[House Report 114-83]
[From the U.S. Government Publishing Office]
114th Congress } { Report
HOUSE OF REPRESENTATIVES
1st Session } { 114-83
======================================================================
NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015
_______
April 17, 2015.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. McCaul, from the Committee on Homeland Security, submitted the
following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany H.R. 1731]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 1731) to amend the Homeland Security Act of 2002
to enhance multi-directional sharing of information related to
cybersecurity risks and strengthen privacy and civil liberties
protections, and for other purposes, having considered the
same, report favorably thereon with an amendment and recommend
that the bill as amended do pass.
CONTENTS
Page
Purpose and Summary.............................................. 15
Background and Need for Legislation.............................. 15
Hearings......................................................... 17
Committee Consideration.......................................... 18
Committee Votes.................................................. 21
Committee Oversight Findings..................................... 23
New Budget Authority, Entitlement Authority, and Tax Expenditures 23
Congressional Budget Office Estimate............................. 23
Statement of General Performance Goals and Objectives............ 25
Duplicative Federal Programs..................................... 25
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits....................................................... 25
Federal Mandates Statement....................................... 25
Preemption Clarification......................................... 25
Disclosure of Directed Rule Makings.............................. 26
Advisory Committee Statement..................................... 26
Applicability to Legislative Branch.............................. 26
Section-by-Section Analysis of the Legislation................... 26
Changes in Existing Law Made by the Bill, as Reported............ 36
Additional Views................................................. 61
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Cybersecurity Protection
Advancement Act of 2015''.
SEC. 2. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
(a) Definitions.--
(1) In general.--Subsection (a) of the second section 226 of
the Homeland Security Act of 2002 (6 U.S.C. 148; relating to
the National Cybersecurity and Communications Integration
Center) is amended--
(A) in paragraph (3), by striking ``and'' at the end;
(B) in paragraph (4), by striking the period at the
end and inserting ``; and''; and
(C) by adding at the end the following new
paragraphs:
``(5) the term `cyber threat indicator' means technical
information that is necessary to describe or identify--
``(A) a method for probing, monitoring, maintaining,
or establishing network awareness of an information
system for the purpose of discerning technical
vulnerabilities of such information system, if such
method is known or reasonably suspected of being
associated with a known or suspected cybersecurity
risk, including communications that reasonably appear
to be transmitted for the purpose of gathering
technical information related to a cybersecurity risk;
``(B) a method for defeating a technical or security
control of an information system;
``(C) a technical vulnerability, including anomalous
technical behavior that may become a vulnerability;
``(D) a method of causing a user with legitimate
access to an information system or information that is
stored on, processed by, or transiting an information
system to inadvertently enable the defeat of a
technical or operational control;
``(E) a method for unauthorized remote identification
of, access to, or use of an information system or
information that is stored on, processed by, or
transiting an information system that is known or
reasonably suspected of being associated with a known
or suspected cybersecurity risk;
``(F) the actual or potential harm caused by a
cybersecurity risk, including a description of the
information exfiltrated as a result of a particular
cybersecurity risk;
``(G) any other attribute of a cybersecurity risk
that cannot be used to identify specific persons
reasonably believed to be unrelated to such
cybersecurity risk, if disclosure of such attribute is
not otherwise prohibited by law; or
``(H) any combination of subparagraphs (A) through
(G);
``(6) the term `cybersecurity purpose' means the purpose of
protecting an information system or information that is stored
on, processed by, or transiting an information system from a
cybersecurity risk or incident;
``(7)(A) except as provided in subparagraph (B), the term
`defensive measure' means an action, device, procedure,
signature, technique, or other measure applied to an
information system or information that is stored on, processed
by, or transiting an information system that detects, prevents,
or mitigates a known or suspected cybersecurity risk or
incident, or any attribute of hardware, software, process, or
procedure that could enable or facilitate the defeat of a
security control;
``(B) such term does not include a measure that destroys,
renders unusable, or substantially harms an information system
or data on an information system not belonging to--
``(i) the non-Federal entity, not including a State,
local, or tribal government, operating such measure; or
``(ii) another Federal entity or non-Federal entity
that is authorized to provide consent and has provided
such consent to the non-Federal entity referred to in
clause (i);
``(8) the term `network awareness' means to scan, identify,
acquire, monitor, log, or analyze information that is stored
on, processed by, or transiting an information system;
``(9)(A) the term `private entity' means a non-Federal entity
that is an individual or private group, organization,
proprietorship, partnership, trust, cooperative, corporation,
or other commercial or non-profit entity, including an officer,
employee, or agent thereof;
``(B) such term includes a component of a State, local, or
tribal government performing electric utility services;
``(10) the term `security control' means the management,
operational, and technical controls used to protect against an
unauthorized effort to adversely affect the confidentially,
integrity, or availability of an information system or
information that is stored on, processed by, or transiting an
information system; and
``(11) the term `sharing' means providing, receiving, and
disseminating.''.
(b) Amendment.--Subparagraph (B) of subsection (d)(1) of such second
section 226 of the Homeland Security Act of 2002 is amended--
(1) in clause (i), by striking ``and local'' and inserting
``, local, and tribal'';
(2) in clause (ii)--
(A) by inserting ``, including information sharing
and analysis centers'' before the semicolon; and
(B) by striking ``and'' at the end;
(3) in clause (iii), by striking the period at the end and
inserting ``; and''; and
(4) by adding at the end the following new clause:
``(iv) private entities.''.
SEC. 3. INFORMATION SHARING STRUCTURE AND PROCESSES.
The second section 226 of the Homeland Security Act of 2002 (6 U.S.C.
148; relating to the National Cybersecurity and Communications
Integration Center) is amended--
(1) in subsection (c)--
(A) in paragraph (1)--
(i) by striking ``a Federal civilian
interface'' and inserting ``the lead Federal
civilian interface''; and
(ii) by striking ``cybersecurity risks,'' and
inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,'';
(B) in paragraph (3), by striking ``cybersecurity
risks'' and inserting ``cyber threat indicators,
defensive measures, cybersecurity risks,'';
(C) in paragraph (5)(A), by striking ``cybersecurity
risks'' and inserting ``cyber threat indicators,
defensive measures, cybersecurity risks,'';
(D) in paragraph (6)--
(i) by striking ``cybersecurity risks'' and
inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,''; and
(ii) by striking ``and'' at the end;
(E) in paragraph (7)--
(i) in subparagraph (A), by striking ``and''
at the end;
(ii) in subparagraph (B), by striking the
period at the end and inserting ``; and''; and
(iii) by adding at the end the following new
subparagraph:
``(C) sharing cyber threat indicators and defensive
measures;''; and
(F) by adding at the end the following new paragraphs
``(8) engaging with international partners, in consultation
with other appropriate agencies, to--
``(A) collaborate on cyber threat indicators,
defensive measures, and information related to
cybersecurity risks and incidents; and
``(B) enhance the security and resilience of global
cybersecurity;
``(9) sharing cyber threat indicators, defensive measures,
and other information related to cybersecurity risks and
incidents with Federal and non-Federal entities, including
across sectors of critical infrastructure and with State and
major urban area fusion centers, as appropriate;
``(10) promptly notifying the Secretary and the Committee on
Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of the
Senate of any significant violations of the policies and
procedures specified in subsection (i)(6)(A);
``(11) promptly notifying non-Federal entities that have
shared cyber threat indicators or defensive measures that are
known or determined to be in error or in contravention of the
requirements of this section; and
``(12) participating, as appropriate, in exercises run by the
Department's National Exercise Program.'';
(2) in subsection (d)--
(A) in subparagraph (D), by striking ``and'' at the
end;
(B) by redesignating subparagraph (E) as subparagraph
(J); and
(C) by inserting after subparagraph (D) the following
new subparagraphs:
``(E) an entity that collaborates with State and
local governments on cybersecurity risks and incidents,
and has entered into a voluntary information sharing
relationship with the Center;
``(F) a United States Computer Emergency Readiness
Team that coordinates information related to
cybersecurity risks and incidents, proactively and
collaboratively addresses cybersecurity risks and
incidents to the United States, collaboratively
responds to cybersecurity risks and incidents, provides
technical assistance, upon request, to information
system owners and operators, and shares cyber threat
indicators, defensive measures, analysis, or
information related to cybersecurity risks and
incidents in a timely manner;
``(G) the Industrial Control System Cyber Emergency
Response Team that--
``(i) coordinates with industrial control
systems owners and operators;
``(ii) provides training, upon request, to
Federal entities and non-Federal entities on
industrial control systems cybersecurity;
``(iii) collaboratively addresses
cybersecurity risks and incidents to industrial
control systems;
``(iv) provides technical assistance, upon
request, to Federal entities and non-Federal
entities relating to industrial control systems
cybersecurity; and
``(v) shares cyber threat indicators,
defensive measures, or information related to
cybersecurity risks and incidents of industrial
control systems in a timely fashion;
``(H) a National Coordinating Center for
Communications that coordinates the protection,
response, and recovery of emergency communications;
``(I) an entity that coordinates with small and
medium-sized businesses; and'';
(3) in subsection (e)--
(A) in paragraph (1)--
(i) in subparagraph (A), by inserting ``cyber
threat indicators, defensive measures, and''
before ``information'';
(ii) in subparagraph (B), by inserting
``cyber threat indicators, defensive measures,
and'' before ``information'';
(iii) in subparagraph (F), by striking
``cybersecurity risks'' and inserting ``cyber
threat indicators, defensive measures,
cybersecurity risks,'';
(iv) in subparagraph (F), by striking ``and''
at the end;
(v) in subparagraph (G), by striking
``cybersecurity risks'' and inserting ``cyber
threat indicators, defensive measures,
cybersecurity risks,''; and
(vi) by adding at the end the following:
``(H) the Center ensures that it shares information
relating to cybersecurity risks and incidents with
small and medium-sized businesses, as appropriate; and
``(I) the Center designates an agency contact for
non-Federal entities;'';
(B) in paragraph (2)--
(i) by striking ``cybersecurity risks'' and
inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,''; and
(ii) by inserting ``or disclosure'' before
the semicolon at the end; and
(C) in paragraph (3), by inserting before the period
at the end the following: ``, including by working with
the Chief Privacy Officer appointed under section 222
to ensure that the Center follows the policies and
procedures specified in subsection (i)(6)(A)''; and
(4) by adding at the end the following new subsections:
``(g) Rapid Automated Sharing.--
``(1) In general.--The Under Secretary for Cybersecurity and
Infrastructure Protection, in coordination with industry and
other stakeholders, shall develop capabilities making use of
existing information technology industry standards and best
practices, as appropriate, that support and rapidly advance the
development, adoption, and implementation of automated
mechanisms for the timely sharing of cyber threat indicators
and defensive measures to and from the Center and with each
Federal agency designated as the `Sector Specific Agency' for
each critical infrastructure sector in accordance with
subsection (h).
``(2) Biannual report.--The Under Secretary for Cybersecurity
and Infrastructure Protection shall submit to the Committee on
Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of the
Senate a biannual report on the status and progress of the
development of the capability described in paragraph (1). Such
reports shall be required until such capability is fully
implemented.
``(h) Sector Specific Agencies.--The Secretary, in collaboration with
the relevant critical infrastructure sector and the heads of other
appropriate Federal agencies, shall recognize the Federal agency
designated as of March 25, 2015, as the `Sector Specific Agency' for
each critical infrastructure sector designated in the Department's
National Infrastructure Protection Plan. If the designated Sector
Specific Agency for a particular critical infrastructure sector is the
Department, for purposes of this section, the Secretary is deemed to be
the head of such Sector Specific Agency and shall carry out this
section. The Secretary, in coordination with the heads of each such
Sector Specific Agency, shall--
``(1) support the security and resilience actives of the
relevant critical infrastructure sector in accordance with this
section;
``(2) provide institutional knowledge, specialized expertise,
and technical assistance upon request to the relevant critical
infrastructure sector; and
``(3) support the timely sharing of cyber threat indicators
and defensive measures with the relevant critical
infrastructure sector with the Center in accordance with this
section.
``(i) Voluntary Information Sharing Procedures.--
``(1) Procedures.--
``(A) In general.--The Center may enter into a
voluntary information sharing relationship with any
consenting non-Federal entity for the sharing of cyber
threat indicators and defensive measures for
cybersecurity purposes in accordance with this section.
