S.3414 - CSA2012
A bill to enhance the security and resiliency of the cyber and communications infrastructure of the United States.
S 3414 PCS

Calendar No. 470

112th CONGRESS

2d Session

S. 3414

To enhance the security and resiliency of the cyber and communications infrastructure of the United States.

IN THE SENATE OF THE UNITED STATES

July 19, 2012

Mr. LIEBERMAN (for himself, Ms. COLLINS, Mr. ROCKEFELLER, Mrs. FEINSTEIN, and Mr. CARPER) introduced the following bill; which was read the first time

July 23, 2012

Read the second time and placed on the calendar

A BILL

To enhance the security and resiliency of the cyber and communications infrastructure of the United States.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title- This Act may be cited as the ‘Cybersecurity Act of 2012’ or the ‘CSA2012’.

(b) Table of Contents- The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Definitions.

TITLE I--PUBLIC-PRIVATE PARTNERSHIP TO PROTECT CRITICAL INFRASTRUCTURE
Sec. 101. National Cybersecurity Council.

Sec. 102. Inventory of critical infrastructure.

Sec. 103. Voluntary cybersecurity practices.

Sec. 104. Voluntary cybersecurity program for critical infrastructure.

Sec. 105. Rules of construction.

Sec. 106. Protection of information.

Sec. 107. Annual assessment of cybersecurity.

Sec. 108. International cooperation.

Sec. 109. Effect on other laws.

Sec. 110. Definitions.

TITLE II--FEDERAL INFORMATION SECURITY MANAGEMENT AND CONSOLIDATING RESOURCES
Sec. 201. FISMA Reform.

Sec. 202. Management of information technology.

Sec. 203. Savings provisions.

Sec. 204. Consolidation of existing departmental cyber resources and authorities.

TITLE III--RESEARCH AND DEVELOPMENT
Sec. 301. Federal cybersecurity research and development.

Sec. 302. Homeland security cybersecurity research and development.

Sec. 303. Research centers for cybersecurity.

Sec. 304. Centers of excellence.

TITLE IV--EDUCATION, WORKFORCE, AND AWARENESS
Sec. 401. Definitions.

Sec. 402. Education and awareness.

Sec. 403. National cybersecurity competition and challenge.

Sec. 404. Federal Cyber Scholarship-for-Service program.

Sec. 405. Assessment of cybersecurity Federal workforce.

Sec. 406. Federal cybersecurity occupation classifications.

Sec. 407. Training and education of Federal employees.

Sec. 408. National Center for Cybersecurity and Communications acquisition authorities.

Sec. 409. Reports on cyber incidents against Government networks.

Sec. 410. Reports on prosecution for cybercrime.

Sec. 411. Report on research relating to secure domain.

Sec. 412. Report on preparedness of Federal courts to promote cybersecurity.

Sec. 413. Report on impediments to public awareness.

Sec. 414. Report on protecting the electrical grid of the United States.

Sec. 415. Marketplace information.

TITLE V--FEDERAL ACQUISITION RISK MANAGEMENT STRATEGY
Sec. 501. Federal acquisition risk management strategy.

Sec. 502. Amendments to Clinger-Cohen provisions to enhance agency planning for information security needs.

TITLE VI--INTERNATIONAL COOPERATION
Sec. 601. Definitions.

Sec. 602. Findings.

Sec. 603. Sense of Congress.

Sec. 604. Coordination of international cyber issues within the United States Government.

Sec. 605. Consideration of cybercrime in foreign policy and foreign assistance programs.

TITLE VII--INFORMATION SHARING
Sec. 701. Affirmative authority to monitor and defend against cybersecurity threats.

Sec. 702. Voluntary disclosure of cybersecurity threat indicators among private entities.

Sec. 703. Cybersecurity exchanges.

Sec. 704. Voluntary disclosure of cybersecurity threat indicators to a cybersecurity exchange.

Sec. 705. Sharing of classified cybersecurity threat indicators.

Sec. 706. Limitation on liability and good faith defense for cybersecurity activities.

Sec. 707. Construction and federal preemption.

Sec. 708. Definitions.

SEC. 2. DEFINITIONS.
In this Act:

(1) CATEGORY OF CRITICAL CYBER INFRASTRUCTURE- The term ‘category of critical cyber infrastructure’ means a category identified by the Council as critical cyber infrastructure in accordance with the procedure established under section 102.

(2) COMMERCIAL INFORMATION TECHNOLOGY PRODUCT- The term ‘commercial information technology product’ means a commercial item that organizes or communicates information electronically.

(3) COMMERCIAL ITEM- The term ‘commercial item’ has the meaning given the term in

(4) COUNCIL- The term ‘Council’ means the National Cybersecurity Council established under section 101.

(5) CRITICAL CYBER INFRASTRUCTURE- The term ‘critical cyber infrastructure’ means critical infrastructure identified by the Council under section 102(b)(3)(A).

(6) CRITICAL INFRASTRUCTURE- The term ‘critical infrastructure’ has the meaning given that term in section 1016(e) of the USA PATRIOT Act (

(7) CRITICAL INFRASTRUCTURE PARTNERSHIP ADVISORY COUNCIL- The term ‘Critical Infrastructure Partnership Advisory Council’ means the Critical Infrastructure Partnership Advisory Council established by the Department under section 871 of the Homeland Security Act of 2002 (

(8) DEPARTMENT- The term ‘Department’ means the Department of Homeland Security.

(9) FEDERAL AGENCY- The term ‘Federal agency’ has the meaning given the term ‘agency’ in

(10) FEDERAL INFORMATION INFRASTRUCTURE- The term ‘Federal information infrastructure’--

(A) means information and information systems that are owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and

(B) does not include--

(i) a national security system; or

(ii) information and information systems that are owned, operated, controlled, or licensed solely for use by, or on behalf of, the Department of Defense, a military department, or an element of the intelligence community.

(11) INCIDENT- The term ‘incident’ has the meaning given that term in

(12) INFORMATION INFRASTRUCTURE- The term ‘information infrastructure’ means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices, communications networks, and industrial or supervisory control systems and any associated hardware, software, or data.

(13) INFORMATION SHARING AND ANALYSIS ORGANIZATION- The term ‘Information Sharing and Analysis Organization’ has the meaning given that term in section 212 of the Homeland Security Act of 2002 (

(14) INFORMATION SYSTEM- The term ‘information system’ has the meaning given that term in

(15) INSTITUTION OF HIGHER EDUCATION- The term ‘institution of higher education’ has the meaning given that term in section 102 of the Higher Education Act of 1965 (

(16) INTELLIGENCE COMMUNITY- The term ‘intelligence community’ has the meaning given that term under section 3(4) of the National Security Act of 1947 (

(17) MEMBER AGENCY- The term ‘member agency’ means a Federal agency from which a member of the Council is appointed.

(18) NATIONAL INFORMATION INFRASTRUCTURE- The term ‘national information infrastructure’ means information and information systems--

(A) that are owned, operated, or controlled, in whole or in part, within or from the United States; and

(B) that are not owned, operated, controlled, or licensed for use by a Federal agency.

(19) NATIONAL LABORATORY- The term ‘national laboratory’ has the meaning given the term in section 2 of the Energy Policy Act of 2005 (

(20) NATIONAL SECURITY SYSTEM- The term ‘national security system’ has the meaning given that term in

(21) OWNER- The term ‘owner’--

(A) means an entity that owns critical infrastructure; and

(B) does not include a company contracted by the owner to manage, run, or operate that critical infrastructure, or to provide a specific information technology product or service that is used or incorporated into that critical infrastructure.

(22) OPERATOR- The term ‘operator’--

(A) means an entity that manages, runs, or operates, in whole or in part, the day-to-day operations of critical infrastructure; and

(B) may include the owner of critical infrastructure.

(23) SECRETARY- The term ‘Secretary’ means the Secretary of Homeland Security.

(24) SIGNIFICANT CYBER INCIDENT- The term ‘significant cyber incident’ means an incident resulting in, or an attempt to cause an incident that, if successful, would have resulted in--

(A) the exfiltration of data that is essential to the operation of critical cyber infrastructure; or

(B) the defeat of an operational control or technical control, as those terms are defined in section 708, essential to the security or operation of critical cyber infrastructure.

TITLE I--PUBLIC-PRIVATE PARTNERSHIP TO PROTECT CRITICAL INFRASTRUCTURE

SEC. 101. NATIONAL CYBERSECURITY COUNCIL.
(a) In General- There is established a National Cybersecurity Council.CommentsClose CommentsPermalink

(b) Responsibilities- The Council shall--CommentsClose CommentsPermalink

(1) conduct sector-by-sector risk assessments in partnership with owners and operators, private sector entities, relevant Federal agencies, and appropriate non-governmental entities and institutions of higher education;CommentsClose CommentsPermalink

(2) identify categories of critical cyber infrastructure, in partnership with relevant Federal agencies, owners and operators, other appropriate private sector entities, and appropriate non-governmental entities and institutions of higher education;CommentsClose CommentsPermalink

(3) coordinate the adoption of private-sector recommended voluntary outcome-based cybersecurity practices with owners and operators, private sector entities, relevant Federal agencies, the Critical Infrastructure Partnership Advisory Council, institutions of higher education, and appropriate non-governmental cybersecurity experts, in accordance with this title;CommentsClose CommentsPermalink

(4) establish an incentives-based voluntary cybersecurity program for critical infrastructure to encourage owners to adopt voluntary outcome-based cybersecurity practices under section 103;CommentsClose CommentsPermalink

(5) develop procedures to inform owners and operators of cyber threats, vulnerabilities, and consequences; andCommentsClose CommentsPermalink

(6) upon request and to the maximum extent possible, provide any technical guidance or assistance to owners and operators consistent with this title.CommentsClose CommentsPermalink

(c) Procedures- The President shall establish procedures, consistent with this section, for the operation of the Council, which shall include procedures that--CommentsClose CommentsPermalink

(1) prescribe the responsibilities of the Council and the member agencies;CommentsClose CommentsPermalink

(2) ensure the timely implementation of decisions of the Council;CommentsClose CommentsPermalink

(3) delegate authority to the Chairperson to take action to fulfill the responsibilities of the Council if--CommentsClose CommentsPermalink

(A) the Council is not fulfilling the responsibilities of the Council in a timely fashion; orCommentsClose CommentsPermalink

(B) necessary to prevent or mitigate an imminent cybersecurity threat.CommentsClose CommentsPermalink

(d) Membership- The Council shall be comprised of appropriate representatives appointed by the President from--CommentsClose CommentsPermalink

(1) the Department of Commerce;CommentsClose CommentsPermalink

(2) the Department of Defense;CommentsClose CommentsPermalink

(3) the Department of Justice;CommentsClose CommentsPermalink

(4) the intelligence community;CommentsClose CommentsPermalink

(5) sector-specific Federal agencies, as appropriate;CommentsClose CommentsPermalink

(6) Federal agencies with responsibility for regulating the security of critical cyber infrastructure, as appropriate; andCommentsClose CommentsPermalink

(7) the Department.CommentsClose CommentsPermalink

(e) Coordination- The Council shall coordinate the activities of the Council with--CommentsClose CommentsPermalink

(1) appropriate representatives of the private sector; andCommentsClose CommentsPermalink

(2) owners and operators.CommentsClose CommentsPermalink

(f) Chairperson-CommentsClose CommentsPermalink

(1) IN GENERAL- The Secretary shall serve as Chairperson of the Council (referred to in this section as the ‘Chairperson’).CommentsClose CommentsPermalink

(2) RESPONSIBILITIES OF THE CHAIRPERSON- The Chairperson shall--CommentsClose CommentsPermalink

(A) ensure the responsibilities of the Council are expeditiously fulfilled;CommentsClose CommentsPermalink

(B) provide expertise and support to the Council; andCommentsClose CommentsPermalink

(C) provide recommendations to the Council.CommentsClose CommentsPermalink

(g) Participation of Sector-specific Federal Agencies and Federal Regulatory Agencies- A sector-specific Federal agency and a Federal agency with responsibility for regulating the security of critical cyber infrastructure shall participate on the Council on matters directly relating to the sector of critical infrastructure for which the Federal agency has responsibility to ensure that any cybersecurity practice adopted by the Council under section 103--CommentsClose CommentsPermalink

(1) does not contradict any regulation or compulsory standard in effect before the adoption of the cybersecurity practice; andCommentsClose CommentsPermalink

(2) to the extent possible, complements or otherwise improves the regulation or compulsory standard described in paragraph (1).CommentsClose CommentsPermalink

SEC. 102. INVENTORY OF CRITICAL INFRASTRUCTURE.
(a) Risk Assessments-CommentsClose CommentsPermalink

