or use a pen register or trap and trace device, or conduct electronic surveillance (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)) relating to an incident unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, or the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).’.
(b) Technical and Conforming Amendment- The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended by inserting after the item relating to section 237 the following:
‘Subtitle E--Cybersecurity
‘Sec. 241. Definitions.
‘Sec. 242. Consolidation of existing resources.
‘Sec. 243. Department of Homeland Security information sharing.
‘Sec. 244. Access to information.
‘Sec. 245. National Center for Cybersecurity and Communications acquisition authorities.
‘Sec. 246. Recruitment and retention program for the National Center for Cybersecurity and Communications.
‘Sec. 247. Prohibited conduct.’.
TITLE IV--EDUCATION, RECRUITMENT, AND WORKFORCE DEVELOPMENT

SEC. 401. DEFINITIONS.
In this title:

(1) CYBERSECURITY MISSION- The term ‘cybersecurity mission’ means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace.

(2) CYBERSECURITY MISSION OF A FEDERAL AGENCY- The term ‘cybersecurity mission of a Federal agency’ means the portion of a cybersecurity mission that is the responsibility of a Federal agency.

SEC. 402. NATIONAL EDUCATION AND AWARENESS CAMPAIGN.
(a) In General- The Secretary, in consultation with appropriate Federal agencies, shall develop and implement outreach and awareness programs on cybersecurity, including--

(1) in consultation with the Director of the National Institute of Standards and Technology--

(A) a public education campaign to increase the awareness of cybersecurity, cyber safety, and cyber ethics, which shall include the use of the Internet, social media, entertainment, and other media to reach the public; and

(B) an education campaign to increase the understanding of State and local governments and private sector entities of the benefits of ensuring effective risk management of the information infrastructure versus the costs of failure to do so and methods to mitigate and remediate vulnerabilities; and

(2) in coordination with the Secretary of Commerce, development of a program to publicly recognize or identify products, services, and companies, including owners and operators, that meet the highest standards of cybersecurity.

(b) Considerations- In carrying out the authority described in subsection (a), the Secretary of Commerce, the Secretary, and the Director of the National Institute of Standards and Technology shall leverage existing programs designed to inform the public of the safety and security of products or services, including self-certifications and independently verified assessments regarding the quantification and valuation of information security risk.

SEC. 403. NATIONAL CYBERSECURITY COMPETITION AND CHALLENGE.
(a) Talent Competition and Challenge-

(1) IN GENERAL- The Secretary of Homeland Security and the Secretary of Commerce shall establish a program to conduct competitions and challenges and ensure the effective operation of national and statewide competitions and challenges that seek to identify, develop, and recruit talented individuals to work in Federal agencies, State and local government agencies, and the private sector to perform duties relating to the security of the Federal information infrastructure or the national information infrastructure.

(2) PARTICIPATION- Participants in the competitions and challenges of the program established under paragraph (1) shall include--

(A) students enrolled in grades 9 through 12;

(B) students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;

(C) students enrolled in a postbaccalaureate program of study at an institution of higher education;

(D) institutions of higher education and research institutions;

(E) veterans; and

(F) other groups or individuals as the Secretary of Homeland Security and the Secretary of Commerce determine appropriate.

(3) SUPPORT OF OTHER COMPETITIONS AND CHALLENGES- The program established under paragraph (1) may support other competitions and challenges not established under this subsection through affiliation and cooperative agreements with--

(A) Federal agencies;

(B) regional, State, or school programs supporting the development of cyber professionals;

(C) State, local, and tribal governments; or

(D) other private sector organizations.

(4) AREAS OF TALENT- The program established under paragraph (1) shall seek to identify, develop, and recruit exceptional talent relating to--

(A) ethical hacking;

(B) penetration testing;

(C) vulnerability assessment;

(D) continuity of system operations;

(E) cyber forensics;

(F) offensive and defensive cyber operations; and

(G) other areas to fulfill the cybersecurity mission as the Director determines appropriate.

(5) INTERNSHIPS- The Director of the Office of Personnel Management shall establish, in coordination with the Director of the National Center for Cybersecurity and Communications, a program to provide, where appropriate, internships or other work experience in the Federal Government to the winners of the competitions and challenges.

(b) National Research and Development Competition and Challenge-

(1) IN GENERAL- The Director of the National Science Foundation, in consultation with appropriate Federal agencies, shall establish a program of cybersecurity competitions and challenges to stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that has the potential for application to the information technology activities of the Federal Government.

(2) PARTICIPATION- Participants in the competitions and challenges of the program established under paragraph (1) shall include--

(A) students enrolled in grades 9 through 12;

(B) students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;

(C) students enrolled in a postbaccalaureate program of study at an institution of higher education;

(D) institutions of higher education and research institutions;

(E) veterans; and

(F) other groups or individuals as the Director of the National Science Foundation determines appropriate.