Nothing in this section may be construed to require any
non-Federal entity to enter into any such information
sharing relationship with the Center or any other
entity. The Center may terminate a voluntary
information sharing relationship under this subsection
if the Center determines that the non-Federal entity
with which the Center has entered into such a
relationship has, after repeated notice, repeatedly
violated the terms of this subsection.
``(B) National security.--The Secretary may decline
to enter into a voluntary information sharing
relationship under this subsection if the Secretary
determines that such is appropriate for national
security.
``(2) Voluntary information sharing relationships.--A
voluntary information sharing relationship under this
subsection may be characterized as an agreement described in
this paragraph.
``(A) Standard agreement.--For the use of a non-
Federal entity, the Center shall make available a
standard agreement, consistent with this section, on
the Department's website.
``(B) Negotiated agreement.--At the request of a non-
Federal entity, and if determined appropriate by the
Center, the Department shall negotiate a non-standard
agreement, consistent with this section.
``(C) Existing agreements.--An agreement between the
Center and a non-Federal entity that is entered into
before the date of the enactment of this section, or
such an agreement that is in effect before such date,
shall be deemed in compliance with the requirements of
this subsection, notwithstanding any other provision or
requirement of this subsection. An agreement under this
subsection shall include the relevant privacy
protections as in effect under the Cooperative Research
and Development Agreement for Cybersecurity Information
Sharing and Collaboration, as of December 31, 2014.
Nothing in this subsection may be construed to require
a non-Federal entity to enter into either a standard or
negotiated agreement to be in compliance with this
subsection.
``(3) Information sharing authorization.--
``(A) In general.--Except as provided in subparagraph
(B), and notwithstanding any other provision of law, a
non-Federal entity may, for cybersecurity purposes,
share cyber threat indicators or defensive measures
obtained on its own information system, or on an
information system of another Federal entity or non-
Federal entity, upon written consent of such other
Federal entity or non-Federal entity or an authorized
representative of such other Federal entity or non-
Federal entity in accordance with this section with--
``(i) another non-Federal entity; or
``(ii) the Center, as provided in this
section.
``(B) Lawful restriction.--A non-Federal entity
receiving a cyber threat indicator or defensive measure
from another Federal entity or non-Federal entity shall
comply with otherwise lawful restrictions placed on the
sharing or use of such cyber threat indicator or
defensive measure by the sharing Federal entity or non-
Federal entity.
``(C) Removal of information unrelated to
cybersecurity risks or incidents.--Federal entities and
non-Federal entities shall, prior to such sharing, take
reasonable efforts to remove information that can be
used to identify specific persons and is reasonably
believed at the time of sharing to be unrelated to a
cybersecurity risks or incident and to safeguard
information that can be used to identify specific
persons from unintended disclosure or unauthorized
access or acquisition.
``(D) Rule of construction.--Nothing in this
paragraph may be construed to--
``(i) limit or modify an existing information
sharing relationship;
``(ii) prohibit a new information sharing
relationship;
``(iii) require a new information sharing
relationship between any non-Federal entity and
a Federal entity;
``(iv) limit otherwise lawful activity; or
``(v) in any manner impact or modify
procedures in existence as of the date of the
enactment of this section for reporting known
or suspected criminal activity to appropriate
law enforcement authorities or for
participating voluntarily or under legal
requirement in an investigation.
``(E) Coordinated vulnerability disclosure.--The
Under Secretary for Cybersecurity and Infrastructure
Protection, in coordination with industry and other
stakeholders, shall develop, publish, and adhere to
policies and procedures for coordinating vulnerability
disclosures, to the extent practicable, consistent with
international standards in the information technology
industry.
``(4) Network awareness authorization.--
``(A) In general.--Notwithstanding any other
provision of law, a non-Federal entity, not including a
State, local, or tribal government, may, for
cybersecurity purposes, conduct network awareness of--
``(i) an information system of such non-
Federal entity to protect the rights or
property of such non-Federal entity;
``(ii) an information system of another non-
Federal entity, upon written consent of such
other non-Federal entity for conducting such
network awareness to protect the rights or
property of such other non-Federal entity;
``(iii) an information system of a Federal
entity, upon written consent of an authorized
representative of such Federal entity for
conducting such network awareness to protect
the rights or property of such Federal entity;
or
``(iv) information that is stored on,
processed by, or transiting an information
system described in this subparagraph.
``(B) Rule of construction.--Nothing in this
paragraph may be construed to--
``(i) authorize conducting network awareness
of an information system, or the use of any
information obtained through such conducting of
network awareness, other than as provided in
this section; or
``(ii) limit otherwise lawful activity.
``(5) Defensive measure authorization.--
``(A) In general.--Except as provided in subparagraph
(B) and notwithstanding any other provision of law, a
non-Federal entity, not including a State, local, or
tribal government, may, for cybersecurity purposes,
operate a defensive measure that is applied to--
``(i) an information system of such non-
Federal entity to protect the rights or
property of such non-Federal entity;
``(ii) an information system of another non-
Federal entity upon written consent of such
other non-Federal entity for operation of such
defensive measure to protect the rights or
property of such other non-Federal entity;
``(iii) an information system of a Federal
entity upon written consent of an authorized
representative of such Federal entity for
operation of such defensive measure to protect
the rights or property of such Federal entity;
or
``(iv) information that is stored on,
processed by, or transiting an information
system described in this subparagraph.
``(B) Rule of construction.--Nothing in this
paragraph may be construed to--
``(i) authorize the use of a defensive
measure other than as provided in this section;
or
``(ii) limit otherwise lawful activity.
``(6) Privacy and civil liberties protections.--
``(A) Policies and procedures.--
``(i) In general.--The Under Secretary for
Cybersecurity and Infrastructure Protection
shall, in coordination with the Chief Privacy
Officer and the Chief Civil Rights and Civil
Liberties Officer of the Department, establish
and annually review policies and procedures
governing the receipt, retention, use, and
disclosure of cyber threat indicators,
defensive measures, and information related to
cybersecurity risks and incidents shared with
the Center in accordance with this section.
Such policies and procedures shall apply only
to the Department, consistent with the need to
protect information systems from cybersecurity
risks and incidents and mitigate cybersecurity
risks and incidents in a timely manner, and
shall--
``(I) be consistent with the
Department's Fair Information Practice
Principles developed pursuant to
section 552a of title 5, United States
Code (commonly referred to as the
`Privacy Act of 1974' or the `Privacy
Act'), and subject to the Secretary's
authority under subsection (a)(2) of
section 222 of this Act;
``(II) reasonably limit, to the
greatest extent practicable, the
receipt, retention, use, and disclosure
of cyber threat indicators and
defensive measures associated with
specific persons that is not necessary,
for cybersecurity purposes, to protect
a network or information system from
cybersecurity risks or mitigate
cybersecurity risks and incidents in a
timely manner;
``(III) minimize any impact on
privacy and civil liberties;
``(IV) provide data integrity through
the prompt removal and destruction of
obsolete or erroneous names and
personal information that is unrelated
to the cybersecurity risk or incident
information shared and retained by the
Center in accordance with this section;
``(V) include requirements to
safeguard cyber threat indicators and
defensive measures retained by the
Center, including information that is
proprietary or business-sensitive that
may be used to identify specific
persons from unauthorized access or
acquisition;
``(VI) protect the confidentiality of
cyber threat indicators and defensive
measures associated with specific
persons to the greatest extent
practicable; and
``(VII) ensure all relevant
constitutional, legal, and privacy
protections are observed.
``(ii) Submission to congress.--Not later
than 180 days after the date of the enactment
of this section and annually thereafter, the
Chief Privacy Officer and the Officer for Civil
Rights and Civil Liberties of the Department,
in consultation with the Privacy and Civil
Liberties Oversight Board (established pursuant
to section 1061 of the Intelligence Reform and
Terrorism Prevention Act of 2004 (42 U.S.C.
2000ee)), shall submit to the Committee on
Homeland Security of the House of
Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate
the policies and procedures governing the
sharing of cyber threat indicators, defensive
measures, and information related to
cybsersecurity risks and incidents described in
clause (i) of subparagraph (A).
``(iii) Public notice and access.--The Under
Secretary for Cybersecurity and Infrastructure
Protection, in consultation with the Chief
Privacy Officer and the Chief Civil Rights and
Civil Liberties Officer of the Department, and
the Privacy and Civil Liberties Oversight Board
(established pursuant to section 1061 of the
Intelligence Reform and Terrorism Prevention
Act of 2004 (42 U.S.C. 2000ee)), shall ensure
there is public notice of, and access to, the
policies and procedures governing the sharing
of cyber threat indicators, defensive measures,
and information related to cybersecurity risks
and incidents.
``(iv) Consultation.--The Under Secretary for
Cybersecurity and Infrastructure Protection
when establishing policies and procedures to
support privacy and civil liberties may consult
with the National Institute of Standards and
Technology.
``(B) Implementation.--The Chief Privacy Officer of
the Department, on an ongoing basis, shall--
``(i) monitor the implementation of the
policies and procedures governing the sharing
of cyber threat indicators and defensive
measures established pursuant to clause (i) of
subparagraph (A);
``(ii) regularly review and update privacy
impact assessments, as appropriate, to ensure
all relevant constitutional, legal, and privacy
protections are being followed;
``(iii) work with the Under Secretary for
Cybersecurity and Infrastructure Protection to
carry out paragraphs (10) and (11) of
subsection (c);
``(iv) annually submit to the Committee on
Homeland Security of the House of
Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate
a report that contains a review of the
effectiveness of such policies and procedures
to protect privacy and civil liberties; and
``(v) ensure there are appropriate sanctions
in place for officers, employees, or agents of
the Department who intentionally or willfully
conduct activities under this section in an
unauthorized manner.
``(C) Inspector general report.--The Inspector
General of the Department, in consultation with the
Privacy and Civil Liberties Oversight Board and the
Inspector General of each Federal agency that receives
cyber threat indicators or defensive measures shared
with the Center under this section, shall, not later
than two years after the date of the enactment of this
subsection and periodically thereafter submit to the
Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security
and Governmental Affairs of the Senate a report
containing a review of the use of cybersecurity risk
information shared with the Center, including the
following:
``(i) A report on the receipt, use, and
dissemination of cyber threat indicators and
defensive measures that have been shared with
Federal entities under this section.
``(ii) Information on the use by the Center
of such information for a purpose other than a
cybersecurity purpose.
``(iii) A review of the type of information
shared with the Center under this section.
``(iv) A review of the actions taken by the
Center based on such information.
``(v) The appropriate metrics that exist to
determine the impact, if any, on privacy and
civil liberties as a result of the sharing of
such information with the Center.
``(vi) A list of other Federal agencies
receiving such information.
``(vii) A review of the sharing of such
information within the Federal Government to
identify inappropriate stove piping of such
information.
``(viii) Any recommendations of the Inspector
General of the Department for improvements or
modifications to information sharing under this
section.
``(D) Privacy and civil liberties officers report.--
The Chief Privacy Officer and the Chief Civil Rights
and Civil Liberties Officer of the Department, in
consultation with the Privacy and Civil Liberties
Oversight Board, the Inspector General of the
Department, and the senior privacy and civil liberties
officer of each Federal agency that receives cyber
threat indicators and defensive measures shared with
the Center under this section, shall biennially submit
to the appropriate congressional committees a report
assessing the privacy and civil liberties impact of the
activities under this paragraph. Each such report shall
include any recommendations the Chief Privacy Officer
and the Chief Civil Rights and Civil Liberties Officer
of the Department consider appropriate to minimize or
mitigate the privacy and civil liberties impact of the
sharing of cyber threat indicators and defensive
measures under this section.
``(E) Form.--Each report required under paragraphs
(C) and (D) shall be submitted in unclassified form,
but may include a classified annex.
``(7) Uses and protection of information.--
``(A) Non-federal entities.--A non-Federal entity,
not including a State, local, or tribal government,
that shares cyber threat indicators or defensive
measures through the Center or otherwise under this
section--
``(i) may use, retain, or further disclose
such cyber threat indicators or defensive
measures solely for cybersecurity purposes;
``(ii) shall, prior to such sharing, take
reasonable efforts to remove information that
can be used to identify specific persons and is
reasonably believed at the time of sharing to
be unrelated to a cybersecurity risk or
incident, and to safeguard information that can
be used to identify specific persons from
unintended disclosure or unauthorized access or
acquisition;
``(iii) shall comply with appropriate
restrictions that a Federal entity or non-
Federal entity places on the subsequent
disclosure or retention of cyber threat
indicators and defensive measures that it
discloses to other Federal entities or non-
Federal entities;
``(iv) shall be deemed to have voluntarily
shared such cyber threat indicators or
defensive measures;
``(v) shall implement and utilize a security
control to protect against unauthorized access
to or acquisition of such cyber threat
indicators or defensive measures; and
``(vi) may not use such information to gain
an unfair competitive advantage to the
detriment of any non-Federal entity.