(1) IN GENERAL-CommentsClose CommentsPermalink

(A) DESIGNATION OF MEMBER AGENCY- The Council shall designate a member agency to conduct top-level cybersecurity assessments of cyber risks to critical infrastructure with voluntary participation from private sector entities.CommentsClose CommentsPermalink

(B) RULE OF CONSTRUCTION- Nothing in this subsection shall be construed to give new authority to a Federal agency to require owners or operators to provide information to the Federal Government.CommentsClose CommentsPermalink

(2) RESPONSIBILITY- The member agency designated under paragraph (1), in consultation with owners and operators, the Critical Infrastructure Partnership Advisory Council, and appropriate Information Sharing and Analysis Organizations, and in coordination with other member agencies, the intelligence community, and the Department of Commerce, shall--CommentsClose CommentsPermalink

(A) not later than 180 days after the date of enactment of this Act, conduct a top-level assessment of the cybersecurity threats, vulnerabilities, and consequences and the probability of a catastrophic incident and associated risk across all critical infrastructure sectors to determine which sectors pose the greatest immediate risk, in order to guide the allocation of resources for the implementation of this Act; andCommentsClose CommentsPermalink

(B) beginning with the highest priority sectors identified under subparagraph (A), conduct, on an ongoing, sector-by-sector basis, cyber risk assessments of the threats to, vulnerabilities of, and consequences of a cyber attack on critical infrastructure.CommentsClose CommentsPermalink

(3) VOLUNTARY INPUT OF OWNERS AND OPERATORS- The member agency designated under paragraph (1) shall--CommentsClose CommentsPermalink

(A) establish a process under which owners and operators and other relevant private sector experts may provide input into the risk assessments conducted under this section; andCommentsClose CommentsPermalink

(B) seek and incorporate private sector expertise available through established public-private partnerships, including the Critical Infrastructure Partnership Advisory Council and appropriate Information Sharing and Analysis Organizations.CommentsClose CommentsPermalink

(4) PROTECTION OF INFORMATION- Any information submitted as part of the process established under paragraph (3) shall be protected in accordance with section 106.CommentsClose CommentsPermalink

(5) SUBMISSION OF RISK ASSESSMENTS- The Council shall submit each risk assessment conducted under this section, in a classified or unclassified form as necessary, to--CommentsClose CommentsPermalink

(A) the President;CommentsClose CommentsPermalink

(B) appropriate Federal agencies; andCommentsClose CommentsPermalink

(C) appropriate congressional committees.CommentsClose CommentsPermalink

(b) Identification of Critical Cyber Infrastructure Categories-CommentsClose CommentsPermalink

(1) IN GENERAL- The Council, in consultation with owners and operators, the Critical Infrastructure Partnership Advisory Council, appropriate Information Sharing and Analysis Organizations, and other appropriate representatives of State and local governments, shall establish procedures to identify categories of critical cyber infrastructure within each sector of critical infrastructure for the purposes of this Act.CommentsClose CommentsPermalink

(2) DUTIES- In establishing the procedure under paragraph (1), the Council shall--CommentsClose CommentsPermalink

(A) prioritize efforts based on the prioritization established under subsection (a);CommentsClose CommentsPermalink

(B) incorporate, to the extent practicable, the input of owners and operators, the Critical Infrastructure Partnership Advisory Council, appropriate Information Sharing and Analysis Organizations, and other appropriate representatives of the private sector and State and local governments;CommentsClose CommentsPermalink

(C) develop a voluntary mechanism for owners to submit information to assist the Council in making determinations under this section;CommentsClose CommentsPermalink

(D) inform owners and operators of the criteria used to identify categories of critical cyber infrastructure;CommentsClose CommentsPermalink

(E) establish procedures for an owner of critical infrastructure identified as critical cyber infrastructure to challenge the identification;CommentsClose CommentsPermalink

(F) select a member agency to make recommendations to the Council on the identification of categories of critical cyber infrastructure; andCommentsClose CommentsPermalink

(G) periodically review and update identifications under this subsection.CommentsClose CommentsPermalink

(3) IDENTIFICATION REQUIREMENTS- The Council shall--CommentsClose CommentsPermalink

(A) identify categories of critical cyber infrastructure within each sector of critical infrastructure and identify owners of critical infrastructure within each category of critical cyber infrastructure;CommentsClose CommentsPermalink

(B) only identify a category of critical infrastructure as critical cyber infrastructure if damage to or unauthorized access to such critical infrastructure could reasonably result in--CommentsClose CommentsPermalink

(i) the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause--CommentsClose CommentsPermalink

(I) a mass casualty event; orCommentsClose CommentsPermalink

(II) mass evacuations;CommentsClose CommentsPermalink

(ii) catastrophic economic damage to the United States including--CommentsClose CommentsPermalink

(I) failure or substantial disruption of a financial market of the United States;CommentsClose CommentsPermalink

(II) incapacitation or sustained disruption of a transportation system; orCommentsClose CommentsPermalink

(III) other systemic, long-term damage to the economy of the United States; orCommentsClose CommentsPermalink

(iii) severe degradation of national security or national security capabilities, including intelligence and defense functions; andCommentsClose CommentsPermalink

(C) consider the sector-by-sector risk assessments developed in accordance with subsection (a).CommentsClose CommentsPermalink

(4) INCIDENT REPORTING- The Council shall establish procedures under which each owner of critical cyber infrastructure shall report significant cyber incidents affecting critical cyber infrastructure.CommentsClose CommentsPermalink

(5) LIMITATIONS- The Council may not identify as a category of critical cyber infrastructure under this section--CommentsClose CommentsPermalink

(A) critical infrastructure based solely on activities protected by the first amendment to the Constitution of the United States;CommentsClose CommentsPermalink

(B) an information technology product based solely on a finding that the product is capable of, or is actually, being used in critical cyber infrastructure; orCommentsClose CommentsPermalink

(C) a commercial item that organizes or communicates information electronically.CommentsClose CommentsPermalink

(6) NOTIFICATION OF IDENTIFICATION OF CATEGORY OF CRITICAL CYBER INFRASTRUCTURE- Not later than 10 days after the Council identifies a category of critical cyber infrastructure under this section, the Council shall notify the relevant owners of the identified critical cyber infrastructure.CommentsClose CommentsPermalink

(7) DEFINITION- In this subsection, the term ‘damage’ has the meaning given that term in

(c) Congressional Notice and Opportunity for Disapproval-CommentsClose CommentsPermalink

(1) NOTIFICATION- Not later than 10 days after the date on which the Council identifies a category of critical infrastructure as critical cyber infrastructure under this section, the Council shall--CommentsClose CommentsPermalink

(A) notify Congress of the identification; andCommentsClose CommentsPermalink

(B) submit to Congress a report explaining the basis for the identification.CommentsClose CommentsPermalink

(2) OPPORTUNITY FOR CONGRESSIONAL REVIEW- The identification of a category of critical infrastructure as critical cyber infrastructure shall not take effect for purposes of this title until the date that is 60 days after the date on which the Council notifies Congress under paragraph (1).CommentsClose CommentsPermalink

SEC. 103. VOLUNTARY CYBERSECURITY PRACTICES.
(a) Private Sector Development of Cybersecurity Practices- Not later than 180 days after the date of enactment of this Act, each sector coordinating council shall propose to the Council voluntary outcome-based cybersecurity practices (referred to in this section as ‘cybersecurity practices’) sufficient to effectively remediate or mitigate cyber risks identified through an assessment conducted under section 102(a) comprised of--CommentsClose CommentsPermalink

(1) industry best practices, standards, and guidelines; orCommentsClose CommentsPermalink

(2) practices developed by the sector coordinating council in coordination with owners and operators, voluntary consensus standards development organizations, representatives of State and local governments, the private sector, and appropriate information sharing and analysis organizations.CommentsClose CommentsPermalink

(b) Review of Cybersecurity Practices-CommentsClose CommentsPermalink

(1) IN GENERAL- The Council shall, in consultation with owners and operators, the Critical Infrastructure Partnership Advisory Council, and appropriate information sharing and analysis organizations, and in coordination with appropriate representatives from State and local governments--CommentsClose CommentsPermalink

(A) consult with relevant security experts and institutions of higher education, including university information security centers, appropriate nongovernmental cybersecurity experts, and representatives from national laboratories;CommentsClose CommentsPermalink

(B) review relevant regulations or compulsory standards or guidelines;CommentsClose CommentsPermalink

(C) review cybersecurity practices proposed under subsection (a); andCommentsClose CommentsPermalink

(D) consider any amendments to the cybersecurity practices and any additional cybersecurity practices necessary to ensure adequate remediation or mitigation of the cyber risks identified through an assessment conducted under section 102(a).CommentsClose CommentsPermalink

(2) ADOPTION-CommentsClose CommentsPermalink

(A) IN GENERAL- Not later than 1 year after the date of enactment of this Act, the Council shall--CommentsClose CommentsPermalink

(i) adopt any cybersecurity practices proposed under subsection (a) that adequately remediate or mitigate identified cyber risks and any associated consequences identified through an assessment conducted under section 102(a); andCommentsClose CommentsPermalink

(ii) adopt any amended or additional cybersecurity practices necessary to ensure the adequate remediation or mitigation of the cyber risks identified through an assessment conducted under section 102(a).CommentsClose CommentsPermalink

(B) NO SUBMISSION BY SECTOR COORDINATING COUNCIL- If a sector coordinating council fails to propose to the Council cybersecurity practices under subsection (a) within 180 days of the date of enactment of this Act, not later than 1 year after the date of enactment of this Act the Council shall adopt cybersecurity practices that adequately remediate or mitigate identified cyber risks and associated consequences identified through an assessment conducted under section 102(a) for the sector.CommentsClose CommentsPermalink

(c) Flexibility of Cybersecurity Practices- Each sector coordinating council and the Council shall periodically assess cybersecurity practices, but not less frequently than once every 3 years, and update or modify cybersecurity practices as necessary to ensure adequate remediation and mitigation of the cyber risks identified through an assessment conducted under section 102(a).CommentsClose CommentsPermalink

(d) Prioritization- Based on the risk assessments performed under section 102(a), the Council shall prioritize the development of cybersecurity practices to ensure the reduction or mitigation of the greatest cyber risks.CommentsClose CommentsPermalink

(e) Private Sector Recommended Measures- Each sector coordinating council shall develop voluntary recommended cybersecurity measures that provide owners reasonable and cost-effective methods of meeting any cybersecurity practice.CommentsClose CommentsPermalink

(f) Technology Neutrality- No cybersecurity practice shall require--CommentsClose CommentsPermalink

(1) the use of a specific commercial information technology product; orCommentsClose CommentsPermalink

(2) that a particular commercial information technology product be designed, developed, or manufactured in a particular manner.CommentsClose CommentsPermalink

(g) Relationship to Existing Regulations-

(1) INCLUSION IN REGULATORY REGIMES-

(A) IN GENERAL- A Federal agency with responsibilities for regulating the security of critical infrastructure may adopt the cybersecurity practices as mandatory requirements.

(B) REPORTS- If, as of the date that is 1 year after the date of enactment of this Act, a Federal agency with responsibilities for regulating the security of critical infrastructure has not adopted the cybersecurity practices as mandatory requirements, the agency shall submit to the appropriate congressional committees a report on the reasons the agency did not do so, including a description of whether the critical cyber infrastructure for which the Federal agency has responsibility is maintaining practices sufficient to effectively remediate or mitigate cyber risks identified through an assessment conducted under section 102(a).

(C) RULE OF CONSTRUCTION- Nothing in this subsection shall be construed to provide a Federal agency with authority for regulating the security of critical cyber infrastructure in addition or to a greater extent than the authority the Federal agency has under other law.

(2) AVOIDANCE OF CONFLICT- No cybersecurity practice shall--

(A) prevent an owner (including a certified owner) from complying with any law or regulation; or

(B) require an owner (including a certified owner) to implement cybersecurity measures that prevent the owner from complying with any law or regulation.

(3) AVOIDANCE OF DUPLICATION- Where regulations or compulsory standards regulate the security of critical cyber infrastructure, a cybersecurity practice shall, to the greatest extent possible, complement or otherwise improve the regulations or compulsory standards.

(h) Independent Review-

(1) IN GENERAL- Each cybersecurity practice shall be publicly reviewed by the relevant sector coordinating council and the Critical Infrastructure Partnership Advisory Council, which may include input from relevant institutions of higher education, including university information security centers, national laboratories, and appropriate non-governmental cybersecurity experts.

(2) CONSIDERATION BY COUNCIL- The Council shall consider any review conducted under paragraph (1).