(3) TOPICS- In selecting topics for competitions and challenges held as part of the program established under paragraph (1), the Director--

(A) shall consult widely both within and outside the Federal Government; and

(B) may empanel advisory committees.

(4) INTERNSHIPS- The Director of the Office of Personnel Management shall establish, in coordination with the Director of the National Science Foundation, a program to provide, where appropriate, internships or other work experience in the Federal Government to the winners of the competitions and challenges held as part of the program established under paragraph (1).

SEC. 404. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General- The Director of the National Science Foundation, in coordination with the Secretary, shall establish a Federal Cyber Scholarship-for-Service program to recruit and train the next generation of information technology professionals, industrial control system security professionals, and security managers to meet the needs of the cybersecurity mission for the Federal Government and State, local, and tribal governments.

(b) Program Description and Components- The program established under subsection (a) shall--

(1) incorporate findings from the assessment and development of the strategy under section 405;

(2) provide not more than 1,000 scholarships per year to students who are enrolled in a program of study at an institution of higher education leading to a degree or specialized program certification in the cybersecurity field, in an amount that covers each student’s tuition and fees at the institution and provides the student with an additional stipend;

(3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to enter into an agreement under which the recipient agrees to work in the cybersecurity mission of a Federal, State, local, or tribal agency for a period equal to the length of the scholarship following receipt of the student’s degree if offered employment in that field by a Federal, State, local, or tribal agency;

(4) provide a procedure by which the National Science Foundation or a Federal agency may, consistent with regulations of the Office of Personnel Management, request and fund security clearances for scholarship recipients, including providing for clearances during summer internships and after the recipient receives the degree; and

(5) provide opportunities for students to receive temporary appointments for meaningful employment in the cybersecurity mission of a Federal agency during school vacation periods and for internships.

(c) Hiring Authority-

(1) IN GENERAL- For purposes of any law or regulation governing the appointment of individuals in the Federal civil service, upon receiving a degree for which an individual received a scholarship under this section, the individual shall be--

(A) hired under the authority provided for in section 213.3102(r) of title 5, Code of Federal Regulations; and

(B) exempt from competitive service.

(2) COMPETITIVE SERVICE POSITION- Upon satisfactory fulfillment of the service term of an individual hired under paragraph (1), the individual may be converted to a competitive service position without competition if the individual meets the requirements for that position.

(d) Eligibility- To be eligible to receive a scholarship under this section, an individual shall--

(1) be a citizen or lawful permanent resident of the United States;

(2) demonstrate a commitment to a career in improving the security of information infrastructure; and

(3) have demonstrated a high level of proficiency in mathematics, engineering, or computer sciences.

(e) Repayment- If a recipient of a scholarship under this section does not meet the terms of the scholarship program, the recipient shall refund the scholarship payments in accordance with rules established by the Director of the National Science Foundation, in coordination with the Secretary.

(f) Evaluation and Report- The Director of the National Science Foundation shall evaluate and report periodically to Congress on the success of recruiting individuals for the scholarships and on hiring and retaining those individuals in the public sector workforce.

SEC. 405. ASSESSMENT OF CYBERSECURITY FEDERAL WORKFORCE.
(a) In General- The Director of the Office of Personnel Management and the Secretary, in coordination with the Director of National Intelligence, the Secretary of Defense, and the Chief Information Officers Council established under

(b) Strategy-

(1) IN GENERAL- Not later than 180 days after the date of enactment of this Act, the Director of the Office of Personnel Management, in consultation with the Director of the National Center for Cybersecurity and Communications and the Director of the Office of Management and Budget, shall develop a comprehensive workforce strategy that enhances the readiness, capacity, training, and recruitment and retention of cybersecurity personnel of the Federal Government.

(2) CONTENTS- The strategy developed under paragraph (1) shall include--

(A) a 5-year plan on recruitment of personnel for the Federal workforce; and

(B) a 10-year projection of Federal workforce needs.

(c) Updates- The Director of the Office of Personnel Management, in consultation with the Director of the National Center for Cybersecurity and Communications and the Director of the Office of Management and Budget, shall update the strategy developed under subsection (b) as needed.

SEC. 406. FEDERAL CYBERSECURITY OCCUPATION CLASSIFICATIONS.
(a) In General- Not later than 1 year after the date of enactment of this Act, the Director of the Office of Personnel Management, in coordination with the Director of the National Center for Cybersecurity and Communications, shall develop and issue comprehensive occupation classifications for Federal employees engaged in cybersecurity missions.

(b) Applicability of Classifications- The Director of the Office of Personnel Management shall ensure that the comprehensive occupation classifications issued under subsection (a) may be used throughout the Federal Government.