``(B) Federal entities.--
``(i) Uses of information.--A Federal entity
that receives cyber threat indicators or
defensive measures shared through the Center or
otherwise under this section from another
Federal entity or a non-Federal entity--
``(I) may use, retain, or further
disclose such cyber threat indicators
or defensive measures solely for
cybersecurity purposes;
``(II) shall, prior to such sharing,
take reasonable efforts to remove
information that can be used to
identify specific persons and is
reasonably believed at the time of
sharing to be unrelated to a
cybersecurity risk or incident, and to
safeguard information that can be used
to identify specific persons from
unintended disclosure or unauthorized
access or acquisition;
``(III) shall be deemed to have
voluntarily shared such cyber threat
indicators or defensive measures;
``(IV) shall implement and utilize a
security control to protect against
unauthorized access to or acquisition
of such cyber threat indicators or
defensive measures; and
``(V) may not use such cyber threat
indicators or defensive measures to
engage in surveillance or other
collection activities for the purpose
of tracking an individual's personally
identifiable information.
``(ii) Protections for information.--The
cyber threat indicators and defensive measures
referred to in clause (i)--
``(I) are exempt from disclosure
under section 552 of title 5, United
States Code, and withheld, without
discretion, from the public under
subsection (b)(3)(B) of such section;
``(II) may not be used by the Federal
Government for regulatory purposes;
``(III) may not constitute a waiver
of any applicable privilege or
protection provided by law, including
trade secret protection;
``(IV) shall be considered the
commercial, financial, and proprietary
information of the non-Federal entity
referred to in clause (i) when so
designated by such non-Federal entity;
and
``(V) may not be subject to a rule of
any Federal entity or any judicial
doctrine regarding ex parte
communications with a decisionmaking
official.
``(C) State, local, or tribal government.--
``(i) Uses of information.--A State, local,
or tribal government that receives cyber threat
indicators or defensive measures from the
Center from a Federal entity or a non-Federal
entity--
``(I) may use, retain, or further
disclose such cyber threat indicators
or defensive measures solely for
cybersecurity purposes;
``(II) shall, prior to such sharing,
take reasonable efforts to remove
information that can be used to
identify specific persons and is
reasonably believed at the time of
sharing to be unrelated to a
cybersecurity risk or incident, and to
safeguard information that can be used
to identify specific persons from
unintended disclosure or unauthorized
access or acquisition;
``(III) shall consider such
information the commercial, financial,
and proprietary information of such
Federal entity or non-Federal entity if
so designated by such Federal entity or
non-Federal entity;
``(IV) shall be deemed to have
voluntarily shared such cyber threat
indicators or defensive measures; and
``(V) shall implement and utilize a
security control to protect against
unauthorized access to or acquisition
of such cyber threat indicators or
defensive measures.
``(ii) Protections for information.--The
cyber threat indicators and defensive measures
referred to in clause (i)--
``(I) shall be exempt from disclosure
under any State, local, or tribal law
or regulation that requires public
disclosure of information or records by
a public or quasi-public entity; and
``(II) may not be used by any State,
local, or tribal government to regulate
a lawful activity of a non-Federal
entity.
``(8) Liability exemptions.--
``(A) Network awareness.--No cause of action shall
lie or be maintained in any court, and such action
shall be promptly dismissed, against any non-Federal
entity that, for cybersecurity purposes, conducts
network awareness under paragraph (4), if such network
awareness is conducted in accordance with such
paragraph and this section.
``(B) Information sharing.--No cause of action shall
lie or be maintained in any court, and such action
shall be promptly dismissed, against any non-Federal
entity that, for cybersecurity purposes, shares cyber
threat indicators or defensive measures under paragraph
(3), or fails to act based on such sharing, if such
sharing is conducted in accordance with such paragraph
and this section.
``(C) Willful misconduct.--
``(i) Rule of construction.--Nothing in this
section may be construed to--
``(I) require dismissal of a cause of
action against a non-Federal entity
that has engaged in willful misconduct
in the course of conducting activities
authorized by this section; or
``(II) undermine or limit the
availability of otherwise applicable
common law or statutory defenses.
``(ii) Proof of willful misconduct.--In any
action claiming that subparagraph (A) or (B)
does not apply due to willful misconduct
described in clause (i), the plaintiff shall
have the burden of proving by clear and
convincing evidence the willful misconduct by
each non-Federal entity subject to such claim
and that such willful misconduct proximately
caused injury to the plaintiff.
``(iii) Willful misconduct defined.--In this
subsection, the term `willful misconduct' means
an act or omission that is taken--
``(I) intentionally to achieve a
wrongful purpose;
``(II) knowingly without legal or
factual justification; and
``(III) in disregard of a known or
obvious risk that is so great as to
make it highly probable that the harm
will outweigh the benefit.
``(D) Exclusion.--The term `non-Federal entity' as
used in this paragraph shall not include a State,
local, or tribal government.
``(9) Federal government liability for violations of
restrictions on the use and protection of voluntarily shared
information.--
``(A) In general.--If a department or agency of the
Federal Government intentionally or willfully violates
the restrictions specified in paragraph (3), (6), or
(7)(B) on the use and protection of voluntarily shared
cyber threat indicators or defensive measures, or any
other provision of this section, the Federal Government
shall be liable to a person injured by such violation
in an amount equal to the sum of--
``(i) the actual damages sustained by such
person as a result of such violation or $1,000,
whichever is greater; and
``(ii) reasonable attorney fees as determined
by the court and other litigation costs
reasonably occurred in any case under this
subsection in which the complainant has
substantially prevailed.
``(B) Venue.--An action to enforce liability under
this subsection may be brought in the district court of
the United States in--
``(i) the district in which the complainant
resides;
``(ii) the district in which the principal
place of business of the complainant is
located;
``(iii) the district in which the department
or agency of the Federal Government that
disclosed the information is located; or
``(iv) the District of Columbia.
``(C) Statute of limitations.--No action shall lie
under this subsection unless such action is commenced
not later than two years after the date of the
violation of any restriction specified in paragraph
(3), (6), or 7(B), or any other provision of this
section, that is the basis for such action.
``(D) Exclusive cause of action.--A cause of action
under this subsection shall be the exclusive means
available to a complainant seeking a remedy for a
violation of any restriction specified in paragraph
(3), (6), or 7(B) or any other provision of this
section.
``(10) Anti-trust exemption.--
``(A) In general.--Except as provided in subparagraph
(C), it shall not be considered a violation of any
provision of antitrust laws for two or more non-Federal
entities to share a cyber threat indicator or defensive
measure, or assistance relating to the prevention,
investigation, or mitigation of a cybersecurity risk or
incident, for cybersecurity purposes under this Act.
``(B) Applicability.--Subparagraph (A) shall apply
only to information that is shared or assistance that
is provided in order to assist with--
``(i) facilitating the prevention,
investigation, or mitigation of a cybersecurity
risk or incident to an information system or
information that is stored on, processed by, or
transiting an information system; or
``(ii) communicating or disclosing a cyber
threat indicator or defensive measure to help
prevent, investigate, or mitigate the effect of
a cybersecurity risk or incident to an
information system or information that is
stored on, processed by, or transiting an
information system.
``(C) Prohibited conduct.--Nothing in this section
may be construed to permit price-fixing, allocating a
market between competitors, monopolizing or attempting
to monopolize a market, or exchanges of price or cost
information, customer lists, or information regarding
future competitive planning.
``(11) Construction and preemption.--
``(A) Otherwise lawful disclosures.--Nothing in this
section may be construed to limit or prohibit otherwise
lawful disclosures of communications, records, or other
information, including reporting of known or suspected
criminal activity or participating voluntarily or under
legal requirement in an investigation, by a non-Federal
to any other non-Federal entity or Federal entity under
this section.
``(B) Whistle blower protections.--Nothing in this
section may be construed to prohibit or limit the
disclosure of information protected under section
2302(b)(8) of title 5, United States Code (governing
disclosures of illegality, waste, fraud, abuse, or
public health or safety threats), section 7211 of title
5, United States Code (governing disclosures to
Congress), section 1034 of title 10, United States Code
(governing disclosure to Congress by members of the
military), section 1104 of the National Security Act of
1947 (50 U.S.C. 3234) (governing disclosure by
employees of elements of the intelligence community),
or any similar provision of Federal or State law.
``(C) Relationship to other laws.--Nothing in this
section may be construed to affect any requirement
under any other provision of law for a non-Federal
entity to provide information to a Federal entity.
``(D) Preservation of contractual obligations and
rights.--Nothing in this section may be construed to--
``(i) amend, repeal, or supersede any current
or future contractual agreement, terms of
service agreement, or other contractual
relationship between any non-Federal entities,
or between any non-Federal entity and a Federal
entity; or
``(ii) abrogate trade secret or intellectual
property rights of any non-Federal entity or
Federal entity.
``(E) Anti-tasking restriction.--Nothing in this
section may be construed to permit a Federal entity
to--
``(i) require a non-Federal entity to provide
information to a Federal entity;
``(ii) condition the sharing of cyber threat
indicators or defensive measures with a non-
Federal entity on such non-Federal entity's
provision of cyber threat indicators or
defensive measures to a Federal entity; or
``(iii) condition the award of any Federal
grant, contract, or purchase on the sharing of
cyber threat indicators or defensive measures
with a Federal entity.
``(F) No liability for non-participation.--Nothing in
this section may be construed to subject any non-
Federal entity to liability for choosing to not engage
in the voluntary activities authorized under this
section.
``(G) Use and retention of information.--Nothing in
this section may be construed to authorize, or to
modify any existing authority of, a department or
agency of the Federal Government to retain or use any
information shared under this section for any use other
than permitted in this section.
``(H) Voluntary sharing.--Nothing in this section may
be construed to restrict or condition a non-Federal
entity from sharing, for cybersecurity purposes, cyber
threat indicators, defensive measures, or information
related to cybersecurity risks or incidents with any
other non-Federal entity, and nothing in this section
may be construed as requiring any non-Federal entity to
share cyber threat indicators, defensive measures, or
information related to cybersecurity risks or incidents
with the Center.
``(I) Federal preemption.--This section supersedes
any statute or other provision of law of a State or
political subdivision of a State that restricts or
otherwise expressly regulates an activity authorized
under this section.
``(j) Direct Reporting.--The Secretary shall develop policies and
procedures for direct reporting to the Secretary by the Director of the
Center regarding significant cybersecurity risks and incidents.
``(k) Additional Responsibilities.--The Secretary shall build upon
existing mechanisms to promote a national awareness effort to educate
the general public on the importance of securing information systems.
``(l) Reports on International Cooperation.--Not later than 180 days
after the date of the enactment of this subsection and periodically
thereafter, the Secretary of Homeland Security shall submit to the
Committee on Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of the Senate a
report on the range of efforts underway to bolster cybersecurity
collaboration with relevant international partners in accordance with
subsection (c)(8).
``(m) Outreach.--Not later than 60 days after the date of the
enactment of this subsection, the Secretary, acting through the Under
Secretary for Cybersecurity and Infrastructure Protection, shall--
``(1) disseminate to the public information about how to
voluntarily share cyber threat indicators and defensive
measures with the Center; and
``(2) enhance outreach to critical infrastructure owners and
operators for purposes of such sharing.''.
SEC. 4. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS.