(i) Voluntary Technical Assistance- At the request of an owner or operator of critical infrastructure, the Council shall provide guidance on the application of cybersecurity practices to the critical infrastructure.

SEC. 104. VOLUNTARY CYBERSECURITY PROGRAM FOR CRITICAL INFRASTRUCTURE.
(a) Voluntary Cybersecurity Program for Critical Infrastructure-

(1) IN GENERAL- Not later than 1 year after the date of enactment of this Act, the Council, in consultation with owners and operators and the Critical Infrastructure Partnership Advisory Council, shall establish the Voluntary Cybersecurity Program for Critical Infrastructure in accordance with this section.

(2) ELIGIBILITY-

(A) IN GENERAL- An owner of critical cyber infrastructure may apply for certification under the Voluntary Cybersecurity Program for Critical Infrastructure.

(B) CRITERIA- The Council shall establish criteria for owners of critical infrastructure that is not critical cyber infrastructure to be eligible to apply for certification in the Voluntary Cybersecurity Program for Critical Infrastructure.

(3) APPLICATION FOR CERTIFICATION- An owner of critical cyber infrastructure or an owner of critical infrastructure that meets the criteria established under paragraph (2)(B) that applies for certification under this subsection shall--

(A) select and implement cybersecurity measures of their choosing that satisfy the outcome-based cybersecurity practices established under section 103; and

(B)(i) certify in writing and under penalty of perjury to the Council that the owner has developed and effectively implemented cybersecurity measures sufficient to satisfy the outcome-based cybersecurity practices established under section 103; or

(ii) submit to the Council an assessment verifying that the owner has developed and effectively implemented cybersecurity measures sufficient to satisfy the outcome-based cybersecurity practices established under section 103.

(4) CERTIFICATION- Upon receipt of a self-certification under paragraph (3)(B)(i) or an assessment under paragraph (3)(B)(ii) the Council shall certify an owner.

(5) NONPERFORMANCE- If the Council determines that a certified owner is not in compliance with the cybersecurity practices established under section 103, the Council shall--

(A) notify the certified owner of such determination; and

(B) work with the certified owner to remediate promptly any deficiencies.

(6) REVOCATION- If a certified owner fails to remediate promptly any deficiencies identified by the Council, the Council shall revoke the certification of the certified owner.

(7) REDRESS-

(A) IN GENERAL- If the Council revokes a certification under paragraph (6), the Council shall--

(i) notify the owner of such revocation; and

(ii) provide the owner with specific cybersecurity measures that, if implemented, would remediate any deficiencies.

(B) RECERTIFICATION- If the Council determines that an owner has remedied any deficiencies and is in compliance with the cybersecurity practices, the Council may recertify the owner.

(b) Assessments-

(1) THIRD-PARTY ASSESSMENTS- The Council, in consultation with owners and operators and the Critical Infrastructure Protection Advisory Council, shall enter into agreements with qualified third-party private entities, to conduct assessments that use reliable, repeatable, performance-based evaluations and metrics to assess whether an owner certified under subsection (a)(3)(B)(ii) is in compliance with all applicable cybersecurity practices.

(2) TRAINING- The Council shall ensure that third party assessors described in paragraph (1) undergo regular training and accreditation.

(3) OTHER ASSESSMENTS- Using the procedures developed under this section, the Council may perform cybersecurity assessments of a certified owner based on actual knowledge or a reasonable suspicion that the certified owner is not in compliance with the cybersecurity practices or any other risk-based factors as identified by the Council.

(4) NOTIFICATION- The Council shall provide copies of any assessments by the Federal Government to the certified owner.

(5) ACCESS TO INFORMATION-

(A) IN GENERAL- For the purposes of an assessment conducted under this subsection, a certified owner shall provide the Council, or a third party assessor, any reasonable access necessary to complete an assessment.

(B) PROTECTION OF INFORMATION- Information provided to the Council, the Council’s designee, or any assessor during the course of an assessment under this section shall be protected from disclosure in accordance with section 106.

(c) Benefits of Certification-

(1) LIMITATIONS ON CIVIL LIABILITY-

(A) IN GENERAL- In any civil action for damages directly caused by an incident related to a cyber risk identified through an assessment conducted under section 102(a), a certified owner shall not be liable for any punitive damages intended to punish or deter if the certified owner is in substantial compliance with the appropriate cybersecurity practices at the time of the incident related to that cyber risk.

(B) LIMITATION- Subparagraph (A) shall only apply to harm directly caused by the incident related to the cyber risk and shall not apply to damages caused by any additional or intervening acts or omissions by the owner.

(2) EXPEDITED SECURITY CLEARANCE PROCESS- The Council, in coordination with the Office of the Director of National Intelligence, shall establish a procedure to expedite the provision of security clearances to appropriate personnel employed by a certified owner.

(3) PRIORITIZED TECHNICAL ASSISTANCE- The Council shall ensure that certified owners are eligible to receive prioritized technical assistance.

(4) PROVISION OF CYBER THREAT INFORMATION- The Council shall develop, in coordination with certified owners, a procedure for ensuring that certified owners are, to the maximum extent practicable and consistent with the protection of sources and methods, informed of relevant real-time cyber threat information.

(5) PUBLIC RECOGNITION- With the approval of a certified owner, the Council may publicly recognize the certified owner if the Council determines such recognition does not pose a risk to the security of critical cyber infrastructure.

(6) STUDY TO EXAMINE BENEFITS OF PROCUREMENT PREFERENCE-

(A) IN GENERAL- The Federal Acquisition Regulatory Council, in coordination with the Council and with input from relevant private sector individuals and entities, shall conduct a study examining the potential benefits of establishing a procurement preference for the Federal Government for certified owners.

(B) AREAS- The study under subparagraph (A) shall include a review of--

(i) potential persons and related property and services that could be eligible for preferential consideration in the procurement process;

(ii) development and management of an approved list of categories of property and services that could be eligible for preferential consideration in the procurement process;

(iii) appropriate mechanisms to implement preferential consideration in the procurement process, including--

(I) establishing a policy encouraging Federal agencies to conduct market research and industry outreach to identify property and services that adhere to relevant cybersecurity practices;

(II) authorizing the use of a mark for the Voluntary Cybersecurity Program for Critical Infrastructure to be used for marketing property or services to the Federal Government;

(III) establishing a policy of encouraging procurement of certain property and services from an approved list;

(IV) authorizing the use of a preference by Federal agencies in the evaluation process; and

(V) authorizing a requirement in certain solicitations that the person providing the property or services be a certified owner; and

(iv) benefits of and impact on the economy and efficiency of the Federal procurement system, if preferential consideration were given in the procurement process to encourage the procurement of property and services that adhere to relevant baseline performance goals established under the Voluntary Cybersecurity Program for Critical Infrastructure.

SEC. 105. RULES OF CONSTRUCTION.
Nothing in this title shall be construed to--

(1) limit the ability of a Federal agency with responsibilities for regulating the security of critical infrastructure from requiring that the cybersecurity practices developed under section 103 be met;

(2) provide additional authority for any sector-specific agency or any Federal agency that is not a sector-specific agency with responsibilities for regulating the security of critical infrastructure to establish standards or other cybersecurity measures that are applicable to the security of critical infrastructure not otherwise authorized by law;

(3) limit or restrict the authority of the Department, or any other Federal agency, under any other provision of law; or

(4) permit any owner (including a certified owner) to fail to comply with any other law or regulation, unless specifically authorized.

SEC. 106. PROTECTION OF INFORMATION.
(a) Definitions- In this section--

(1) the term ‘covered information’ means any information--

(A) submitted as part of the process established under section 102(a)(3);

(B) submitted under section 102(b)(2)(C);

(C) required to be submitted by owners under section 102(b)(4);

(D) provided to the Secretary, the Secretary’s designee, or any assessor during the course of an assessment under section 104; or

(E) provided to the Secretary or the Inspector General of the Department through the tip line or another secure channel established under subsection (c); and

(2) the term ‘Inspector General’ means an Inspector General described in subparagraph (A), (B), or (I) of section 11(b)(1) of the Inspector General Act of 1978 (5 U.S.C. App.), the Inspector General of the United States Postal Service, the Inspector General of the Central Intelligence Agency, and the Inspector General of the Intelligence Community.

(b) Critical Infrastructure Information-

(1) IN GENERAL- Covered information shall be treated as voluntarily shared critical infrastructure information under section 214 of the Homeland Security Act of 2002 (

(2) SAVINGS CLAUSE FOR EXISTING WHISTLEBLOWER PROTECTIONS- With respect to covered information, the rights and protections relating to disclosure by individuals of voluntarily shared critical infrastructure information submitted under subtitle B of title II of the Homeland Security Act of 2002 (

(c) Critical Infrastructure Cyber Security Tip Line-

(1) IN GENERAL- The Secretary shall establish and publicize the availability of a Critical Infrastructure Cyber Security Tip Line (and any other secure means the Secretary determines would be desirable to establish), by which individuals may report--

(A) concerns involving the security of covered critical infrastructure against cyber risks; and

(B) concerns (in addition to any concerns described under subparagraph (A)) with respect to programs and functions authorized or funded under this title involving--

(i) a possible violation of any law, rule, regulation or guideline;

(ii) mismanagement;

(iii) risk to public health, safety, security, or privacy; or

(iv) other misfeasance or nonfeasance.

(2) DESIGNATION OF EMPLOYEES- The Secretary and the Inspector General of the Department shall each designate employees authorized to receive concerns reported under this subsection that include--

(A) disclosure of covered information; or

(B) any other disclosure of information that is specifically prohibited by law or is specifically required by Executive order to be kept secret in the interest of national defense or the conduct of foreign affairs.

(3) HANDLING OF CERTAIN CONCERNS- A concern described in paragraph (1)(B)--

(A) shall be received initially by the Inspector General of the Department;

(B) shall not be provided initially to the Secretary; and

(C) may be provided to the Secretary if determined appropriate by the Inspector General of the Department.

(d) Rules of Construction- Nothing in this section shall be construed to--

(1) limit or otherwise affect the right, ability, duty, or obligation of any entity to use or disclose any information of that entity, including in the conduct of any judicial or other proceeding;

(2) prevent the classification of information submitted under this section if that information meets the standards for classification under Executive Order 12958, or any successor thereto, or affect measures and controls relating to the protection of classified information as prescribed by Federal statute or under Executive Order 12958, or any successor thereto;

(3) limit or otherwise affect the ability of an entity, agency, or authority of a State, a local government, or the Federal Government or any other individual or entity under applicable law to obtain information that is not covered information (including any information lawfully and properly disclosed generally or broadly to the public) and to use such information in any manner permitted by law, including the disclosure of such information under--

(A) section 552 or 2302(b)(8) of title 5, United States Code;

(B)

(C) any other Federal, State, or local law, ordinance, or regulation that protects against retaliation an individual who discloses information that the individual reasonably believes evidences a violation of any law, rule, or regulation, gross mismanagement, substantial and specific danger to public health, safety, or security, or other misfeasance or nonfeasance;

(4) prevent the Secretary from using information required to be submitted under this Act for enforcement of this title, including enforcement proceedings subject to appropriate safeguards;

(5) authorize information to be withheld from any committee of Congress, the Comptroller General, or any Inspector General;

(6) affect protections afforded to trade secrets under any other provision of law; or

(7) create a private right of action for enforcement of any provision of this section.

(e) Audit-

(1) IN GENERAL- Not later than 1 year after the date of enactment of this Act, the Inspector General of the Department shall conduct an audit of the management of covered information under this title and report the findings to appropriate congressional committees.

(2) CONTENTS- The audit under paragraph (1) shall include assessments of--

(A) whether the covered information is adequately safeguarded against inappropriate disclosure;

(B) the processes for marking and disseminating the covered information and resolving any disputes;

(C) how the covered information is used for the purposes of this title, and whether that use is effective;

(D) whether sharing of covered information has been effective to fulfill the purposes of this title;

(E) whether the kinds of covered information submitted have been appropriate and useful, or overbroad or overnarrow;

(F) whether the protections of covered information allow for adequate accountability and transparency of the regulatory, enforcement, and other aspects of implementing this title; and

(G) any other factors at the discretion of the Inspector General of the Department.

SEC. 107. ANNUAL ASSESSMENT OF CYBERSECURITY.
(a) In General- Not later than 1 year after the date of enactment of this Act, and every year thereafter, the Council shall submit to the appropriate congressional committees a report on the effectiveness of this title in reducing the risk of cyber attack to critical infrastructure.