SEC. 407. TRAINING AND EDUCATION.
(a) Definition- In this section, the term ‘agency information infrastructure’ means the Federal information infrastructure of a Federal agency.

(b) Training-

(1) FEDERAL GOVERNMENT EMPLOYEES AND FEDERAL CONTRACTORS- The Director of the Office of Personnel Management, in coordination with the Secretary, the Director of National Intelligence, the Secretary of Defense, and the Chief Information Officers Council established under

(2) CONTENTS- The curriculum established under paragraph (1) shall include, at a minimum--

(A) role-based security awareness training;

(B) recommended cybersecurity practices;

(C) cybersecurity recommendations for traveling abroad;

(D) unclassified counterintelligence information;

(E) information regarding industrial espionage;

(F) information regarding malicious activity online;

(G) information regarding cybersecurity and law enforcement;

(H) identity management information;

(I) information regarding supply chain security;

(J) information security risks associated with the activities of Federal employees and contractors; and

(K) the responsibilities of Federal employees and contractors in complying with policies and procedures designed to reduce information security risks identified under subparagraph (J).

(3) FEDERAL CYBERSECURITY PROFESSIONALS- The Director of the Office of Personnel Management in conjunction with the Secretary, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, and, as appropriate, colleges, universities, and nonprofit organizations with cybersecurity training expertise, shall develop a program to provide training to improve and enhance the skills and capabilities of Federal employees engaged in the cybersecurity mission, including training specific to the acquisition workforce.

(4) HEADS OF FEDERAL AGENCIES- Not later than 30 days after the date on which an individual is appointed to a position at level I or II of the Executive Schedule, the Secretary and the Director of National Intelligence shall provide that individual with a cybersecurity threat briefing.

(5) CERTIFICATION- The head of each Federal agency shall include in the annual report required under

(c) Education-

(1) FEDERAL EMPLOYEES- The Director of the Office of Personnel Management, in coordination with the Secretary of Education, the Director of the National Science Foundation, and the Director of the National Center for Cybersecurity and Communications, shall develop and implement a strategy to provide Federal employees who work in cybersecurity missions with the opportunity to obtain additional education.

(2) K THROUGH 12 EDUCATION- The Secretary of Education, in coordination with the Director of the National Center for Cybersecurity and Communications and State and local governments, shall develop model curriculum standards, guidelines, and recommended courses to address cyber safety, cybersecurity, and cyber ethics for students in kindergarten through grade 12.

(3) INSTITUTIONS OF HIGHER EDUCATION AND CAREER AND TECHNICAL INSTITUTIONS-

(A) SECRETARY OF EDUCATION- The Secretary of Education, in coordination with the Secretary, and after consultation with appropriate private entities, shall--

(i) develop model curriculum standards and guidelines to address cyber safety, cybersecurity, and cyber ethics for all students enrolled in institutions of higher education, and all students enrolled in career and technical institutions, in the United States; and

(ii) analyze and develop recommended courses for students interested in pursuing careers in information technology, communications, computer science, engineering, mathematics, and science, as those subjects relate to cybersecurity.

(B) OFFICE OF PERSONNEL MANAGEMENT- The Director of the Office of Personnel Management, in coordination with the Director of the National Center for Cybersecurity and Communications, shall develop strategies and programs--

(i) to recruit students enrolled in institutions of higher education, and students enrolled in career and technical institutions in the United States to serve as Federal employees engaged in cybersecurity missions; and

(ii) that provide internship and part-time work opportunities with the Federal Government for students enrolled in institutions of higher education and career and technical institutions in the United States.

SEC. 408. CYBERSECURITY INCENTIVES.
The head of each Federal agency shall adopt best practices, developed by the Office of Personnel Management, regarding effective ways to educate and motivate employees of the Federal Government to demonstrate leadership in cybersecurity, including--

(1) promotions and other nonmonetary awards; and

(2) publicizing information sharing accomplishments by individual employees and, if appropriate, the tangible benefits that resulted.

TITLE V--RESEARCH AND DEVELOPMENT

SEC. 501. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) Fundamental Cybersecurity Research- The Director of the Office of Science and Technology Policy (referred to in this section as the ‘Director’), in coordination with the Secretary and the head of any relevant Federal agency, shall develop a national cybersecurity research and development plan.

(b) Requirements- The plan required to be developed under subsection (a) shall encourage computer and information science and engineering research to meet challenges in cybersecurity, including--

(1) how to design and build complex software-intensive systems that are secure and reliable when first deployed;

(2) how to test and verify that software, whether developed locally or obtained from a third party, is free of significant known security flaws;

(3) how to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality;

U.S. Congress - Text of S.2105 as Placed on Calendar Senate Cybersecurity Act of 2012