Section 212 of the Homeland Security Act of 2002 (6 U.S.C. 131) is
amended--
(1) in paragraph (5)--
(A) in subparagraph (A)--
(i) by inserting ``information related to
cybersecurity risks and incidents and'' after
``critical infrastructure information''; and
(ii) by striking ``related to critical
infrastructure'' and inserting ``related to
cybersecurity risks, incidents, critical
infrastructure, and'';
(B) in subparagraph (B)--
(i) by striking ``disclosing critical
infrastructure information'' and inserting
``disclosing cybersecurity risks, incidents,
and critical infrastructure information''; and
(ii) by striking ``related to critical
infrastructure or'' and inserting ``related to
cybersecurity risks, incidents, critical
infrastructure, or'' and
(C) in subparagraph (C), by striking ``disseminating
critical infrastructure information'' and inserting
``disseminating cybersecurity risks, incidents, and
critical infrastructure information''; and
(2) by adding at the end the following new paragraph:
``(8) Cybersecurity risk; incident.--The terms `cybersecurity
risk' and `incident' have the meanings given such terms in the
second section 226 (relating to the National Cybersecurity and
Communications Integration Center).''.
SEC. 5. STREAMLINING OF DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY
AND INFRASTRUCTURE PROTECTION ORGANIZATION.
(a) Cybersecurity and Infrastructure Protection.--The National
Protection and Programs Directorate of the Department of Homeland
Security shall, after the date of the enactment of this Act, be known
and designated as the ``Cybersecurity and Infrastructure Protection''.
Any reference to the National Protection and Programs Directorate of
the Department in any law, regulation, map, document, record, or other
paper of the United States shall be deemed to be a reference to the
Cybersecurity and Infrastructure Protection of the Department.
(b) Senior Leadership of Cybersecurity and Infrastructure
Protection.--
(1) In general.--Subsection (a) of section 103 of the
Homeland Security Act of 2002 (6 U.S.C. 113) is amended--
(A) in paragraph (1)--
(i) by amending subparagraph (H) to read as
follows:
``(H) An Under Secretary for Cybersecurity and
Infrastructure Protection.''; and
(ii) by adding at the end the following new
subparagraphs:
``(K) A Deputy Under Secretary for Cybersecurity.
``(L) A Deputy Under Secretary for Infrastructure
Protection.''; and
(B) by adding at the end the following new paragraph:
``(3) Deputy under secretaries.--The Deputy Under Secretaries
referred to in subparagraphs (K) and (L) of paragraph (1) shall
be appointed by the President without the advice and consent of
the Senate.''.
(2) Continuation in office.--The individuals who hold the
positions referred in subparagraphs (H), (K), and (L) of
paragraph (1) of section 103(a) the Homeland Security Act of
2002 (as amended and added by paragraph (1) of this subsection)
as of the date of the enactment of this Act may continue to
hold such positions.
(c) Report.--Not later than 90 days after the date of the enactment
of this Act, the Under Secretary for Cybersecurity and Infrastructure
Protection of the Department of Homeland Security shall submit to the
Committee on Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of the Senate a
report on the feasibility of becoming an operational component,
including an analysis of alternatives, and if a determination is
rendered that becoming an operational component is the best option for
achieving the mission of Cybersecurity and Infrastructure Protection, a
legislative proposal and implementation plan for becoming such an
operational component. Such report shall also include plans to more
effectively carry out the cybersecurity mission of Cybersecurity and
Infrastructure Protection, including expediting information sharing
agreements.
SEC. 6. CYBER INCIDENT RESPONSE PLANS.
(a) In General.--Section 227 of the Homeland Security Act of 2002 (6
U.S.C. 149) is amended--
(1) in the heading, by striking ``plan'' and inserting
``plans'';
(2) by striking ``The Under Secretary appointed under section
103(a)(1)(H) shall'' and inserting the following:
``(a) In General.--The Under Secretary for Cybersecurity and
Infrastructure Protection shall''; and
(3) by adding at the end the following new subsection:
``(b) Updates to the Cyber Incident Annex to the National Response
Framework.--The Secretary, in coordination with the heads of other
appropriate Federal departments and agencies, and in accordance with
the National Cybersecurity Incident Response Plan required under
subsection (a), shall regularly update, maintain, and exercise the
Cyber Incident Annex to the National Response Framework of the
Department.''.
(b) Clerical Amendment.--The table of contents of the Homeland
Security Act of 2002 is amended by amending the item relating to
section 227 to read as follows:
``Sec. 227. Cyber incident response plans.''.
SEC. 7. SECURITY AND RESILIENCY OF PUBLIC SAFETY COMMUNICATIONS;
CYBERSECURITY AWARENESS CAMPAIGN.
(a) In General.--Subtitle C of title II of the Homeland Security Act
of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the
following new sections:
``SEC. 230. SECURITY AND RESILIENCY OF PUBLIC SAFETY COMMUNICATIONS.
``The National Cybersecurity and Communications Integration Center,
in coordination with the Office of Emergency Communications of the
Department, shall assess and evaluate consequence, vulnerability, and
threat information regarding cyber incidents to public safety
communications to help facilitate continuous improvements to the
security and resiliency of such communications.
``SEC. 231. CYBERSECURITY AWARENESS CAMPAIGN.
``(a) In General.--The Under Secretary for Cybersecurity and
Infrastructure Protection shall develop and implement an ongoing and
comprehensive cybersecurity awareness campaign regarding cybersecurity
risks and voluntary best practices for mitigating and responding to
such risks. Such campaign shall, at a minimum, publish and disseminate,
on an ongoing basis, the following:
``(1) Public service announcements targeted at improving
awareness among State, local, and tribal governments, the
private sector, academia, and stakeholders in specific
audiences, including the elderly, students, small businesses,
members of the Armed Forces, and veterans.
``(2) Vendor and technology-neutral voluntary best practices
information.
``(b) Consultation.--The Under Secretary for Cybersecurity and
Infrastructure Protection shall consult with a wide range of
stakeholders in government, industry, academia, and the non-profit
community in carrying out this section.''.
(b) Clerical Amendment.--The table of contents of the Homeland
Security Act of 2002 is amended by inserting after the item relating to
section 226 (relating to cybersecurity recruitment and retention) the
following new items:
``Sec. 230. Security and resiliency of public safety communications.
``Sec. 231. Cybersecurity awareness campaign.''.
SEC. 8. CRITICAL INFRASTRUCTURE PROTECTION RESEARCH AND DEVELOPMENT.
(a) Strategic Plan; Public-private Consortiums.--Title III of the
Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by
adding at the end the following new section:
``SEC. 318. RESEARCH AND DEVELOPMENT STRATEGY FOR CRITICAL
INFRASTRUCTURE PROTECTION.
``(a) In General.--Not later than 180 days after the date of
enactment of this section, the Secretary, acting through the Under
Secretary for Science and Technology, shall submit to Congress a
strategic plan to guide the overall direction of Federal physical
security and cybersecurity technology research and development efforts
for protecting critical infrastructure, including against all threats.
Such plan shall be updated and submitted to Congress every two years.
``(b) Contents of Plan.--The strategic plan, including biennial
updates, required under subsection (a) shall include the following:
``(1) An identification of critical infrastructure security
risks and any associated security technology gaps, that are
developed following--
``(A) consultation with stakeholders, including
critical infrastructure Sector Coordinating Councils;
and
``(B) performance by the Department of a risk and gap
analysis that considers information received in such
consultations.
``(2) A set of critical infrastructure security technology
needs that--
``(A) is prioritized based on the risks and gaps
identified under paragraph (1);
``(B) emphasizes research and development of
technologies that need to be accelerated due to rapidly
evolving threats or rapidly advancing infrastructure
technology; and
``(C) includes research, development, and acquisition
roadmaps with clearly defined objectives, goals, and
measures.
``(3) An identification of laboratories, facilities,
modeling, and simulation capabilities that will be required to
support the research, development, demonstration, testing,
evaluation, and acquisition of the security technologies
described in paragraph (2).
``(4) An identification of current and planned programmatic
initiatives for fostering the rapid advancement and deployment
of security technologies for critical infrastructure
protection, including a consideration of opportunities for
public-private partnerships, intragovernment collaboration,
university centers of excellence, and national laboratory
technology transfer.
``(5) A description of progress made with respect to each
critical infrastructure security risk, associated security
technology gap, and critical infrastructure technology need
identified in the preceding strategic plan required under
subsection (a).
``(c) Coordination.--In carrying out this section, the Under
Secretary for Science and Technology shall coordinate with the Under
Secretary for the National Protection and Programs Directorate.
``(d) Consultation.--In carrying out this section, the Under
Secretary for Science and Technology shall consult with--
``(1) critical infrastructure Sector Coordinating Councils;
``(2) to the extent practicable, subject matter experts on
critical infrastructure protection from universities, colleges,
national laboratories, and private industry;
``(3) the heads of other relevant Federal departments and
agencies that conduct research and development relating to
critical infrastructure protection; and
``(4) State, local, and tribal governments, as
appropriate.''.
(b) Clerical Amendment.--The table of contents of the Homeland
Security Act of 2002 is amended by inserting after the item relating to
section 317 the following new item:
``Sec. 318. Research and development strategy for critical
infrastructure protection.''.
SEC. 9. REPORT ON REDUCING CYBERSECURITY RISKS IN DHS DATA CENTERS.
Not later than one year after the date of the enactment of this Act,
the Secretary of Homeland Security shall submit to the Committee on
Homeland Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate a report on
the feasibility of the Department of Homeland Security creating an
environment for the reduction in cybersecurity risks in Department data
centers, including by increasing compartmentalization between systems,
and providing a mix of security controls between such compartments.
SEC. 10. ASSESSMENT.
Not later than two years after the date of the enactment of this Act,
the Comptroller General of the United States shall submit to the
Committee on Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of the Senate a
report that contains an assessment of the implementation by the
Secretary of Homeland Security of this Act and the amendments made by
this Act and, to the extent practicable, findings regarding increases
in the sharing of cyber threat indicators, defensive measures, and
information relating to cybersecurity risks and incidents at the
National Cybersecurity and Communications Integration Center and
throughout the United States.
SEC. 11. CONSULTATION.
The Under Secretary for Cybersecurity and Infrastructure Protection
shall produce a report on the feasibility of creating a risk-informed
prioritization plan should multiple critical infrastructures experience
cyber incidents simultaneously.
SEC. 12. TECHNICAL ASSISTANCE.
The Inspector General of the Department of Homeland Security shall
review the operations of the United States Computer Emergency Readiness
Team (US-CERT) and the Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) to assess the capacity to provide technical
assistance to non-Federal entities and to adequately respond to
potential increases in requests for technical assistance.
SEC. 13. PROHIBITION ON NEW REGULATORY AUTHORITY.
Nothing in this Act or the amendments made by this Act may be
construed to grant the Secretary of Homeland Security any authority to
promulgate regulations or set standards relating to the cybersecurity
of non-Federal entities, not including State, local, and tribal
governments, that was not in effect on the day before the date of the
enactment of this Act.
SEC. 14. SUNSET.
Any requirements for reports required by this Act or the amendments
made by this Act shall terminate on the date that is seven years after
the date of the enactment of this Act.
SEC. 15. PROHIBITION ON NEW FUNDING.
No funds are authorized to be appropriated to carry out this Act and
the amendments made by this Act. This Act and such amendments shall be
carried out using amounts appropriated or otherwise made available for
such purposes.
Purpose and Summary
The purpose of H.R. 1731 is to amend the Homeland Security
Act of 2002 to enhance multi-directional sharing of information
related to cybersecurity risks, while strengthening privacy and
civil liberties protections, in order to help secure the
nation's cyber networks and critical infrastructure against
attacks.
Background and Need for Legislation
Despite the growing acknowledgement and understanding of
the threat, the U.S. economy and private citizens continue to
sustain damage from cyber attacks. The destructive attack on
Sony Pictures attributed to the Democratic People's Republic of
Korea, and breaches at health insurance providers Anthem and
Blue Cross, which compromised sensitive medical records of
millions of Americans, are the latest and most prominent
examples of intrusions that occur daily, targeting critical
infrastructure and business, and victimizing private citizens.
The Department of Homeland Security (Department) estimates
that it received nearly 100,000 cyber incident reports,
detected 64,000 major vulnerabilities, issued nearly 12,000
alerts or warnings, and responded to 115 major cyber incidents
last year alone. It is important to note that these numbers
only capture the information reported to the Department. It is
fair to say these statistics under-represent the full scope of
cyber attacks in the U.S. Moreover, they do not account for
threat reporting to other Federal agencies, or incidents that
went unreported by the private sector and the public. Still,
these numbers provide a powerful illustration of the malicious
nature and the persistence of the threats to America's public
and private networks, further demonstrating why legislation to
help enhance our awareness of the threat through multi-
directional information sharing is urgently needed.