(b) Contents- Each report submitted under subsection (a) shall include--

(1) a discussion of cyber risks and associated consequences and whether the cybersecurity practices developed under section 103 are sufficient to effectively remediate and mitigate cyber risks and associated consequences; and

(2) an analysis of--

(A) whether owners of critical cyber infrastructure are successfully implementing the cybersecurity practices adopted under section 103;

(B) whether the critical infrastructure of the United States is effectively secured from cybersecurity threats, vulnerabilities, and consequences;

(C) whether Federal agencies with responsibilities for regulating the security of critical infrastructure are adequately adopting and enforcing the cybersecurity practices adopted under section 103; and

(D) whether additional legislative authority or other actions are needed to effectively remediate or mitigate cyber risks and associated consequences.

(c) Form of Report- A report submitted under this subsection shall be submitted in an unclassified form, but may include a classified annex, if necessary.

SEC. 108. INTERNATIONAL COOPERATION.
(a) In General- The Secretary, in coordination with the Secretary of State, the heads of appropriate sector-specific agencies, and the heads of any appropriate Federal agency with responsibilities for regulating the security of covered critical infrastructure, shall--

(1) consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage within the United States and the government of the country in which the information infrastructure is located of any cyber risks to such information infrastructure; and

(2) coordinate with the government of the country in which such information infrastructure is located and, as appropriate, the owner or operator of the information infrastructure regarding the implementation of cybersecurity measures or other measures to the information infrastructure to mitigate or remediate cyber risks.

(b) International Agreements- The Secretary, in coordination with the Secretary of State, including in particular with the interpretation of international agreements, shall perform the functions prescribed by this section consistent with applicable international agreements.

SEC. 109. EFFECT ON OTHER LAWS.
Except as expressly provided in section 104(c)(1) and section 106, nothing in this Act shall be construed to preempt the applicability of any State law or requirement.

SEC. 110. DEFINITIONS.
In this title:

(1) CERTIFIED OWNER- The term ‘certified owner’ means an owner of critical cyber infrastructure or an owner of critical infrastructure that is certified by the Council under section 104(a)(4).

(2) CYBER RISK- The term ‘cyber risk’ means any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of critical infrastructure.

(3) SECTOR COORDINATING COUNCIL- The term ‘sector coordinating council’ means a private sector coordinating council comprised of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan.

(4) SECTOR-SPECIFIC AGENCY- The term ‘sector-specific agency’ means the relevant Federal agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category under the National Infrastructure Protection Plan, or any other appropriate Federal agency identified by the President after the date of enactment of this Act.

TITLE II--FEDERAL INFORMATION SECURITY MANAGEMENT AND CONSOLIDATING RESOURCES

SEC. 201. FISMA REFORM.
(a) In General- Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:

‘SUBCHAPTER II--INFORMATION SECURITY
‘Sec. 3551. Purposes
‘The purposes of this subchapter are to--
‘(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
‘(2) recognize the highly networked nature of the Federal computing environment and provide effective governmentwide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
‘(3) provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture; and
‘(4) provide a mechanism to improve and continuously monitor the security of agency information security programs and systems through a focus on continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.
‘Sec. 3552. Definitions
‘(a) In General- Except as provided under subsection (b), the definitions under section 3502 (including the definitions of the terms ‘agency’ and ‘information system’) shall apply to this subchapter.
‘(b) Other Terms- In this subchapter:
‘(1) ADEQUATE SECURITY- The term ‘adequate security’ means security commensurate with the risk and impact resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
‘(2) CONTINUOUS MONITORING- The term ‘continuous monitoring’ means the ongoing real time or near real-time process used to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time in light of rapidly changing information technology and threat development. To the maximum extent possible, this also requires automation of that process to enable cost effective, efficient, and consistent monitoring and provide a more dynamic view of the security state of those deployed controls.
‘(3) COUNTERMEASURE- The term ‘countermeasure’ means automated or manual actions with defensive intent to modify or block data packets associated with electronic or wire communications, Internet traffic, program code, or other system traffic transiting to or from or stored on an information system for the purpose of protecting the information system from cybersecurity threats, conducted on an information system owned or operated by or on behalf of the party to be protected or operated by a private entity acting as a provider of electronic communication services, remote computing services, or cybersecurity services to the party to be protected.
‘(4) INCIDENT- The term ‘incident’ means an occurrence that--
‘(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
‘(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
‘(5) INFORMATION SECURITY- The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide--
‘(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring nonrepudiation and authenticity;
‘(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
‘(C) availability, which means ensuring timely and reliable access to and use of information.
‘(6) INFORMATION TECHNOLOGY- The term ‘information technology’ has the meaning given that term in section 11101 of title 40.
‘(7) NATIONAL SECURITY SYSTEM-
‘(A) IN GENERAL- The term ‘national security system’ means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
‘(i) the function, operation, or use of which--
‘(I) involves intelligence activities;
‘(II) involves cryptologic activities related to national security;
‘(III) involves command and control of military forces;
‘(IV) involves equipment that is an integral part of a weapon or weapons system; or
‘(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
‘(ii) that is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
‘(B) EXCLUSION- Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
‘(8) SECRETARY- The term ‘Secretary’ means the Secretary of Homeland Security.
‘Sec. 3553. Federal information security authority and coordination
‘(a) In General- Except as provided in subsections (f) and (g), the Secretary shall oversee agency information security policies and practices, including the development and oversight of information security policies and directives and compliance with this subchapter.
‘(b) Duties- The Secretary shall--
‘(1) develop, issue, and oversee the implementation of information security policies and directives, which shall be compulsory and binding on agencies to the extent determined appropriate by the Secretary, including--
‘(A) policies and directives consistent with the standards promulgated under section 11331 of title 40 to identify and provide information security protections that are commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
‘(i) information collected, created, processed, stored, disseminated, or otherwise used or maintained by or on behalf of an agency; or
‘(ii) information systems used or operated by an agency or by a contractor of an agency or other organization, such as a State government entity, on behalf of an agency;
‘(B) minimum operational requirements for network operations centers and security operations centers of agencies to facilitate the protection of and provide common situational awareness for all agency information and information systems;
‘(C) reporting requirements, consistent with relevant law, regarding information security incidents;
‘(D) requirements for agencywide information security programs, including continuous monitoring of information security;
‘(E) performance requirements and metrics for the security of agency information systems;
‘(F) training requirements to ensure that agencies are able to fully and timely comply with directions issued by the Secretary under this subchapter;
‘(G) training requirements regarding privacy, civil rights, civil liberties, and information oversight for agency information security employees;
‘(H) requirements for the annual reports to the Secretary under section 3554(c); and
‘(I) any other information security requirements as determined by the Secretary;
‘(2) review agency information security programs required to be developed under section 3554(b);
‘(3) develop and conduct targeted risk assessments and operational evaluations for agency information and information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments and penetration testing;
‘(4) operate consolidated intrusion detection, prevention, or other protective capabilities and use associated countermeasures for the purpose of protecting agency information and information systems from information security threats;
‘(5) in conjunction with other agencies and the private sector, assess and foster the development of information security technologies and capabilities for use across multiple agencies;
‘(6) designate an entity to receive reports and information about information security incidents, threats, and vulnerabilities affecting agency information systems;
‘(7) provide incident detection, analysis, mitigation, and response information and remote or on-site technical assistance to the heads of agencies;CommentsClose CommentsPermalink
‘(8) coordinate with appropriate agencies and officials to ensure, to the maximum extent feasible, that policies and directives issued under paragraph (1) are complementary with--CommentsClose CommentsPermalink
‘(A) standards and guidelines developed for national security systems; andCommentsClose CommentsPermalink
‘(B) policies and directives issued by the Secretary of Defense, Director of the Central Intelligence Agency, and Director of National Intelligence under subsection (g)(1); and
‘(9) not later than March 1 of each year, submit to Congress a report on agency compliance with the requirements of this subchapter, which shall include--
‘(A) a summary of the incidents described by the reports required in section 3554(c);
‘(B) a summary of the results of assessments required by section 3555;
‘(C) a summary of the results of evaluations required by section 3556;
‘(D) significant deficiencies in agency information security practices as identified in the reports, assessments, and evaluations referred to in subparagraphs (A), (B), and (C), or otherwise; and
‘(E) planned remedial action to address any deficiencies identified under subparagraph (D).
‘(c) Issuing Policies and Directives- When issuing policies and directives under subsection (b), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology and issued by the Secretary of Commerce under section 11331 of title 40. The Secretary shall consult with the Director of the National Institute of Standards and Technology when such policies and directives implement standards or guidelines developed by the National Institute of Standards and Technology. To the maximum extent feasible, such standards and guidelines shall be complementary with standards and guidelines developed for national security systems.
‘(d) Communications and System Traffic-
‘(1) IN GENERAL- Notwithstanding any other provision of law, in carrying out the responsibilities under paragraphs (3) and (4) of subsection (b), if the Secretary makes a certification described in paragraph (2), the Secretary may acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on agency information systems and deploy countermeasures with regard to the communications and system traffic.
‘(2) CERTIFICATION- A certification described in this paragraph is a certification by the Secretary that--
‘(A) the acquisitions, interceptions, and countermeasures are reasonably necessary for the purpose of protecting agency information systems from information security threats;
‘(B) the content of communications will be collected and retained only when the communication is associated with a known or reasonably suspected information security threat, and communications and system traffic will not be subject to the operation of a countermeasure unless associated with the threats;
‘(C) information obtained under activities authorized under this subsection will only be retained, used, or disclosed to protect agency information systems from information security threats, mitigate against such threats, or, with the approval of the Attorney General, for law enforcement purposes when--
‘(i) the information is evidence of a crime that has been, is being, or is about to be committed; and
‘(ii) disclosure of the information to a law enforcement agency is not otherwise prohibited by law;
‘(D) notice has been provided to users of agency information systems concerning the potential for acquisition, interception, retention, use, and disclosure of communications and other system traffic; and
‘(E) the activities are implemented pursuant to policies and procedures governing the acquisition, interception, retention, use, and disclosure of communications and other system traffic that have been reviewed and approved by the Attorney General.
‘(3) PRIVATE ENTITIES- The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic or to deploy countermeasures in accordance with this subsection.
‘(e) Directions to Agencies-
‘(1) AUTHORITY-
‘(A) IN GENERAL- Notwithstanding section 3554, and subject to subparagraph (B), in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, the Secretary may direct other agency heads to take any lawful action with respect to the operation of the information systems, including those owned or operated by another entity on behalf of an agency, that collect, process, store, transmit, disseminate, or otherwise maintain agency information, for the purpose of protecting the information system from or mitigating an information security threat.
‘(B) EXCEPTION- The authorities of the Secretary under this subsection shall not apply to a system described in paragraph (2), (3), or (4) of subsection (g).
‘(2) PROCEDURES FOR USE OF AUTHORITY- The Secretary shall--
‘(A) in coordination with the Director of the Office of Management and Budget and, as appropriate, in consultation with operators of information systems, establish procedures governing the circumstances under which a directive may be issued under this subsection, which shall include--
‘(i) thresholds and other criteria;
‘(ii) privacy and civil liberties protections; and
‘(iii) providing notice to potentially affected third parties;
‘(B) specify the reasons for the required action and the duration of the directive;
‘(C) minimize the impact of directives under this subsection by--
‘(i) adopting the least intrusive means possible under the circumstances to secure the agency information systems; and
‘(ii) limiting directives to the shortest period practicable; and
‘(D) notify the Director of the Office of Management and Budget and head of any affected agency immediately upon the issuance of a directive under this subsection.
‘(3) IMMINENT THREATS-
‘(A) IN GENERAL- If the Secretary determines that there is an imminent threat to agency information systems and a directive under this subsection is not reasonably likely to result in a timely response to the threat, the Secretary may authorize the use of protective capabilities under the control of the Secretary for communications or other system traffic transiting to or from or stored on an agency information system without prior consultation with the affected agency for the purpose of ensuring the security of the information or information system or other agency information systems.
‘(B) LIMITATION ON DELEGATION- The authority under this paragraph may not be delegated to an official in a position lower than Assistant Secretary or Director of the National Cybersecurity and Communications Integration Center.
‘(C) NOTICE- The Secretary or designee of the Secretary shall immediately notify the Director of the Office of Management and Budget and the head and chief information officer (or equivalent official) of each affected agency of--
‘(i) any action taken under this subsection; and
‘(ii) the reasons for and duration and nature of the action.
‘(D) OTHER LAW- The actions of the Secretary under this paragraph shall be consistent with applicable law.
‘(4) LIMITATION- The Secretary may direct or authorize lawful action or protective capability under this subsection only to--
‘(A) protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or
‘(B) require the remediation of or protect against identified information security risks with respect to--
‘(i) information collected or maintained by or on behalf of an agency; or
‘(ii) that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
‘(f) National Security Systems-
‘(1) IN GENERAL- This section shall not apply to a national security system.
‘(2) INFORMATION SECURITY- Information security policies, directives, standards, and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over national security systems.
‘(g) Delegation of Authorities-
‘(1) IN GENERAL- The authorities of the Secretary described in paragraphs (1), (2), (3), and (4) of subsection (b) shall be delegated to--
‘(A) the Secretary of Defense in the case of systems described in paragraph (2);
‘(B) the Director of the Central Intelligence Agency in the case of systems described in paragraph (3); and
‘(C) the Director of National Intelligence in the case of systems described in paragraph (4).
‘(2) DEPARTMENT OF DEFENSE- The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that process any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.
‘(3) CENTRAL INTELLIGENCE AGENCY- The systems described in this paragraph are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that process any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.
‘(4) OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE- The systems described in this paragraph are systems that are operated by the Office of the Director of National Intelligence, a contractor of the Office of the Director of National Intelligence, or another entity on behalf of the Office of the Director of National Intelligence that process any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Office of the Director of National Intelligence.
‘(5) INTEGRATION OF INFORMATION- The Secretary of Defense, the Director of the Central Intelligence Agency, and the Director of National Intelligence shall carry out their responsibilities under this subsection in coordination with the Secretary and share relevant information in a timely manner with the Secretary relating to the security of agency information and information systems, including systems described in paragraphs (2), (3), and (4), to enable the Secretary to carry out the responsibilities set forth in this section and to maintain comprehensive situational awareness regarding information security incidents, threats, and vulnerabilities affecting agency information systems, consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President.
‘Sec. 3554. Agency responsibilities
‘(a) In General- The head of each agency shall--
‘(1) be responsible for--
‘(A) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
‘(i) information collected, created, processed, stored, disseminated, or otherwise used or maintained by or on behalf of the agency; or
‘(ii) information systems used or operated by the agency or by a contractor of the agency or other organization, such as a State government entity, on behalf of the agency;
‘(B) complying with this subchapter, including--
‘(i) the policies and directives issued under section 3553, including any directions under section 3553(e); and
‘(ii) information security policies, directives, standards, and guidelines for national security systems issued in accordance with law and as directed by the President;
‘(C) complying with the requirements of the information security standards prescribed under section 11331 of title 40, including any required security configuration checklists; and
‘(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
‘(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under the control of the officials, including through--
‘(A) assessing, with a frequency commensurate with risk, the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information or information systems;
‘(B) determining the levels of information security appropriate to protect the information and information systems in accordance with the policies and directives issued under section 3553(b) and standards prescribed under section 11331 of title 40;
‘(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
‘(D) security testing and evaluation, including continuously monitoring the effective implementation of information security controls and techniques, threats, vulnerabilities, assets, and other aspects of information security as appropriate; and
‘(E) reporting information about information security incidents, threats, and vulnerabilities in a timely manner as required under policies and procedures established under subsection (b)(7);
‘(3) assess and maintain the resiliency of information systems critical to the mission and operations of the agency;
‘(4) delegate to the chief information officer or equivalent official (or to a senior agency official who reports to the chief information officer or equivalent official) the authority to ensure and primary responsibility for ensuring compliance with this subchapter, including--
‘(A) overseeing the establishment and maintenance of an agencywide security operations capability that on a continuous basis can--
‘(i) detect, report, respond to, contain, and mitigate information security incidents that impair adequate security of the agency information and information systems in a timely manner and in accordance with the policies and directives issued under section 3553(b); and
‘(ii) report any information security incident described under clause (i) to the entity designated under section 3553(b)(6);
‘(B) developing, maintaining, and overseeing an agencywide information security program as required under subsection (b);
‘(C) developing, maintaining, and overseeing information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3553 and section 11331 of title 40;
‘(D) training and overseeing employees and contractors of the agency with significant responsibilities for information security with respect to such responsibilities; and
‘(E) assisting senior agency officials concerning their responsibilities under paragraph (2);
‘(5) ensure that the agency has trained and obtained security clearances for an adequate number of employees to assist the agency in complying with this subchapter, including the policies and directives issued under section 3553(b);
‘(6) ensure that the chief information officer (or other senior agency official designated under paragraph (4)), in coordination with other senior agency officials, reports to the head of the agency on the effectiveness of the agency information security program, including the progress of remedial actions;
‘(7) ensure that the chief information officer (or other senior agency official designated under paragraph (4))--
‘(A) possesses the necessary qualifications to administer the duties of the official under this subchapter; and
‘(B) has information security duties as a primary duty of the official; and
‘(8) ensure that senior agency officials (including component chief information officers or equivalent officials) carry out responsibilities under this subchapter as directed by the official delegated authority under paragraph (4).
‘(b) Agency Program- The head of each agency shall develop, document, and implement an agencywide information security program, which shall be reviewed under section 3553(b)(2), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, which shall include--
‘(1) the development, execution, and maintenance of a risk management strategy for information security that--
‘(A) considers information security threats, vulnerabilities, and consequences; and
‘(B) includes periodic assessments and reporting of risk, with a frequency commensurate with risk and impact;CommentsClose CommentsPermalink
‘(2) policies and procedures that--CommentsClose CommentsPermalink
‘(A) are based on the risk management strategy and assessment results required under paragraph (1);CommentsClose CommentsPermalink
‘(B) reduce information security risks to an acceptable level in a cost-effective manner;CommentsClose CommentsPermalink
‘(C) ensure that cost-effective and adequate information security is addressed throughout the life cycle of each agency information system; andCommentsClose CommentsPermalink
‘(D) ensure compliance with--CommentsClose CommentsPermalink
‘(i) this subchapter;CommentsClose CommentsPermalink
‘(ii) the information security policies and directives issued under section 3553(b); andCommentsClose CommentsPermalink
‘(iii) any other applicable requirements;CommentsClose CommentsPermalink
‘(3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;CommentsClose CommentsPermalink
‘(4) security awareness training developed in accordance with the requirements issued under section 3553(b) to inform individuals with access to agency information systems, including information security employees, contractors, and other users of information systems that support the operations and assets of the agency, of--CommentsClose CommentsPermalink
‘(A) information security risks associated with their activities;CommentsClose CommentsPermalink
‘(B) their responsibilities in complying with agency policies and procedures designed to reduce those risks;CommentsClose CommentsPermalink
‘(C) requirements for fulfilling privacy, civil rights, civil liberties, and other information oversight responsibilities; andCommentsClose CommentsPermalink
‘(D) methods for individuals to report risks and incidents to relevant Offices of Inspectors General and the Secretary under section 106 of the Cybersecurity Act of 2012;CommentsClose CommentsPermalink
‘(5) security testing and evaluation commensurate with risk and impact that includes--CommentsClose CommentsPermalink
‘(A) risk-based continuous monitoring of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of management, operational, and technical controls of information systems identified in the inventory required under section 3505(c);CommentsClose CommentsPermalink
‘(B) penetration testing exercises and operational evaluations in accordance with the requirements issued under section 3553(b) to evaluate whether the agency adequately protects against, detects, and responds to incidents;CommentsClose CommentsPermalink
‘(C) vulnerability scanning, intrusion detection and prevention, and penetration testing, in accordance with the requirements issued under section 3553(b); andCommentsClose CommentsPermalink
‘(D) any other periodic testing and evaluation, in accordance with the requirements issued under section 3553(b);CommentsClose CommentsPermalink
‘(6) a process for ensuring that remedial actions are taken to mitigate information security vulnerabilities commensurate with risk and impact, and otherwise address any deficiencies in the information security policies, procedures, and practices of the agency;CommentsClose CommentsPermalink
‘(7) policies and procedures to ensure detection, mitigation, reporting, and responses to information security incidents, in accordance with the policies and directives issued under section 3553(b), including--CommentsClose CommentsPermalink
‘(A) ensuring timely internal reporting of information security incidents;CommentsClose CommentsPermalink
‘(B) establishing and maintaining appropriate technical capabilities to detect and mitigate risks associated with information security incidents;CommentsClose CommentsPermalink
‘(C) notifying and consulting with the entity designated by the Secretary under section 3553(b)(6); andCommentsClose CommentsPermalink
‘(D) notifying and consulting with--CommentsClose CommentsPermalink
‘(i) law enforcement agencies and relevant Offices of Inspectors General;CommentsClose CommentsPermalink
‘(ii) relevant committees of Congress, as appropriate; andCommentsClose CommentsPermalink
‘(iii) any other entity, in accordance with law and as directed by the President; andCommentsClose CommentsPermalink
‘(8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.CommentsClose CommentsPermalink
‘(c) Annual Agency Reporting- The head of each agency shall--CommentsClose CommentsPermalink
‘(1) report annually to the Committee on Government Reform and the Committee on Science, Space, and Technology of the House of Representatives, the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate, any other appropriate committees of Congress, and the Secretary on the adequacy and effectiveness of information security policies, procedures, and practices, including--CommentsClose CommentsPermalink
‘(A) a description of each major information security incident, or set of related incidents, resulting in significant compromise of information security, including a summary of--CommentsClose CommentsPermalink
‘(i) the threats, vulnerabilities, and impact of the incident;CommentsClose CommentsPermalink
‘(ii) the system risk assessment conducted before the incident and required under section 3554(a)(2); andCommentsClose CommentsPermalink
‘(iii) the detection and response actions taken;CommentsClose CommentsPermalink
‘(B) the number of information security incidents within the agency resulting in significant compromise of information security, presented by system impact level, type of incident, and location;CommentsClose CommentsPermalink
‘(C) the total number of information security incidents within the agency, presented by system impact level, type of incident, and location;CommentsClose CommentsPermalink
‘(D) an identification and analysis of, including actions and plans to address, any significant deficiencies identified in such policies, procedures and practices;CommentsClose CommentsPermalink
‘(E) any information or evaluation required under the reporting requirements issued under section 3553(b); andCommentsClose CommentsPermalink
‘(2) address the adequacy and effectiveness of the information security policies, procedures, and practices of the agency as required for management and budget plans and reports, as appropriate.CommentsClose CommentsPermalink
‘(d) Communications and System Traffic- Notwithstanding any other provision of law, the head of each agency is authorized to allow the Secretary, or a private entity providing assistance to the Secretary under section 3553, to acquire, intercept, retain, use, and disclose communications, system traffic, records, or other information transiting to or from or stored on an agency information system for the purpose of protecting agency information and information systems from information security threats or mitigating the threats in connection with the implementation of the information security capabilities authorized by paragraph (3) or (4) of section 3553(b).CommentsClose CommentsPermalink
‘Sec. 3555. Annual assessments
‘(a) In General- Except as provided in subsection (c), the Secretary shall conduct periodic assessments of the information security programs and practices of agencies based on the annual agency reports required under section 3554(c), the annual independent evaluations required under section 3556, the results of any continuous monitoring, and other available information.CommentsClose CommentsPermalink
‘(b) Contents- Each assessment conducted under subsection (a) shall--CommentsClose CommentsPermalink
‘(1) assess the effectiveness of agency information security policies, procedures, and practices;CommentsClose CommentsPermalink
‘(2) provide an assessment of the status of agency information system security for the Federal Government as a whole; andCommentsClose CommentsPermalink
‘(3) include recommendations for improving information system security for an agency or the Federal Government as a whole.CommentsClose CommentsPermalink
‘(c) Certain Information Systems-CommentsClose CommentsPermalink
‘(1) NATIONAL SECURITY SYSTEMS- A periodic assessment conducted under subsection (a) relating to a national security system shall be prepared as directed by the President.CommentsClose CommentsPermalink
‘(2) SPECIFIC AGENCIES- Periodic assessments conducted under subsection (a) shall be prepared in accordance with governmentwide reporting requirements by--CommentsClose CommentsPermalink
‘(A) the Secretary of Defense for information systems under the control of the Department of Defense;CommentsClose CommentsPermalink
‘(B) the Director of the Central Intelligence Agency for information systems under the control of the Central Intelligence Agency; andCommentsClose CommentsPermalink
‘(C) the Director of National Intelligence for information systems under the control of the Office of the Director of National Intelligence.CommentsClose CommentsPermalink
‘(d) Agency-specific Assessments- Each assessment conducted under subsection (a) that relates, in whole or in part, to the information systems of an agency shall be made available to the head of the agency.CommentsClose CommentsPermalink
‘(e) Protection of Information- In conducting assessments under subsection (a), the Secretary shall take appropriate actions to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and policies.CommentsClose CommentsPermalink
‘(f) Report to Congress- The Secretary, in coordination with the Secretary of Defense, the Director of the Central Intelligence Agency, and the Director of National Intelligence, shall evaluate and submit to Congress an annual report on the adequacy and effectiveness of the information security programs and practices assessed under this section.CommentsClose CommentsPermalink
‘Sec. 3556. Independent evaluations
‘(a) In General- Not less than annually, an independent evaluation of the information security program and practices of each agency shall be performed to assess the effectiveness of the programs and practices.
‘(b) Contents- Each evaluation performed under subsection (a) shall include--
‘(1) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the information systems of the agency; and
‘(2) an assessment of the effectiveness of the information security policies, procedures, and practices of the agency.
‘(c) Conduct of Independent Evaluations- Except as provided in subsection (f), an evaluation of an agency under subsection (a) shall be performed by--
‘(1) the Inspector General of the agency;
‘(2) at the discretion of the Inspector General of the agency, an independent entity entering a contract with the Inspector General to perform the evaluation; or
‘(3) if the agency does not have an Inspector General, an independent entity selected by the head of the agency, in consultation with the Secretary.
‘(d) Previously Conducted Evaluations- The evaluation required by this section may be based in whole or in part on a previously conducted audit, evaluation, or report relating to programs or practices of the applicable agency.
‘(e) Reports- The official or entity performing an evaluation of an agency under subsection (a) shall submit to Congress, the agency, and the Comptroller General of the United States a report regarding the evaluation. The head of the agency shall provide to the Secretary a report received under this subsection.
‘(f) National Security Systems- An evaluation under subsection (a) of a national security system shall be performed as directed by the President.
‘(g) Comptroller General- The Comptroller General of the United States shall periodically evaluate and submit to Congress reports on--
‘(1) the adequacy and effectiveness of the information security policies and practices of agencies; and
‘(2) implementation of this subchapter.
‘Sec. 3557. National security systems
‘The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency--
‘(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized use, disclosure, disruption, modification, or destruction of the information contained in the national security system;
‘(2) implements information security policies and practices as required by standards and guidelines for national security systems issued in accordance with law and as directed by the President; and
‘(3) complies with this subchapter.
‘Sec. 3558. Effect on existing law
‘Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over the agency.’.
(b) Technical and Conforming Amendment- The table of sections for chapter 35 of title 44 is amended by striking the matter relating to subchapters II and III and inserting the following:
‘subchapter ii--information security
‘Sec. 3551. Purposes.
‘Sec. 3552. Definitions.
‘Sec. 3553. Federal information security authority and coordination.
‘Sec. 3554. Agency responsibilities.
‘Sec. 3555. Annual assessments.
‘Sec. 3556. Independent evaluations.
‘Sec. 3557. National security systems.
‘Sec. 3558. Effect on existing law.’.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General-