At a summit on cybersecurity convened at Stanford
University on February 13, 2015, President Obama said that
cyberattacks are one of the Nation's most pressing national
security, economic and safety issues. He remarked that they
are, ``hurting American companies and costing American jobs.''
In his speech, the President said that ``there is only one way
to defend America from these cyber threats, and that is through
government and industry working together, sharing information
as true partners.''
While the President's Executive Order ``Promoting Private
Sector Cybersecurity Information Sharing'' was a positive step
forward, focusing attention on the need for action, Mastercard
Chief Executive Officer Ajay Banga rightly concluded, ``We need
a real legislative solution. An executive action can only take
you so far.''\1\ Mr. Banga also expressed his support for
information sharing commenting, ``Rather than fight this in
individualized groups, there's some merit in joining hands and
doing it together.''\2\ This statement aligns with the goals
industry has articulated to the Committee while drafting this
legislation.
---------------------------------------------------------------------------
\1\ Katie Zezima, ``Obama Signs Executive Order on Sharing
Cybersecurity Threat Information'', Washington Post, February 12, 2015,
available at: http://www.washingtonpost.com/blogs/post-politics/wp/
2015/02/12/obama-to-sign-executive-order-on-cybersecurity-threats/
\2\ Ibid
---------------------------------------------------------------------------
The National Cybersecurity Protection Advancement Act of
2015 (NCPA Act) will support the Department in its mission to
secure cyberspace by facilitating cooperation between the
Federal government and the private sector. While there have
been many reasons for the lack of cyber threat information
sharing in the past, this gap must be addressed to stop
criminals, terrorists, and nation states from exploiting our
Nation's sensitive intellectual property and personal data. One
way to foster greater sharing of timely cyber threat
information is to create a mechanism for the sharing of threat
information with privacy protections and legal ``safe harbors''
in which companies can exchange technical data.
The NCPA Act builds on the progress made in the 113th
Congress. The National Cybersecurity Protection Act of 2014
codified the Department's National Cybersecurity and
Communications Integration Center (NCCIC) to facilitate multi-
directional information sharing between the Federal Government
and the private sector. As the lead civilian interface for
sharing cyber threat information with the government, the NCCIC
is uniquely positioned as a sharing hub to integrate
information from multiple sources, and use it to provide
government agencies and the private sector with actionable
information to recognize, prevent and mitigate harm from cyber
attacks.
As codified in the Homeland Security Act of 2002, the NCCIC
is overseen by the Department's Privacy Office, which is the
government's first statutorily established office with a
mandate to protect civil rights and liberties. In order to
prevent personal information from inadvertently being shared,
the NCPA Act ensures that private information is scrubbed
twice: first by the entity sharing the information with the
NCCIC, and then again by the NCCIC after it is received. These
built-in privacy controls at the Department are important
factors that make the Department the logical choice for an
interface to facilitate cyber information sharing and explain
why privacy advocates have expressed support for the NCCIC's
role as the lead civilian information-sharing portal.
The NCPA Act authorizes entities to engage in the voluntary
exchange of cyber threat information and to conduct network
awareness and defensive measures on their own systems. The Act
provides liability protections for private entities that
conduct network awareness or voluntary shame technical cyber
threat information with the another private entity or the
NCCIC. Thus, the NCPA Act creates a critical ``safe harbor''
for private entities, encouraging their participation and
cooperation.
In sum, this much-needed Act will help improve the
situational awareness of the government and the private sector
to ensure that private networks, including critical
infrastructure networks, remain reliable and resilient, thereby
enhancing the Nation's economic security and safety of the
American public.
Hearings
No hearings were held on H.R. 1731. However, the Committee
held the following oversight hearings.
On February 12, 2015, the Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies held a
hearing entitled ``Emerging Threats and Technologies to Protect
the Homeland.'' The Subcommittee received testimony from Mr.
Andy Ozment, Assistant Secretary, Office of Cybersecurity and
Communications, National Protection and Programs Directorate,
U.S. Department of Homeland Security; Dr. Huban Gowadia,
Director, Domestic Nuclear Detection Office, U.S. Department of
Homeland Security; Mr. Joseph Martin, Acting Director, Homeland
Security Enterprise and First Responders Group, Science and
Technology Directorate, U.S. Department of Homeland Security;
Mr. William Noonan, Deputy Special Agent in Charge, Criminal
Investigative Division, Cyber Operations Branch, United States
Secret Service, U.S. Department of Homeland Security; and Mr.
William Painter, Analyst, Government and Finance Division,
Congressional Research Service, Library of Congress.
On February 25, 2015, the Committee held a hearing entitled
``Examining the President's Cybersecurity Information Sharing
Proposal.'' The Committee received testimony from Hon. Suzanne
Spaulding, Under Secretary, National Protection and Programs
Directorate, U.S. Department of Homeland Security; Dr. Phyllis
Schneck, Deputy Under Secretary, Cybersecurity and
Communications, National Protection and Programs Directorate,
U.S. Department of Homeland Security; and Dr. Eric Fischer,
Senior Specialist, Science and Technology, Congressional
Research Service, Library of Congress.
On March 4, 2015, the Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies held a
hearing entitled ``Industry Perspectives on the President's
Cybersecurity Information Sharing Proposal.'' The Subcommittee
received testimony from Mr. Matthew J. Eggers, Senior Director,
National Security and Emergency Preparedness, U.S. Chamber of
Commerce; Ms. Mary Ellen Callahan, Jenner & Block and the
Former Chief Privacy Officer, U.S. Department of Homeland
Security; Mr. Gregory T. Garcia, Executive Director, Financial
Services Sector Coordinating Council; and Dr. Martin Libicki,
The RAND Corporation.
Committee Consideration
The Committee met on April 14, 2015, to consider H.R. 1731,
and ordered the measure to be reported to the House with a
favorable recommendation, as amended, by voice vote. The
Committee took the following actions:
The Committee agreed to H.R. 1731, amended, by voice vote.
The following amendments were offered:
An amendment offered by Mr. Rogers of Alabama (#1) was AGREED
TO by voice vote.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in the proposed subsection (i)(3), add
at the end a new Subparagraph entitled ``(E) Coordinated Vulnerability
Disclosure.''
An amendment offered by Mr. Thompson of Mississippi (#2) was
AGREED TO by voice vote.
Redesignate section 8 as section 9.
Insert after section 7 a new section entitled ``Sec. 8.
Assessment.''
An amendment offered by Mr. Thompson of Mississippi (#3) was
NOT AGREED TO by a recorded vote of 10 yeas and 15 nays (Roll
Call Vote No. 12).
Redesignate section 8 as section 9.
Insert after section 7 a new section entitled ``Sec. 8. Sunset.''
An amendment offered by Mr. Richmond (#4) was NOT AGREED TO by
a recorded vote of 11 yeas and 16 nays (Roll Call Vote No. 13).
In section 3 of the bill, in the proposed subsection (i) of the
second section 226 of the Homeland Security Act of 2002, insert a new
paragraph entitled ``(8) Liability Exemptions.''
An amendment offered by Mr. Richmond (#5) was NOT AGREED TO by
a recorded vote of 12 yeas and 17 nays (Roll Call Vote No. 14).
In section 3 of the bill, in the proposed subsection (i)(8) of the
second section 226 of the Homeland Security Act of 2002, strike ``or in
good faith fails to act based on such sharing,''.
In section 3 of the bill, in the proposed subsection (i)(8) of the
second section 226 of the Homeland Security Act of 2002, add at the end
the a new subparagraph entitled ``(E) Rule of Construction.''
An amendment offered by Mr. Richmond (#6) was AGREED TO by
voice vote,
Page 11, line 19, strike ``and''.
Page 11, line 20, strike ``(iv)'' and insert ``(v)''.
Page 11, beginning line 20, insert the following:
(iv) in subparagraph (F), by striking ``and'' at the end;
Page 11, line 23, insert ``and'' after the semicolon.
Page 11, beginning line 24, insert the following:
(vi) by adding at the end the following:
``(H) the Center ensures that it shares information relating to
cybersecurity risks and incidents with small and medium-sized
businesses, as appropriate;''.
An amendment offered by Mr. Richmond (#7) was NOT AGREED TO by
a recorded vote of 12 yeas and 17 nays (Roll Call Vote No. 15).
In section 3 of the bill, in the proposed Subsection (i)(9)(C) of
the second section 226 of the Homeland Security Act of 2002, insert
``the discovery of'' before ``the date of the violation''.
An amendment offered by Mr. Perry (#8) was AGREED TO by voice
vote.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, add at the end a new clause entitled
``(j) Direct Reporting.''
An amendment offered by Mr. Katko (#9) was AGREED TO by voice
vote,
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, add at the end a new clause entitled
``(j) Additional Responsibilities.''
An en bloc amendment offered by Mr. Keating (#10) was AGREED
TO by voice vote.
Consisting of the following amendments:
An amendment : Redesignate section 8 as section 9.
Insert after section 7 a new section entitled ``Sec. 8. Technical
Assistance.''
An amendment : In section 3(4) of the bill, amending the second
section 226 of the Homeland Security Act of 2002, add at the end a new
clause entitled ``(j) Reports on International Cooperation.
An en bloc amendment offered by Ms. McSally (#11) was AGREED
TO by voice vote.
Consisting of the following amendments:
An amendment: In section 3 of the bill, amending the second
section 226 of the Homeland Security Act of 2002, in subsection (c), in
the proposed paragraph (9), insert ``and with State and major urban
area fusion centers, as appropriate'' before the semicolon at the end.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in subsection (c), in the proposed
paragraph (10), strike ``and'' at the end.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in subsection (c), in the proposed
paragraph (11), strike the period at the end and insert a semicolon.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in subsection (c), add at the end the
following:
``(12) participating, as appropriate, in exercises run by the
Department's National Exercise Program; and
``(13) assessing and evaluating consequence, vulnerability, and
threat information regarding cyber incidents in coordination with the
Office of Emergency Communications of the Department to help facilitate
continuous improvements to the security and resiliency of public safety
communications.''
An amendment: Redesignate section 8 as section 9.
Insert after section 7 a new section entitled ``Sec. 8. Cyber
Incident Response Plans.''
An amendment offered by Mrs. Watson Coleman (#12) was AGREED
TO by voice vote.
Redesignate section 8 as section 9.
Insert after section 7 a new section entitled ``Sec. 8.
Cybersecurity Awareness Campaign.''
An en bloc amendment offered by Ms. Jackson Lee (#13) was
AGREED TO by voice vote.
Consisting of the following amendments:
An amendment: Redesignate section 8 as section 9.Insert after
section 7 a new section entitled ``Sec. 8. Consultation.''
An amendment: Page 10, line 16, after ``defensive measures: insert
``, analysis''.
An amendment: In section 3 of the bill, amending the second
section 226 of the Homeland Security Act of 2002, in the proposed
subsection (i)(6)(A), add at the end a new clause entitled ``(iv)
Consultation.''
An amendment: Page 11, line 19, insert ``, and by striking `and'
at the end'' before the semicolon.
Page 11, line 23, insert ``, by inserting `and' after the
semicolon at the end'' before the semicolon.
Page 11, beginning line 24, insert the following:
(V) by adding at the end the following new subparagraph: ``(H) an
agency contact for nongovernment entities;''.
An amendment offered by Mr. Ratcliffe (#14) was AGREED TO by
voice vote.
In section 3 of the bill, amending the second section of 226 of
the Homeland Security Act of 2002, in the proposed subsection (i)(8(A),
strike ``in good faith''.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in the proposed subsection (i)(8)(B),
strike ``in good faith'' each place it appears.
An amendment offered by Mr. Ratcliffe (#15) was AGREED TO by
voice vote.
In section 2 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in the proposed subsection (i)(7)(B)(i),
in subclause (III), strike ``and'' at the end.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in the proposed subsection (i)(7)(B)(i),
in subclause (IV) strike the period at the end and insert ``: and''.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, in the proposed subsection (i)(7)(B)(i),
add at the end the following;
``(V) may not be used to engage in surveillance or other
collection activities for the purpose of tracking an individual's
personally identifiable information.''
An amendment offered by Mr. Ratcliffe (#16) was AGREED TO by
voice vote.
Redesignate section 8 as section 9.
Insert after section 7 a new section entitled ``Sec. 8. Critical
Infrastructure Protection Research and Development.''