‘Sec. 11331. Responsibilities for Federal information systems standards
‘(a) Definitions- In this section:
‘(1) FEDERAL INFORMATION SYSTEM- The term ‘Federal information system’ means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another entity on behalf of an executive agency.
‘(2) INFORMATION SECURITY- The term ‘information security’ has the meaning given that term in section 3552 of title 44.
‘(3) NATIONAL SECURITY SYSTEM- The term ‘national security system’ has the meaning given that term in section 3552 of title 44.
‘(b) Standards and Guidelines-
‘(1) AUTHORITY TO PRESCRIBE- Except as provided under paragraph (2), and based on the standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)), the Secretary of Commerce, in consultation with the Secretary of Homeland Security, shall prescribe standards and guidelines relating to Federal information systems.
‘(2) NATIONAL SECURITY SYSTEMS- Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.
‘(c) Mandatory Requirements-
‘(1) AUTHORITY TO MAKE MANDATORY- The Secretary of Commerce may require executive agencies to comply with the standards prescribed under subsection (b)(1) to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems.
‘(2) REQUIRED MANDATORY STANDARDS-
‘(A) IN GENERAL- The Secretary of Commerce shall require executive agencies to comply with the standards described in subparagraph (B).
‘(B) CONTENTS- The standards described in this subparagraph are information security standards that--
‘(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and
‘(ii) are otherwise necessary to improve the security of Federal information and Federal information systems.
‘(d) Authority To Disapprove or Modify- The President may disapprove or modify the standards and guidelines prescribed under subsection (b)(1) if the President determines such action to be in the public interest. The authority of the President to disapprove or modify the standards and guidelines may be delegated to the Director of the Office of Management and Budget. Notice of a disapproval or modification under this subsection shall be published promptly in the Federal Register. Upon receiving notice of a disapproval or modification, the Secretary of Commerce shall immediately rescind or modify the standards or guidelines as directed by the President or the Director of the Office of Management and Budget.
‘(e) Exercise of Authority- To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority under this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.
‘(f) Application of More Stringent Standards- The head of an executive agency may employ standards for the cost-effective information security for Federal information systems of that agency that are more stringent than the standards prescribed by the Secretary of Commerce under subsection (b)(1) if the more stringent standards--
‘(1) contain any standards with which the Secretary of Commerce has required the agency to comply; and
‘(2) are otherwise consistent with the policies and directives issued under section 3553(b) of title 44.
‘(g) Decisions on Promulgation of Standards- The decision by the Secretary of Commerce regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).’.
(b) Technical and Conforming Amendments-
(1) Section 3502(8) of title 44, United States Code, is amended by inserting ‘hosting,’ after ‘collection,’.
(2) The National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is amended--
(A) in section 20(a)(2) (15 U.S.C. 278g-3(a)(2)), by striking ‘section 3532(b)(2)’ and inserting ‘section 3552(b)’; and
(B) in section 21(b) (15 U.S.C. 278g-4(b))--
(i) in paragraph (2), by inserting ‘, the Secretary of Homeland Security,’ after ‘the Institute’; and
(ii) in paragraph (3), by inserting ‘the Secretary of Homeland Security,’ after ‘the Secretary of Commerce,’.
(3) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ‘section 3532(3)’ and inserting ‘section 3552(b)’.
(4) Part IV of title 10, United States Code, is amended--
(A) in section 2222(j)(5), by striking ‘section 3542(b)(2)’ and inserting ‘section 3552(b)’;
(B) in section 2223(c)(3), by striking ‘section 3542(b)(2)’ and inserting ‘section 3552(b)’; and
(C) in section 2315, by striking ‘section 3542(b)(2)’ and inserting ‘section 3552(b)’.
(5) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ‘section 3534(b)’ and inserting ‘section 3554(b)’.
SEC. 203. SAVINGS PROVISIONS.
(a) In General- Policies and compliance guidance issued by the Director of the Office of Management and Budget before the date of enactment of this Act under section 3543(a)(1) of title 44 (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed under section 3553(b)(1) of title 44, as added by this Act.

(b) Other Standards and Guidelines- Standards and guidelines issued by the Secretary of Commerce or by the Director of the Office of Management and Budget before the date of enactment of this Act under section 11331(b)(1) of title 40 (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed under section 11331(b)(1), as added by this Act.

SEC. 204. CONSOLIDATION OF EXISTING DEPARTMENTAL CYBER RESOURCES AND AUTHORITIES.
(a) In General- Title II of the Homeland Security Act of 2002 (