An amendment offered by Mr. Payne (#17) was AGREED TO by voice
vote.
In section 3 of the bill, amending the second section 226 of the
Homeland Security Act of 2002, add at the end a new clause entitled
``(j) Outreach.''
An amendment offered by Mr. Hurd of Texas (#18) was AGREED TO
by voice vote.
Page 9, line 14, strike ``(I) and insert ``(J)''.
Page 11, line 7, strike ``and''.
Page 11, beginning line 8, insert the following:
``(I) an entity that coordinates with small and medium sized
businesses; and''.
An en bloc amendment offered by Mr. Langevin (#19); was AGREED
TO by voice vote.
Consisting of the following amendments:
An amendment: in section 3 of the bill, amending the second
section 226 of the Homeland Security Act of 2002, in the proposed
subsection (i)(1)(A), in the third sentence, strike ``and
intentionally''.
An amendment: In section 3(4) of the bill, amending the second
section 226 of the Homeland Security Act of 2002, amend the proposed
subsection (g)(1) with a new subsection entitled (1) In General.''
An amendment offered by Mr, Loudermilk (#20) was AGREED TO by
voice vote.
Redesignate section 8 as section 9.
Insert after section 7 a new section entitled ``Sec. 8. Sunset.''
Committee Votes
Clause 3(b) of Rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto.
An amendment offered by Mr. Thompson of Mississippi (#3)
was NOT AGREED TO, by a recorded vote of 10 yeas and 15 nays
(Roll Call Vote No. 12). The vote was as follows:
?
COMMITTEE ON HOMELAND SECURITY
ROLL CALL NO. 12
H.R. 1731
----------------------------------------------------------------------------------------------------------------
Representative Yea Nay Representative Yea Nay
----------------------------------------------------------------------------------------------------------------
Mr. McCaul, P Chair..................... X Mr. Thompson of Mississippi, P X
Ranking Member.
Mr. Smith of Texas........................... Ms. Loretta Sanchez of California....
Mr. King of New York......................... X Ms. Jackson Lee...................... X
Mr. Rogers of Alabama........................ X Mr. Langevin......................... X
Mrs. Miller of Michigan...................... X Mr. Higgins.......................... X
Mr. Duncan of South Carolina................. Mr. Richmond......................... X
Mr. Marino................................... Mr. Keating..........................
Mr. Meehan................................... X Mr. Payne............................ X
Mr. Barletta................................. X Mr. Vela............................. X
Mr. Perry.................................... X Mrs. Watson Coleman.................. X
Mr. Clawson of Florida....................... X Miss Rice............................ X
Mr. Katko.................................... X Mrs. Torres.......................... X
Mr. Hurd of Texas............................ X
Mr. Carter of Georgia........................ X
Mr. Walker................................... X
Mr. Loudermilk............................... X
Ms. McSally.................................. X
Mr. Ratcliffe................................ X
-------------
Vote Total: 10 15
----------------------------------------------------------------------------------------------------------------
An amendment offered by Mr. Richmond (#4) was NOT AGREED
TO, by a recorded vote of 11 yeas and 16 nays (Roll Call Vote
No. 13). The vote was as follows:
?
COMMITTEE ON HOMELAND SECURITY
ROLL CALL NO. 13
H.R. 1731
----------------------------------------------------------------------------------------------------------------
Representative Yea Nay Representative Yea Nay
----------------------------------------------------------------------------------------------------------------
Mr. McCaul, Chair............................ X Mr. Thompson of Mississippi, Ranking X
Member.
Mr. Smith of Texas........................... X Ms. Loretta Sanchez of California....
Mr. King of New York......................... X Ms. Jackson Lee...................... X
Mr. Rogers of Alabama........................ X Mr. Langevin......................... X
Mrs. Miller of Michigan...................... X Mr. Higgins.......................... X
Mr. Duncan of South Carolina................. Mr. Richmond......................... X
Mr. Marino................................... Mr. Keating.......................... X
Mr. Meehan................................... X Mr. Payne............................ X
Mr. Barletta................................. X Mr. Vela............................. X
Mr. Perry.................................... X Mrs. Watson Coleman.................. X
Mr. Clawson of Florida....................... X Miss Rice............................ X
Mr. Katko.................................... X Mrs. Torres.......................... X
Mr. Hurd of Texas............................ X
Mr. Carter of Georgia........................ X
Mr. Walker................................... X
Mr. Loudermilk............................... X
Ms. McSally.................................. X
Mr. Ratcliffe................................ X
-------------
Vote Total: 11 16
----------------------------------------------------------------------------------------------------------------
An amendment offered by Mr. Richmond (#5) was NOT AGREED
TO, by a recorded vote of 12 yeas and 17 nays (Roll Call Vote
No. 14). The vote was as follows:
?
COMMITTEE ON HOMELAND SECURITY
ROLL CALL NO. 14
H.R. 1731
----------------------------------------------------------------------------------------------------------------
Representative Yea Nay Representative Yea Nay
----------------------------------------------------------------------------------------------------------------
Mr. McCaul, Chair............................ X Mr. Thompson of Mississippi, Ranking X
Member.
Mr. Smith of Texas........................... X Ms. Loretta Sanchez of California.... X
Mr. King of New York......................... X Ms. Jackson Lee...................... X
Mr. Rogers of Alabama........................ X Mr. Langevin......................... X
Mrs. Miller of Michigan...................... X Mr. Higgins.......................... X
Mr. Duncan of South Carolina................. Mr. Richmond......................... X
Mr. Marino................................... X Mr. Keating.......................... X
Mr. Meehan................................... X Mr. Payne............................ X
Mr. Barletta................................. X Mr. Vela............................. X
Mr. Perry.................................... X Mrs. Watson Coleman.................. X
Mr. Clawson of Florida....................... X Miss Rice............................ X
Mr. Katko.................................... X Mrs. Torres.......................... X
Mr. Hurd of Texas............................ X
Mr. Carter of Georgia........................ X
Mr. Walker................................... X
Mr. Loudermilk............................... X
Ms. McSally.................................. X
Mr. Ratcliffe................................ X
-------------
Vote Total: 12 17
----------------------------------------------------------------------------------------------------------------
An amendment offered by Mr. Richmond (#7) was NOT AGREED
TO, by a recorded vote of 12 yeas and 17 nays (Roll Call Vote
No. 15). The vote was as follows:
?
COMMITTEE ON HOMELAND SECURITY
ROLL CALL NO. 15
H.R. 1731
----------------------------------------------------------------------------------------------------------------
Representative Yea Nay Representative Yea Nay
----------------------------------------------------------------------------------------------------------------
Mr. McCaul, Chair............................ X Mr. Thompson of Mississippi, Ranking X
Member.
Mr. Smith of Texas........................... X Ms. Loretta Sanchez of California.... X
Mr. King of New York......................... X Ms. Jackson Lee...................... X
Mr. Rogers of Alabama........................ X Mr. Langevin......................... X
Mrs. Miller of Michigan...................... X Mr. Higgins.......................... X
Mr. Duncan of South Carolina................. Mr. Richmond......................... X
Mr. Marino................................... X Mr. Keating.......................... X
Mr. Meehan................................... X Mr. Payne............................ X
Mr. Barletta................................. X Mr. Vela............................. X
Mr. Perry.................................... X Mrs. Watson Coleman.................. X
Mr. Clawson of Florida....................... X Miss Rice............................ X
Mr. Katko.................................... X Mrs. Torres.......................... X
Mr. Hurd of Texas............................ X
Mr. Carter of Georgia........................ X
Mr. Walker................................... X
Mr. Loudermilk............................... X
Ms. McSally.................................. X
Mr. Ratcliffe................................ X
-------------
Vote Total: 12 17
----------------------------------------------------------------------------------------------------------------
Committee Oversight Findings
Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the
House of Representatives, the Committee has held oversight
hearings and made findings that are reflected in this report.
New Budget Authority, Entitlement Authority, and Tax Expenditures
In compliance with clause 3(c)(2) of Rule XIII of the Rules
of the House of Representatives, the Committee finds that H.R.
1731, the National Cybersecurity Protection Advancement Act of
2015, would result in no new or increased budget authority,
entitlement authority, or tax expenditures or revenues.
Congressional Budget Office Estimate
The Committee adopts as its own the cost estimate prepared
by the Director of the Congressional Budget Office pursuant to
section 402 of the Congressional Budget Act of 1974.
U.S. Congress,
Congressional Budget Office,
Washington, DC, April 16, 2015.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 1731, the National
Cybersecurity Protection Advancement Act of 2015.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Jason
Wheelock.
Sincerely,
Keith Hall,
Director.
Enclosure.
H.R. 1731--National Cybersecurity Protection Advancement Act of 2015
H.R. 1731 would largely codify the role of the National
Cybersecurity and Communications Integration Center of the
Department of Homeland Security in exchanging information about
cyber threats with other federal agencies and nonfederal
entities. The legislation also would require that certain
additional procedures be followed when that information is
shared, such as checking for and expunging personal
information. Finally, the bill would require several reports to
the Congress on cybersecurity information sharing. CBO
anticipates that approximately 20 additional personnel would be
needed to administer the new aspects of the program, prepare
the required reports, and manage the exchange of information.
Based on information from the Department of Homeland Security,
the Office of Management and Budget, and other cybersecurity
experts, CBO estimates that the requirements imposed by H.R.
1731 would cost approximately $20 million over the 2016-2020
period, assuming appropriation of the estimated amounts.
H.R. 1731 would make the government liable if an agency or
department violates privacy and civil liberty guidelines and
restrictions on the use of information required by the bill.
While such liability could result in additional direct
spending, CBO does not have sufficient basis to estimate the
type or frequency of violations or the budgetary effect that
might occur if the legislation was enacted. Because the bill
could affect direct spending, pay-as-you-go procedures apply.
H.R. 1731 would not affect revenues.
H.R. 1731 would impose intergovernmental and private-sector
mandates, as defined in the Unfunded Mandates Reform Act
(UMRA), by extending civil and criminal liability protection to
cybersecurity providers and other entities that monitor, share,
or use information on cyber threats. Doing so would prevent
public and private entities from seeking compensation for
damages from those protected entities for sharing or using
cybersecurity information. The bill also would impose
additional intergovernmental mandates on state and local
governments by preempting disclosure and liability laws and by
preempting any laws that restrict the cybersecurity monitoring,
sharing, and countermeasure activities authorized by the bill.
Because of uncertainty about the number of cases that would be
limited and any foregone compensation that would result from
compensatory damages that might otherwise go to private-sector
entities, CBO cannot determine whether the costs of the mandate
would exceed the annual thresholds established in UMRA for
private-sector mandates ($154 million in 2015, adjusted
annually for inflation). The amount of cybersecurity
information shared by state, local, and tribal governments is
much smaller than that shared by the private sector, and public
entities are much less likely to bring lawsuits as plaintiffs
in such cases. Consequently, CBO estimates that the aggregate
costs of the mandates on public entities would fall below the
threshold for intergovernmental mandates ($77 million in 2015,
adjusted annually for inflation).
On April 13, 2015, CBO transmitted a cost estimate for H.R.
1560 as ordered reported by the House Permanent Select
Committee on Intelligence on March 26, 2015, and on April 14,
2015, CBO transmitted a cost estimate for S. 754 as reported by
the Senate Select Committee on Intelligence on March 17, 2015.
Both bills are similar to H.R. 1731, but each contains
provisions not included in H.R. 1731 that would allow the
government to use information shared by nonfederal entities in
investigating and prosecuting certain violent crimes. In
addition, H.R. 1560 contains a provision not included in H.R.
1731 that would establish a National Cyber Threat Intelligence
Integration Center. Differences in the estimated costs of these
bills reflect differences in the legislative language.
The CBO staff contact for this estimate is Jason Wheelock.
The estimate was approved by Theresa Gullo, Assistant Director
for Budget Analysis.
Statement of General Performance Goals and Objectives
Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the
House of Representatives, H.R. 1731 contains the following
general performance goals and objectives, including outcome
related goals and objectives authorized.
H.R. 1731 seeks to enhance multi-directional sharing of
information related to cybersecurity risks, while also
strengthening privacy and civil liberties protections, in order
to help secure the nation's cyber networks and critical
infrastructure against attacks. The legislation requires a
number of reports to Congress from the Department, the
Department's Privacy Officer, and the Department's Office of
Inspector General that will provide insight to Congress on the
scope of information sharing, the NCCIC's role in facilitating
cyber information sharing, and any privacy and civil liberties
concerns that have been raised as a result of this effort.
Duplicative Federal Programs
Pursuant to clause 3(c) of Rule XIII, the Committee finds
that H.R. 1731 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits
In compliance with Rule XXI of the Rules of the House of
Representatives, this bill, as reported, contains no
congressional earmarks, limited tax benefits, or limited tariff
benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule
XXI.
Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
Preemption Clarification
In compliance with section 423 of the Congressional Budget
Act of 1974, requiring the report of any Committee on a bill or
joint resolution to include a statement on the extent to which
the bill or joint resolution is intended to preempt State,
local, or Tribal law, the Committee finds that H.R. 1731 does
preempt all State, local, or Tribal law that restricts or
otherwise expressly regulates an activity that is authorized
under this legislation with respect to a Federal civilian
cybersecurity information sharing program.
Disclosure of Directed Rule Makings
The Committee estimates that H.R. 1731 would require no
directed rule makings.
Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
Applicability to Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
Section-by-Section Analysis of the Legislation
Section 1. Short Title.
This section provides that the bill may be cited as the
``National Cybersecurity Protection Advancement Act of 2015.''
Section 2. National Cybersecurity and Communications Integration
Center.
This section amends subsection (a) of the second section
226 (6 U.S. Code 148) of the Homeland Security Act of 2002 by
adding definitions of terms used in the bill, including:
``cyber threat indicator'', ``cybersecurity purpose'',
``defensive measure'', ``network awareness'', ``private
entity'', ``security control'', and ``sharing''.
Section 3. Information Sharing Structure and Process.
This section amends subsection (a) of the second section
226 of the Homeland Security Act of 2002 as described below.
Amendments to the National Cybersecurity and Communications
Integration Center.
This section amends the functions of the NCCIC. It
designates the NCCIC as the ``lead Federal civilian interface''
for multi-directional and cross-sector information sharing
related to cybersecurity.
It also adds cyber threat indicators and defensive measures
to the types of technical threat data that the NCCIC will
collect, analyze, and share to provide enhanced situational
awareness to Federal, non-Federal and private entities. It
directs the NCCIC to share information relating to
cybersecurity risks and incidents with small and medium-sized
businesses, as appropriate. The Committee believes that the
NCCIC should strive to partner with small and medium-sized
businesses for cybersecurity risks and incidents, and seeks to
emphasize this in the legislation.
It directs the NCCIC to promptly notify the Secretary of
Homeland Security (the Secretary) and Congress of any
significant violations of information sharing policies and
procedures, and promptly notify non-Federal entities that have
shared information that is known or determined to be in error.
The Committee understands that certain entities have pre-
existing relationships with other Federal civilian portals
representing their specific critical infrastructure sectors,
and those entities will be able to maintain those relationships
for information sharing related to cybersecurity. As the lead
civilian interface for sharing cyber threat information with
the Government, the NCCIC is uniquely positioned as a sharing
hub to integrate information from multiple sources, and use the
information to Government Agencies and the private sector with
actionable information to recognize and stop attacks before
harm is done.
The Committee believes that the NCCIC should coordinate
with other Federal civilian portals to ensure that it receives
and shares relevant cyber threat indicators and defensive
measures.
This section directs the NCCIC to engage with international
partners on cybersecurity, and expands the composition of the
NCCIC to include an entity to collaborate with state and local
governments; the U.S. Computer Emergency Readiness Team to
coordinate information related to cybersecurity risks and
incidents and provide technical assistance; the Industrial
Control System Cyber Emergency Response Team to coordinate with
industrial control systems owners and operators; and the
National Coordinating Center for Communications to coordinate
the resilience and recovery of national security emergency
communications. The Committee recognizes that the entities
described above play a critical role in the Department's
ability to execute its cybersecurity mission, and seeks to
codify their functions and statutory roles within the NCCIC in
this section.
H.R. 1731 amends second section 226, the provisions of
which are described below:
(g) Rapid Automated Sharing.
This subsection requires the Under Secretary for
Cybersecurity and Infrastructure Protection, in coordination
with industry and other stakeholders, to develop an automated
capability for the timely sharing of cyber threat indicators
and defensive measures. It also directs the NCCIC to develop
the capability to share cyber threat indicators and defensive
measures with each Federal Agency designated as the `Sector
Specific Agency' (SSA) for each critical infrastructure sector
in as close to real time as practicable. It directs the Under
Secretary for Cybersecurity and Infrastructure Protection to
submit a biannual report to the appropriate congressional
committees on the progress of developing this capability. The
Committee believes that it is critical for the Department to
develop an automated system and supporting processes for the
NCCIC to disseminate cyber threat indicators and defensive
measures in a timely manner. The Committee recognizes that
timely sharing is compatible with reasonable efforts at
minimization, particularly if the information shared is cyber
threat indicator information.
(h) Sector Specific Agencies
This subsection directs the Secretary to recognize the SSA
for each critical infrastructure sector based on the
Department's National Infrastructure Protection Plan as of
March 25, 2015. It directs the Secretary, in coordination with
the heads of each SSA, to support the security and resilience
activities of the specific sectors, provide institutional
knowledge and expertise, and support timely sharing of
information. The Committee believes that SSAs play a central
role in cybersecurity information sharing within their
respective sector and wants to ensure that the NCCIC has the
procedures and capabilities in place to facilitate information
sharing with each SSA.
(i) Voluntary Information Sharing Procedures
Subsection (i) outlines the information sharing procedures
and permits the NCCIC to enter into voluntary information
sharing relationships with any consenting non-Federal entity
for the sharing of cyber threat indicators and defensive
measures for cybersecurity purposes. To prevent personal
information from inadvertently being shared, the non-Federal
entity sharing the information is required to remove all
personal information unrelated to the cybersecurity risk before
sharing with the NCCIC or other non-Federal entities. This
subsection outlines the information sharing agreements,
authorizations, civil liberty and information protections, and
anti-trust exemption of these relationships.
The Committee believes that sharing cybersecurity
information is a voluntary decision. In order to encourage the
sharing of cybersecurity information to secure the nation's
cyber networks and critical infrastructure against attacks, the
Committee believes that any non-Federal entity can voluntarily
enter into an information sharing relationship with the NCCIC.
This relationship is dependent on adherence to information
protection and privacy and civil liberties protections, in
return for receiving a legal ``safe harbor'' for appropriately
sharing technical data about cyber threat indicators and
defensive measures. The Committee believes technical data to
mean the specific composition, or the ``bits and bytes,'' that
make up cyber threat indicators and defensive measures.
(2) Agreements
Subsection (i)(2) allows the Center to utilize standard and
negotiated agreements as the types of agreements that non-
Federal entities may enter into with the NCCIC for the purposes
of this Act. However, it makes clear that agreements are not
limited to just these types, and pre-existing agreements
between the NCCIC and the non-Federal entity will be in
compliance with this section.
The Committee believes that there are various ways to
structure agreements, with the primary types being standard and
negotiated agreements. The Department should develop a standard
template that will inform entities on the expectations and
requirements of sharing cybersecurity information with the
NCCIC. It may turn out that, in some cases, standardized terms
of use agreements will suffice. However, for those entities
that have specific requirements, they should be able to
negotiate with the Department on specific terms, so long as
foundational privacy protections are maintained. Due to the
fact information sharing under this Act is a voluntary
activity, the Committee also recognizes that an entity may not
feel the need to have any agreement with the NCCIC, but may
still want to share cybersecurity information.
(3) Information Sharing Authorization
Subsection (i)(3) authorizes a non-Federal entity to share
cyber threat indicators or defensive measures obtained from its
own information system or, with written consent, from an
information system of another Federal or non-Federal entity,
with another non-Federal entity and the NCCIC for cybersecurity
purposes. It requires that recipients of this information
comply with lawful restrictions on sharing or use. It also
requires a recipient of information from another Federal or
non-Federal entity to comply with lawful restrictions placed on
the information by the sharing Federal or non-Federal entity.
This subsection also requires the Under Secretary for
Cybersecurity and Infrastructure Protection, in coordination
with industry and other stakeholders to develop and adhere to
policies and procedures for coordinating vulnerability
disclosures, to the extent practicable, with international
standards in the information technology industry.
The Committee believes that in order to facilitate robust
information sharing, non-Federal entities need the right to
place lawful restrictions on the use of the technical data they
are sharing, and that these restrictions must be respected by
the recipients of the information.
This subsection also requires a non-Federal entity to take
reasonable efforts to remove information that could be used to
identify specific persons reasonably believed at the time of
sharing to be unrelated to a cybersecurity threat, and
safeguard information that can be used to identify specific
persons from unintended disclosure and unauthorized access or
acquisition.
The Committee's intent in this section is to specifically
forbid non-Federal entities from sharing data that has not had
personal information unrelated to the cybersecurity risk
removed by the non-Federal entity prior to sharing.
Additionally, the NCCIC is required to review the same
cybersecurity threat indicator or defensive measure information
and destroy any personal information unrelated to the
cybersecurity risk prior to sharing with any other Federal or
non-Federal entity.
The purpose of this legislation is to secure the nation's
cyber networks and private citizen's sensitive digital
information. The Committee believes that in order to ensure
that privacy is protected when cyber security information is
shared, and to build trust in this effort, the public must feel
confident that companies and the government have robust
controls in place to remove any specific personal information
not related to the cyber attack, and safeguard it from
unintended disclosure and unauthorized use or acquisition.
(4) Network Awareness Authorization
Subsection (i)(4) authorizes a non-Federal entity, not
including a State, local, or Tribal government, to conduct
network awareness of its own information system, or the
information system of another non-Federal or Federal entity
with written consent, for cybersecurity purposes.
(5) Defensive Measure Authorization
Subsection (i)(5) authorizes a non-Federal entity, not
including a State, local, or Tribal government, to conduct
network awareness defensive measure that is applied only to its
own information system, or the information system of another
non-Federal or Federal entity with written consent, for
cybersecurity purposes.
The Committee does not intend the language of the Act to
authorize a private company to ``hack'' (knowingly access a
protected computer without authorization, or to intentionally
access a protected computer to cause damage) the computer of
another entity.
The intent is only to authorize the use of defensive
measures--not countermeasures. This authorization does not
allow a measure that destroys, renders unusable, or
substantially harms an information system not belonging to that
company without authorization.
(6) Privacy and Civil Liberties Protections
Subsection (i)(6) requires the Under Secretary in
coordination with the Chief Privacy Officer and the Officer for
Civil Rights and Civil Liberties at the Department to establish
and annually review policies and procedures for the Department
that govern the receipt, retention, use, and disclosure of
cyber threat indicators and information related to
cybersecurity risks and incidents.
This subsection requires that certain policies and
procedures to minimize any impact on privacy and civil
liberties should be established consistent with the need to
protect information systems from, and conduct mitigation of,
cybersecurity risks and incidents in a timely manner.
The subsection requires the Chief Privacy Officer to submit
a report to the appropriate congressional committees, no later
than 180 days after enactment of this Act, that describes the
policies and procedures governing the sharing of cyber threat
indicators and defensive measures. The subsection also requires
the Chief Privacy Officer to monitor the implementation of
these policies and procedures, and regularly review and update
privacy impact assessments to ensure all relevant
constitutional, legal, and privacy protections are being
followed. The subsection further requires the Chief Privacy
Officer to submit an annual report to Congress on the
effectiveness of these policies and procedures, ensuring
appropriate sanctions are in place for employees, agents, and
contractors of the Department who intentionally or willfully
conduct unauthorized activities under this section.
Additionally, the subsection requires the Undersecretary to
ensure that a public notice is made of the policies and
procedures governing the sharing of cyber threat indicators and
defensive measures.
This subsection requires the Department's Office of the
Inspector General (DHS OIG) to submit a report to Congress
within two years of enactment of this Act and periodically
thereafter that includes a review of the type of information
shared with NCCIC, the use of any information and actions taken
by NCCIC, and the impact, if any, of sharing of such
information on privacy and civil liberties.
This subsection requires that the Department's Chief
Privacy Officer and Officer for Civil Rights and Civil
Liberties also submit a report to Congress within two years of
enactment of this Act that assesses the impact on privacy and
civil liberties of the information sharing activities under
this section. The report shall include appropriate
recommendations to minimize or mitigate the impact of the
sharing of cyber threat indicators and defensive measures under
this section.