‘Subtitle E--Cybersecurity
‘SEC. 241. DEFINITIONS.
‘In this subtitle:
‘(1) AGENCY INFORMATION INFRASTRUCTURE- The term ‘agency information infrastructure’ means the Federal information infrastructure of a particular Federal agency.
‘(2) CENTER- The term ‘Center’ means the National Center for Cybersecurity and Communications established under section 242.
‘(3) DAMAGE- The term ‘damage’ has the meaning given that term in section 1030(e) of title 18, United States Code.
‘(4) FEDERAL AGENCY- The term ‘Federal agency’ has the meaning given the term ‘agency’ in section 3502 of title 44, United States Code.
‘(5) FEDERAL CYBERSECURITY CENTER- The term ‘Federal cybersecurity center’ has the meaning given that term in section 708 of the Cybersecurity Act of 2012.
‘(6) FEDERAL ENTITY- The term ‘Federal entity’ has the meaning given that term in section 708 of the Cybersecurity Act of 2012.
‘(7) FEDERAL INFORMATION INFRASTRUCTURE- The term ‘Federal information infrastructure’--
‘(A) means information and information systems that are owned, operated, controlled, or licensed solely for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and
‘(B) does not include--
‘(i) a national security system; or
‘(ii) information and information systems that are owned, operated, controlled, or licensed for use solely by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community.
‘(8) INCIDENT- The term ‘incident’ has the meaning given that term in section 3552 of title 44, United States Code.
‘(9) INFORMATION SECURITY- The term ‘information security’ has the meaning given that term in section 3552 of title 44, United States Code.
‘(10) INFORMATION SYSTEM- The term ‘information system’ has the meaning given that term in section 3502 of title 44, United States Code.
‘(11) INTELLIGENCE COMMUNITY- The term ‘intelligence community’ has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)).
‘(12) NATIONAL SECURITY AND EMERGENCY PREPAREDNESS COMMUNICATIONS INFRASTRUCTURE- The term ‘national security and emergency preparedness communications infrastructure’ means the systems supported or covered by the Office of Emergency Communications and the National Communications System on the date of enactment of the Cybersecurity Act of 2012 or otherwise described in Executive Order 12472, or any successor thereto, relating to national security and emergency preparedness communications functions.
‘(13) NATIONAL INFORMATION INFRASTRUCTURE- The term ‘national information infrastructure’ means information and information systems--
‘(A) that are owned, operated, or controlled, in whole or in part, within or from the United States; and
‘(B) that are not owned, operated, controlled, or licensed for use by a Federal agency.
‘(14) NATIONAL SECURITY SYSTEM- The term ‘national security system’ has the meaning given that term in section 3552 of title 44, United States Code.
‘(15) NON-FEDERAL ENTITY- The term ‘non-Federal entity’ has the meaning given that term in section 708 of the Cybersecurity Act of 2012.
‘SEC. 242. CONSOLIDATION OF EXISTING RESOURCES.
‘(a) Establishment- There is established within the Department a National Center for Cybersecurity and Communications.
‘(b) Transfer of Functions- There are transferred to the Center the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System, including all the functions, personnel, assets, authorities, and liabilities of the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System.
‘(c) Director- The Center shall be headed by a Director, who shall be appointed by the President, by and with the advice and consent of the Senate, and who shall report directly to the Secretary.
‘(d) Duties- The Director of the Center shall--
‘(1) manage Federal efforts to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States, working cooperatively with appropriate government agencies and the private sector;
‘(2) support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure;
‘(3) prioritize the efforts of the Center to address the most significant risks and incidents that have caused or are likely to cause damage to the Federal information infrastructure, the national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States;
‘(4) ensure, in coordination with the privacy officer designated under subsection (j), the privacy officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons; and
‘(5) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and the national security and emergency preparedness communications infrastructure of the United States.
‘(e) Authorities and Responsibilities of Center- The Center shall--
‘(1) engage in activities and otherwise coordinate Federal efforts to identify, protect against, remediate, and mitigate, respond to, and recover from cybersecurity threats, consequences, vulnerabilities and incidents impacting the Federal information infrastructure and the national information infrastructure, including by providing support to entities that own or operate national information infrastructure, at their request;
‘(2) conduct risk-based assessments of the Federal information infrastructure, and risk assessments of critical infrastructure;
‘(3) develop, oversee the implementation of, and enforce policies, principles, and guidelines on information security for the Federal information infrastructure, including exercise of the authorities under the Federal Information Security Management Act of 2002 (title III of Public Law 107-347; 116 Stat. 2946);
‘(4) evaluate and facilitate the adoption of technologies designed to enhance the protection of information infrastructure, including making such technologies available to entities that own or operate national information infrastructure, with or without reimbursement, as necessary to accomplish the purposes of this section;
‘(5) oversee the responsibilities related to national security and emergency preparedness communications infrastructure, including the functions of the Office of Emergency Communications and the National Communications System;
‘(6)(A) maintain comprehensive situational awareness of the security of the Federal information infrastructure and the national information infrastructure for the purpose of enabling and supporting activities under subparagraph (e)(1); and
‘(B) receive and distribute classified and unclassified information from and to entities that own or operate national information infrastructure to support efforts by such entities to secure such infrastructure and for enhancing overall situational awareness;
‘(7) serve as the focal point for, and foster collaboration between, the Federal Government, State and local governments, and private entities on matters relating to the security of the national information infrastructure;
‘(8) develop, in coordination with the Assistant Secretary for Infrastructure Protection, other Federal agencies, the private sector, and State and local governments a national incident response plan that details the roles of Federal agencies, State and local governments, and the private sector, and coordinate national cyber incident response efforts;
‘(9) consult, in coordination with the Secretary of State, with appropriate international partners to enhance the security of the Federal information infrastructure, national information infrastructure, and information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States;
‘(10) coordinate the activities undertaken by Federal agencies to--
‘(A) protect Federal information infrastructure and national information infrastructure; and
‘(B) prepare the Nation to respond to, recover from, and mitigate against risks of incidents involving such infrastructure; and
‘(11) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States.
‘(f) Use of Existing Mechanisms for Collaboration- To avoid unnecessary duplication or waste, in carrying out the authorities and responsibilities of the Center under this subtitle, to the maximum extent practicable, the Director of the Center shall make use of existing mechanisms for collaboration and information sharing, including mechanisms relating to the identification and communication of cybersecurity threats, vulnerabilities, and associated consequences, established by other components of the Department or other Federal agencies and the information sharing mechanisms established under title VII of the Cybersecurity Act of 2012.
‘(g) Deputy Directors-
‘(1) IN GENERAL- There shall be a Deputy Director appointed by the Secretary, who shall--
‘(A) have expertise in infrastructure protection; and
‘(B) ensure that the operations of the Center and the Office of Infrastructure Protection avoid duplication and use, to the maximum extent practicable, joint mechanisms for information sharing and coordination with the private sector.
‘(2) INTELLIGENCE COMMUNITY- The Director of National Intelligence, with the concurrence of the Secretary, shall identify an employee of an element of the intelligence community to serve as a Deputy Director of the Center. The employee shall be detailed to the Center on a reimbursable basis for such period as is agreed to by the Director of the Center and the Director of National Intelligence, and, while serving as Deputy Director, shall report directly to the Director of the Center.
‘(h) Cybersecurity Exercise Program- The Director of the Center shall develop and implement a national cybersecurity exercise program with the participation of State and local governments, international partners of the United States, and the private sector.
‘(i) Liaison Officers-
‘(1) REQUIRED DETAIL OF LIAISON OFFICERS- The Secretary of Defense, the Attorney General, the Secretary of Commerce, and the Director of National Intelligence shall assign personnel to the Center to act as full-time liaisons.
‘(2) OPTIONAL DETAIL OF LIAISON OFFICERS- The head of any Federal agency not described in paragraph (1), with the concurrence of the Director of the Center, may assign personnel to the Center to act as liaisons.
‘(3) PRIVATE SECTOR LIAISON- The Director of the Center shall designate not less than 1 employee of the Center to serve as a liaison with the private sector.
‘(j) Privacy Officer- The Director of the Center, in consultation with the Secretary, shall designate a full-time privacy officer.
‘(k) Sufficiency of Resources Plan-
‘(1) REPORT- Not later than 120 days after the date of enactment of the Cybersecurity Act of 2012, the Director of the Office of Management and Budget shall submit to the appropriate committees of Congress and the Comptroller General of the United States a report on the resources and staff necessary to carry out fully the responsibilities under this subtitle, including the availability of existing resources and staff.
‘(2) COMPTROLLER GENERAL REVIEW- The Comptroller General of the United States shall evaluate the reasonableness and adequacy of the report submitted by the Director of the Office of Management and Budget under paragraph (1) and submit to the appropriate committees of Congress a report regarding the same.
‘(l) No Right or Benefit- The provision of assistance or information under this section to governmental or private entities that own or operate critical infrastructure shall be at the discretion of the Secretary. The provision of certain assistance or information to a governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity.
‘SEC. 243. DEPARTMENT OF HOMELAND SECURITY INFORMATION SHARING.
‘(a) Information Sharing- The Director of the Center shall establish procedures to--
‘(1) ensure the appropriate, regular, and timely sharing of classified and unclassified cybersecurity information, including information relating to threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities that affect the Federal information infrastructure, national information infrastructure, or information systems between and among appropriate Federal and non-Federal entities, including Federal cybersecurity centers, Federal and non-Federal network and security operations centers, cybersecurity exchanges, and non-Federal entities responsible for such information systems;
‘(2) expand and enhance the sharing of timely and actionable cybersecurity threat and vulnerability information by the Federal Government with owners and operators of the national information infrastructure;
‘(3) establish a method of accessing classified or unclassified information, as appropriate and in accordance with applicable laws protecting trade secrets, that will provide situational awareness of the security of the Federal information infrastructure and the national information infrastructure relating to cybersecurity threats, and vulnerabilities, including traffic, trends, incidents, damage, and other anomalous activities affecting the Federal information infrastructure or the national information infrastructure;
‘(4) develop, in consultation with the Attorney General, the Director of National Intelligence, and the privacy officer established under section 242(j), guidelines to protect the privacy and civil liberties of United States persons and intelligence sources and methods, while carrying out this subsection; and
‘(5) ensure, to the extent necessary, that any information sharing under this section is consistent with title VII of the Cybersecurity Act of 2012.
‘(b) Voluntarily Shared Information-
‘(1) IN GENERAL- The Director of the Center shall ensure that information submitted in accordance with this section by States and units of local governments, private entities, and international partners of the United States regarding threats, vulnerabilities, incidents, and anomalous activities affecting the national information infrastructure, Federal information infrastructure, or information infrastructure that is owned, operated, controlled, or licensed solely for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community is treated as voluntarily shared critical infrastructure information under section 214 as requested by submitting entities.
‘(2) LIMITATION- Paragraph (1) shall not apply to information that is submitted to--
‘(A) conceal violations of law, inefficiency, or administrative error;
‘(B) prevent embarrassment to a person, organization, or agency; or
‘(C) interfere with competition in the private sector.
‘(c) Limitation on Use of Voluntarily Submitted Information for Regulatory Enforcement Actions- A Federal entity may not use information submitted under this subtitle as evidence in a regulatory enforcement action against the individual or entity that lawfully submitted the information.
‘(d) Federal Agencies-
‘(1) INFORMATION SHARING PROGRAM- The Director of the Center, in consultation with the members of the Chief Information Officers Council established under section 3603 of title 44, United States Code, shall establish a program for sharing information with and between the Center and other Federal agencies that includes processes and procedures--
‘(A) under which the Director of the Center regularly shares with each Federal agency analyses and reports regarding the security of such agency information infrastructure and on the overall security of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, which shall include means and methods of preventing, responding to, mitigating, and remediating cybersecurity threats and vulnerabilities; and
‘(B) under which Federal agencies provide the Director of the Center, upon request, with information concerning the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure necessary to carry out the duties of the Director of the Center under this subtitle or any other provision of law.
‘(2) ACCESS TO INFORMATION-
‘(A) IN GENERAL- The Director of the Center shall ensure--
‘(i) that the head of each Federal agency has timely access to data, including appropriate raw and processed data, regarding the information infrastructure of the Federal agency; and
‘(ii) to the greatest extent possible, that the head of each Federal agency is kept apprised of common trends in security compliance as well as the likelihood that a significant cybersecurity risk or incident could cause damage to the agency information infrastructure.
‘(B) COMPLIANCE- The head of a Federal agency shall comply with all processes and procedures established under this subsection regarding notification to the Director of the Center relating to incidents.
‘(C) IMMEDIATE NOTIFICATION REQUIRED- Unless otherwise directed by the President, any Federal agency with a national security system shall, consistent with the level of the risk, immediately notify the Director of the Center regarding any incident affecting the security of a national security system.
‘SEC. 244. PROHIBITED CONDUCT.
‘None of the authorities provided under this subtitle shall authorize the Director of the Center, the Center, the Department, or any other Federal entity to--CommentsClose CommentsPermalink
‘(1) compel the disclosure of information from a private entity relating to an incident unless otherwise authorized by law; orCommentsClose CommentsPermalink
‘(2) intercept a wire, oral, or electronic communication (as those terms are defined in
section 2510 of title 18, United States Code ), access a stored electronic or wire communication, install or use a pen register or trap and trace device, or conduct electronic surveillance (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.1801)) relating to an incident unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, or the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).’.CommentsClose CommentsPermalink(b) Technical and Conforming Amendment- The table of contents in section 1(b) of the Homeland Security Act of 2002 (
6 U.S.C. 101 et seq.) is amended by inserting after the item relating to section 237 the following:CommentsClose CommentsPermalink
‘Subtitle E--Cybersecurity
‘Sec. 241. Definitions.CommentsClose CommentsPermalink
‘Sec. 242. Consolidation of existing resources.CommentsClose CommentsPermalink
‘Sec. 243. Department of Homeland Security information sharing.CommentsClose CommentsPermalink
‘Sec. 244. Prohibited conduct.’.CommentsClose CommentsPermalink
TITLE III--RESEARCH AND DEVELOPMENT

SEC. 301. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) Fundamental Cybersecurity Research- The Director of the Office of Science and Technology Policy (referred to in this section as the ‘Director’), in coordination with the Secretary and the head of any relevant Federal agency, shall build upon programs and plans in effect as of the date of enactment of this Act to develop a national cybersecurity research and development plan, which shall be updated biennially.

(b) Requirements- The plan required to be developed under subsection (a) shall encourage computer and information science and engineering research to meet challenges in cybersecurity, including--

(1) how to design and build complex software-intensive systems that are secure and reliable when first deployed;

(2) how to test and verify that software, whether developed locally or obtained from a third party, is free of significant known security flaws;

(3) how to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality;

(4) how to guarantee the privacy of the identity, information, or lawful transactions of an individual when stored in distributed systems or transmitted over networks;

(5) how to build new protocols to enable the Internet to have robust security as one of the key capabilities of the Internet;

(6) how to determine the origin of a message transmitted over the Internet;

(7) how to support privacy in conjunction with improved security;

(8) how to address the growing problem of insider threat;

(9) how improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity;

(10) how to protect information stored through cloud computing or transmitted through wireless services;

(11) conducting research in the areas described in section 4(a)(1) of the Cyber Security Research and Development Act (

(12) any additional objectives the Director or Secretary determines appropriate.

(c) Cybersecurity Practices Research- The Director of the National Science Foundation shall support research--

(1) that develops, evaluates, disseminates, and integrates new cybersecurity practices and concepts into the core curriculum of computer science programs and of other programs where graduates of such programs have a substantial probability of developing software after graduation, including new practices and concepts relating to secure coding education and improvement programs; and

(2) that develops new models for professional development of faculty in cybersecurity education, including secure coding development.

(d) Cybersecurity Modeling and Test Beds-

(1) REVIEW- Not later than 1 year after the date of enactment of this Act, the Director shall conduct a review of cybersecurity test beds in existence on the date of enactment of this Act to inform the program established under paragraph (2).

(2) ESTABLISHMENT OF PROGRAM-

(A) IN GENERAL- The Director of the National Science Foundation, the Secretary, and the Secretary of Commerce shall establish a program for the appropriate Federal agencies to award grants to institutions of higher education or research and development non-profit institutions to establish cybersecurity test beds capable of realistic modeling of real-time cyber attacks and defenses.

(B) REQUIREMENT- The test beds established under subparagraph (A) shall be sufficiently large in order to model the scale and complexity of real world networks and environments.

(3) PURPOSE- The purpose of the program established under paragraph (2) shall be to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real-world environment.

(e) Coordination With Other Research Initiatives- The Director shall, to the extent practicable, coordinate research and development activities under this section with other ongoing research and development security-related initiatives, including research being conducted by--

(1) the National Institute of Standards and Technology;

(2) the Department;

(3) other Federal agencies;

(4) other Federal and private research laboratories, research entities, and universities and institutions of higher education, and relevant nonprofit organizations; and

(5) international partners of the United States.

(f) NSF Computer and Network Security Research Grant Areas- Section 4(a)(1) of the Cyber Security Research and Development Act (

(1) in subparagraph (H), by striking ‘and’ at the end;

(2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and

(3) by adding at the end the following:

‘(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange;
‘(K) secure software engineering and software assurance, including--
‘(i) programming languages and systems that include fundamental security features;
‘(ii) portable or reusable code that remains secure when deployed in various environments;
‘(iii) verification and validation technologies to ensure that requirements and specifications have been implemented; and
‘(iv) models for comparison and metrics to assure that required standards have been met;
‘(L) holistic system security that--
‘(i) addresses the building of secure systems from trusted and untrusted components;
‘(ii) proactively reduces vulnerabilities;
‘(iii) addresses insider threats; and
‘(iv) supports privacy in conjunction with improved security;
‘(M) monitoring and detection;
‘(N) mitigation and rapid recovery methods;
‘(O) security of wireless networks and mobile devices; and
‘(P) security of cloud infrastructure and services.’.
(g) Cybersecurity Faculty Development Traineeship Program- Section 5(e)(9) of the Cyber Security Research and Development Act (

(h) Networking and Information Technology Research and Development Program- Section 204(a)(1) of the High-Performance Computing Act of 1991 (

(1) in subparagraph (B), by striking ‘and’ at the end; and

(2) by adding at the end the following:

‘(D) develop and propose standards and guidelines, and develop measurement techniques and test methods, for enhanced cybersecurity for computer networks and common user interfaces to systems; and’.
SEC. 302. HOMELAND SECURITY CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) In General- Subtitle D of title II of the Homeland Security Act of 2002 (

‘SEC. 238. CYBERSECURITY RESEARCH AND DEVELOPMENT.
‘(a) Establishment of Research and Development Program- The Under Secretary for Science and Technology, in coordination with the Director of the National Center for Cybersecurity and Communications, shall carry out a research and development program for the purpose of improving the security of information infrastructure.
‘(b) Eligible Projects- The research and development program carried out under subsection (a) may include projects to--
‘(1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the secure domain name addressing system and routing security;
‘(2) improve and create technologies for detecting and analyzing attacks or intrusions, including analysis of malicious software;
‘(3) improve and create mitigation and recovery methodologies, including techniques for containment of attacks and development of resilient networks and systems;
‘(4) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, test beds, and data sets for assessment of new cybersecurity technologies;
‘(5) assist the development and support of technologies to reduce vulnerabilities in process control systems;
‘(6) understand human behavioral factors that can affect cybersecurity technology and practices;
‘(7) test, evaluate, and facilitate, with appropriate protections for any proprietary information concerning the technologies, the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle;
‘(8) assist the development of identity management and attribution technologies;
‘(9) assist the development of technologies designed to increase the security and resiliency of telecommunications networks;
‘(10) advance the protection of privacy and civil liberties in cybersecurity technology and practices; and
‘(11) address other risks identified by the Director of the National Center for Cybersecurity and Communications.
‘(c) Coordination With Other Research Initiatives- The Under Secretary for Science and Technology--
‘(1) shall ensure that the research and development program carried out under subsection (a) is consistent with any strategy to increase the security and resilience of cyberspace;
‘(2) shall, to the extent practicable, coordinate the research and development activities of the Department with other ongoing research and development security-related initiatives, including research being conducted by--
‘(A) the National Institute of Standards and Technology;
‘(B) the National Science Foundation;
‘(C) the National Academy of Sciences;
‘(D) other Federal agencies;
‘(E) other Federal and private research laboratories, research entities, and universities and institutions of higher education, and relevant nonprofit organizations; and
‘(F) international partners of the United States;
‘(3) shall carry out any research and development project under subsection (a) through a reimbursable agreement with an appropriate Federal agency, if the Federal agency--
‘(A) is sponsoring a research and development project in a similar area; or
‘(B) has a unique facility or capability that would be useful in carrying out the project;
‘(4) may make grants to, or enter into cooperative agreements, contracts, other transactions, or reimbursable agreements with, the entities described in paragraph (2); and
‘(5) shall submit a report to the appropriate committees of Congress on a review of the cybersecurity activities, and the capacity, of the national laboratories and other research entities available to the Department to determine if the establishment of a national laboratory dedicated to cybersecurity research and development is necessary.’.
(b) Technical and Conforming Amendment- The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.), as amended by section 204, is amended by inserting after the item relating to section 237 the following:
‘Sec. 238. Cybersecurity research and development.’.
SEC. 303. RESEARCH CENTERS FOR CYBERSECURITY.
(a) Establishment- Not later than 1 year after the date of enactment of this Act, the Director of the National Science Foundation, in coordination with the Secretary, shall establish cybersecurity research centers based at institutions of higher education and other entities that meet the criteria described in subsection (b) to develop solutions and strategies that support the efforts of the Federal government under this Act in--

(1) improving the security and resilience of information infrastructure;

(2) reducing cyber vulnerabilities; and

(3) mitigating the consequences of cyber attacks on critical infrastructure.

(b) Criteria for Selection- In selecting an institution of higher education or other entity to serve as a Research Center for Cybersecurity, the Director of the National Science Foundation shall consider--

(1) demonstrated expertise in systems security, wireless security, networking and protocols, formal methods and high-performance computing, nanotechnology, and industrial control systems;

(2) demonstrated capability to conduct high performance computation integral to complex cybersecurity research, whether through on-site or off-site computing;

(3) demonstrated expertise in interdisciplinary cybersecurity research;

(4) affiliation with private sector entities involved with industrial research described in paragraph (1) and ready access to testable commercial data;

(5) prior formal research collaboration arrangements with institutions of higher education and Federal research laboratories;

(6) capability to conduct research in a secure environment; and

(7) affiliation with existing research programs of the Federal Government.

SEC. 304. CENTERS OF EXCELLENCE.
The Secretary and the Secretary of Defense may jointly establish academic and professional Centers of Excellence in cybersecurity for the protection of critical infrastructure in conjunction with international academic and professional partners from countries that may include allies of the United States, as determined to be appropriate under title XIX of the Implementing Recommendations of the 9/11 Commission Act of 2007 (

TITLE IV--EDUCATION, WORKFORCE, AND AWARENESS

SEC. 401. DEFINITIONS.
In this title:

(1) CYBERSECURITY MISSION- The term ‘cybersecurity mission’ means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace.

(2) CYBERSECURITY MISSION OF A FEDERAL AGENCY- The term ‘cybersecurity mission of a Federal agency’ means the portion of a cybersecurity mission that is the responsibility of a Federal agency.

SEC. 402. EDUCATION AND AWARENESS.
(a) Assessment of Cybersecurity Education in Colleges and Universities-

(1) REPORT- Not later than 1 year after the date of enactment of this Act, the Director of the National Science Foundation shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives a report on the state of cybersecurity education in institutions of higher education in the United States.

(2) CONTENTS OF REPORT- The report required under paragraph (1) shall include baseline data on--

(A) the state of cybersecurity education in the United States;

(B) the extent of professional development opportunities for faculty in cybersecurity principles and practices;

(C) descriptions of the content of cybersecurity courses in undergraduate computer science curriculum;

(D) the extent of the partnerships and collaborative cybersecurity curriculum development activities that leverage industry and government needs, resources, and tools; and

(E) proposed metrics to assess progress toward improving cybersecurity education.

(b) Enrichment Programs- The Director of the National Science Foundation shall--

(1) encourage and support programming, including summer enrichment programs, to be provided by nonprofit organizations, in math, computer programming, science, technology, and engineering, with a goal of increasing cybersecurity skills in students enrolled in kindergarten through grade 12; and

(2) when appropriate, provide opportunities for top-achieving students to participate in the programs described in paragraph (1) at no cost.

(c) National Education and Awareness Campaign- The Secretary, in consultation with appropriate Federal agencies, shall develop and implement outreach and awareness programs on cybersecurity, including--

(1) in consultation with the Director of the National Institute of Standards and Technology--

(A) a public education campaign to increase the awareness of cybersecurity, cyber safety, and cyber ethics, which shall include the use of the Internet, social media, entertainment, and other media to reach the public; and

(B) an education campaign to increase the understanding of State and local governments and private sector entities of the benefits of ensuring effective risk management of the information infrastructure versus the costs of failure to do so and methods to mitigate and remediate vulnerabilities;

(2) in coordination with the Secretary of Commerce, development of a program to publicly recognize or identify products, services, and companies, including owners and operators, that meet the highest standards of cybersecurity; and

(3) in accordance with subsection (d), a program for carrying out collaborative education and training activities for cybersecurity through a consortium or other appropriate entity.

(d) Collaborative Education and Training-

(1) IN GENERAL- The consortium or other entity established under subsection (c)(3) shall--

(A) provide training to State and local first responders and officials specifically for preparing and responding to cyber attacks;

(B) develop and update a curriculum and training models for State and local first responders and officials;

(C) provide technical assistance services to build and sustain capabilities in support of cybersecurity preparedness and response; and

(D) conduct cybersecurity training and simulation exercises to defend from and respond to cyber attacks.

(2) MEMBERS- The consortium or other entity established under subsection (c)(3) shall consist of academic, nonprofit, Federal Government, and State and local government partners that develop, update, and deliver cybersecurity training in support of homeland security.

(e) Considerations- In carrying out the authority described in subsection (c), the Secretary of Commerce, the Secretary, and the Director of the National Institute of Standards and Technology shall leverage existing programs designed to inform the public of safety and security of products or services, including self-certifications and independently-verified assessments regarding the quantification and valuation of information security risk.

SEC. 403. NATIONAL CYBERSECURITY COMPETITION AND CHALLENGE.
(a) Talent Competition and Challenge-

(1) IN GENERAL- The Secretary and the Secretary of Commerce shall establish a program to conduct competitions and challenges and ensure the effective operation of national and statewide competitions and challenges that seek to identify, develop, and recruit talented individuals to work in Federal agencies, State and local government agencies, and the private sector to perform duties relating to the security of the Federal information infrastructure or the national information infrastructure.

(2) PARTICIPATION- Participants in the competitions and challenges of the program established under paragraph (1) shall include--

(A) students enrolled in grades 9 through 12;

(B) students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;

(C) students enrolled in a postbaccalaureate program of study at an institution of higher education;

(D) institutions of higher education and research institutions;

(E) veterans; and

(F) other groups or individuals as the Secretary and the Secretary of Commerce determine appropriate.

(3) SUPPORT OF OTHER COMPETITIONS AND CHALLENGES- The program established under paragraph (1) may support other competitions and challenges not established under this subsection through affiliation and cooperative agreements with--

(A) Federal agencies;

(B) regional, State, or school programs supporting the development of cyber professionals;

(C) State, local, and tribal governments; or

(D) other private sector organizations.

(4) AREAS OF TALENT- The program established under paragraph (1) shall seek to identify, develop, and recruit exceptional talent relating to--

(A) ethical hacking;

(B) penetration testing;

(C) vulnerability assessment;

(D) continuity of system operations;

(E) cyber forensics;

(F) offensive and defensive cyber operations; and

(G) other areas to fulfill the cybersecurity mission as the Secretary determines appropriate.

(5) INTERNSHIPS- The Director of the Office of Personnel Management shall establish, in coordination with the Director of the National Center for Cybersecurity and Communications, a program to provide, where appropriate, internships or other work experience in the Federal government to the winners of the competitions and challenges.

(b) National Research and Development Competition and Challenge-

(1) IN GENERAL- The Director of the National Science Foundation, in consultation with appropriate Federal agencies, shall establish a program of cybersecurity competitions and challenges to stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that has the potential for application to the information technology activities of the Federal Government.

(2) PARTICIPATION- Participants in the competitions and challenges of the program established under paragraph (1) shall include--

(A) students enrolled in grades 9 through 12;

(B) students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;

(C) students enrolled in a postbaccalaureate program of study at an institution of higher education;

(D) institutions of higher education and research institutions;

(E) veterans; and

(F) other groups or individuals as the Director of the National Science Foundation determines appropriate.

(3) TOPICS- In selecting topics for competitions and challenges held as part of the program established under paragraph (1), the Director--

(A) shall consult widely both within and outside the Federal Government; and

(B) may empanel advisory committees.

(4) INTERNSHIPS- The Director of the Office of Personnel Management shall establish, in coordination with the Director of the National Science Foundation, a program to provide, where appropriate, internships or other work experience in the Federal government to the winners of the competitions and challenges held as part of the program established under paragraph (1).

SEC. 404. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General- The Director of the National Science Foundation, in coordination with the Secretary, shall establish a Federal Cyber Scholarship-for-Service program to recruit and train the next generation of information technology professionals, industrial control system security professionals, and security managers to meet the needs of the cybersecurity mission for the Federal Government and State, local, and tribal governments.

(b) Program Description and Components- The program established under subsection (a) shall--

(1) incorporate findings from the assessment and development of the strategy under section 405;

(2) provide not more than 1,000 scholarships per year, to students who are enrolled in a program of study at an institution of higher education leading to a degree or specialized program certification in the cybersecurity field, in an amount that covers each student’s tuition and fees at the institution and provides the student with an additional stipend;

(3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to enter into an agreement under which the recipient agrees to work in the cybersecurity mission of a Federal, State, local, or tribal agency for a period equal to the length of the scholarship following receipt of the student’s degree if offered employment in that field by a Federal, State, local, or tribal agency;

(4) provide a procedure by which the National Science Foundation or a Federal agency may, consistent with regulations of the Office of Personnel Management, request and fund security clearances for scholarship recipients, including providing for clearances during summer internships and after the recipient receives the degree; and