The Committee believes that this legislation strengthens
the NCCIC's position as the trusted partner for industry and
the public by setting forth robust privacy protections and
civil liberties standards. To ensure the appropriate protection
of individual privacy and civil liberties, the Department's
Privacy and Civil Rights and Civil Liberties Offices will
monitor the NCCIC as it carries out its functions. The
Committee believes that the required reports in this subsection
will assist the Department in defining the policies and
procedures for the sharing of cyber threat indicators and
defensive measures with the NCCIC, and provide Congress with
assessments on the impact to privacy and civil liberties of
this information sharing.
The Committee believes that privacy is further reinforced
by requiring non-Federal entities to remove personal
information unrelated to a cybersecurity risk or incident
before sharing with the NCCIC or other non-Federal entities,
and further requiring the NCCIC to destroy any personal
information that is unrelated to the cybersecurity risk or
incident before further sharing with other Federal entities or
non-Federal entities.
(7) Uses and Protection of Information
This subsection sets forth the roles and responsibilities
for non-Federal entities, Federal entities, and State, Tribal,
and local governments for using and protecting information
shared through the NCCIC or otherwise.
Non-Federal Entities
Subsection (i)(7) permits a non-Federal entity that shares
cybersecurity information with the NCCIC, or another non-
Federal entity, to use, retain, or disclose those cyber threat
indicators and defensive measures solely for cybersecurity
purposes. It requires non-Federal entities to remove
information that could be used to identify specific persons
reasonably believed at the time of sharing to be unrelated to a
cybersecurity threat and safeguard information that can be used
to identify specific persons prior to sharing the information.
Non-Federal entities must comply with appropriate restrictions
placed on the subsequent disclosure or retention of cyber
threat indicators or defensive measures by a Federal or non-
Federal entity. This subsection further stipulates that
information shared with the NCCIC will be deemed to have been
voluntarily shared. This subsection requires that a non-Federal
entity implements and utilizes a security control to protect
against unauthorized access to or acquisition of cyber threat
indicators or defensive measures, and it prohibits the use of
such cyber security information to gain an unfair or
competitive advantage over any non-Federal entity.
Federal Entities
This subsection permits Federal entities that receive cyber
threat indicators or defensive measures to use, retain, or
further disclose this information solely for cybersecurity
purposes. This subsection requires Federal entities to take
reasonable to efforts to remove information that could be used
to identify specific persons reasonably believed at the time of
sharing to be unrelated to a cybersecurity threat and safeguard
information that can be used to identify specific persons prior
to sharing the information. This subsection further stipulates
that information shared with the NCCIC will be deemed to have
been voluntarily shared. This subsection requires that a
Federal entity implements and utilizes a security control to
protect against unauthorized access to or acquisition of cyber
threat indicators or defensive measures.
The cybersecurity information is exempt from disclosure
under the Freedom of Information Act (FOIA), 5 U.S. Code 552,
or non-Federal disclosure laws and withheld, without
discretion, from the public under 5 U.S. Code 552(3)B). This
subsection allows a Federal or non-Federal entity to designate
information shared with the Center as commercial, financial,
and proprietary information. The information shared is
prohibited from being used for regulatory purposes, and may not
constitute a waiver of applicable privileges or protections
provided by law, including trade secret protections. The
information is also not subject to judicial doctrine or rules
of federal entities regarding ex parte communications.
The Committee believes that in order to encourage entities,
particularly businesses, to voluntarily share cybersecurity
information with the NCCIC, the information shared must be
exempt from disclosure laws including FOIA, and be prohibited
from being used for regulatory purposes. The Committee believes
that it is also within the right of the entity sharing the
information to put certain restrictions on how the information
maybe used or further shared, as articulated in the
legislation.
The Committee intends this to be a private sector-driven
program. The government itself will not conduct any network
monitoring. The NCCIC is simply a repository, a hub, for threat
information that is identified by private entities and
voluntarily shared with the government.
The sole purpose of the activities codified in this
legislation is to prevent cyber attacks--e.g. the stealing of
credit card numbers; the shutting down of infrastructure, like
a power grid; the shutting down of a network--not to collect
evidence to prosecute crimes.
State, Tribal, or Local Government
This subsection permits State, Tribal or local governments
that receive cyber threat indicators or defensive measures to
use, retain, or further disclose this information solely for
cybersecurity purposes. It requires prior to sharing that
reasonable efforts be made to remove information that could be
used to identify specific persons reasonably believed to be
unrelated to a cybersecurity threat and safeguard information
that can be used to identify specific persons prior to sharing
the information. This subsection allows a Federal or non-
Federal entity to designate information shared with the Center
as commercial, financial, and proprietary information. This
subsection further stipulates that information shared with the
NCCIC will be deemed to have been voluntarily shared. This
subsection requires that a State, Tribal or local government
implement and utilize security controls to protect against
unauthorized access to or acquisition of cyber threat
indicators or defensive measures. This subsection states that
cybersecurity information is exempt from disclosure under
State, Tribal or local disclosure laws, and may not be used to
regulate the lawful activity of a non-Federal entity.
The Committee believes it is important to re-emphasize that
prior to sharing entities remove information that can be used
to identity specific persons and is reasonably believed at the
time of sharing to be unrelated to a cybersecurity risk or
incident. Cybersecurity information that is shared with the
NCCIC would then be reviewed again prior to the NCCIC sharing
it with another entity, to ensure that personal information is
removed.
In this section, the Committee expressly states that cyber
threat indicators and defensive measures may not be used to
track individuals for purposes of surveillance. Again, the
purpose of this legislation is to help prevent and respond to
cyber attacks--not to surveil individuals, or collect evidence
to prosecute crimes.
(8) Liability Exemptions
Subsection (i)(8) provides that no cause of action shall
lie or be maintained in any court, and such action shall be
promptly dismissed, against any non-Federal entity that
conducts network awareness or shares cyber threat indicators or
defensive measures, for cybersecurity purposes, in accordance
with paragraphs (4) and (3), respectively, and the other
provisions in section 3 of the bill. This subsection also
provides liability protection for a non-Federal entity that
fails to act upon shared cyber threat indicators or defensive
measures.
However, non-Federal entities do not receive liability
protection for egregious actions that rise to the level of
willful misconduct. Willful misconduct is defined in the
subsection as an act or omission that is taken intentionally to
achieve a wrongful purpose, knowingly without legal or factual
justification, and in disregard of a known or obvious risk that
is so great as to make it highly probable that the harm will
outweigh the benefit. If a plaintiff files suit claiming
willful misconduct by a non-Federal entity, the plaintiff must
prove willful misconduct by clear and convincing evidence and
establish that the non-Federal entity's willful misconduct
proximately caused the plaintiff's injury.
As used in this paragraph, the term ``non-Federal entity''
does not include a State, local, or tribal government.
This language was developed in coordination with the House
Judiciary Committee, which provided standard language for
liability exemptions for all House-generated cybersecurity
related information sharing bills.
(9) Federal Government Liability for Violations of
Restrictions on the Use and Protection of
Voluntarily Shared Information
Subsection (i)(9) provides a clear path for injured persons
to sue a Federal government department or agency for an
intentional or willful violation of the uses and protections of
voluntarily shared cyber threat indicators, defensive measures,
or cybersecurity information as laid out in subsections (i)(3),
(i)6), and (i)(7)(B), and any other applicable provisions of
section 3. This subsection further provides for statutory
damages for such a violation, venue selection for an action
under this provision, and the statute of limitations for
bringing such an action.
(10) Anti-Trust Exemption
This subsection exempts non-Federal entities from
violations of U.S. antitrust law for sharing cybersecurity
information, or providing assistance for cybersecurity
purposes, provided that the action is taken to assist with
preventing, investigating, or mitigating a cybersecurity risk
or incident. This subsection makes it clear that the exemption
cannot be utilized for monopolistic activities such as price-
fixing, or sharing of price or cost information, customer
lists, or information regarding future planning.
(11) Construction and Preemption
Subsection (i)(11) contains a number of construction and
preemption provisions that address the scope of the Act.
Specifically, the provisions address otherwise lawful
disclosures and preserve whistleblower protections. Nothing in
the Act should be construed to affect any requirements under
other provisions of law for non-Federal entities providing
information to Federal entities. The provisions preserve
existing contractual obligations and rights. They also prohibit
the Federal government from requiring non-Federal entities to
provide it with cybersecurity related information as a
condition for the award of a grant, contract or purchase
agreement. This subsection reiterates that any sharing of
cybersecurity information under this legislation is purely
voluntary, and that non-Federal entities are not subject to
liability for choosing not to engage in such voluntary
information sharing activities. This subsection also does not
authorize or modify any existing Federal authority to retain
and use cybersecurity information shared under the bill for
purposes other than those permitted in this Act. This
legislation also supersedes any provision of state or local law
that may restrict or otherwise expressly regulate an activity
authorized under this Act.
Section 4. Information Sharing and Analysis Organizations.
This section amends Section 212 of the Homeland Security
Act to broaden the functions of Information Sharing and
Analysis Organizations (ISAOs) to include cybersecurity risk
and incident information beyond that pertaining to critical
infrastructure. This section also adds references to the
definitions of `cybersecurity risk' and `incident' as they
relate to the NCCIC in the second section 226 of the Homeland
Security Act.
The Committee believes that ISAOs have an important role to
play in facilitating information sharing going forward and has
clarified their functions as defined in the Homeland Security
Act. The Committee, on a bipartisan basis, views ISAOs,
including ISACs as tools to expand voluntary information
sharing.
Section 5. Streamlining of Department of Homeland Security
Cybersecurity and Infrastructure Protection Organization.
This section renames The National Protection and Programs
Directorate of the Department of Homeland Security, the
``Cybersecurity and Infrastructure Protection Directorate''. It
requires the Secretary to submit a report to Congress on the
feasibility of making the Cybersecurity and Communications
Office an operational component of the Department. The
Committee is pleased that this legislation elevates the role of
the NCCIC to a direct report to the Assistant Secretary of
Cybersecurity and Communications within the Department. The
Committee believes this re-organization aligns with its goals
to reduce the bureaucracy that has stifled the NCCIC's growth
to date.
Nothing in this section should be construed to alter the
mission or reporting structure of the Office of Emergency
Communications. Pursuant to 6 U.S.C. 571, the Director of the
Office of Emergency Communications reports to the Assistant
Secretary for Cybersecurity and Communications. The Department
shall submit any proposed changes to this reporting structure
to the Committee for review and approval.
Section 6. Cyber Incident Response Plans.
This section requires the Secretary, in coordination with
the heads of other Federal departments and agencies to update,
maintain, and exercise the Cyber Incident Annex to the National
Response Framework of the Department.
Section 7. Security and Resiliency of Public Safety Communications;
Cybersecurity Awareness Campaign.
This section requires the NCCIC, in coordination with the
Office of Emergency Communications, to assess the effects of
cyber incidents on public safety communications.
This section also requires the Under Secretary for
Cybersecurity and Infrastructure Protection to develop and
implement a cybersecurity awareness campaign regarding
cybersecurity risks and voluntary best practices for mitigating
and responding to cybersecurity risks.
The Committee has observed the perceived inadequacy of the
Department's current cybersecurity awareness campaign, STOP.
THINK. CONNECT.TM While the Department and a
coalition of private companies, non-profits and government
organizations developed and coordinated this message, purported
to help all digital citizens stay safer and more secure online,
the Committee feels there needs to be a renewed effort to use
and target more widely used media and public knowledge bases.
The Committee believes that the Department should put out
effective Public Service announcements, widely advertised web
sites, apps, written collateral, social media, and other
creative sources to help folks understand that many simple
measures will improve their cyber security protection posture.
The Committee believes that the Department should be offering
specific information, not just slogans, and advising where to
get information along with technology-neutral best practices,
and working with a wide range of stakeholders to get it done.
Such measures include simple steps like: improving password
management; enabling firewall protection; installing anti-virus
and anti-spam protection; installing software updates; and
refrain from opening links and attachments from unknown and
untrusted senders.
Section 8. Critical Infrastructure Protection Research and
Development.
This section requires the Secretary, acting through the
Under Secretary for Science and Technology, to submit a
strategic plan to Congress within 180 days for guiding the
direction of Federal physical security and cybersecurity
technology research and development efforts for protecting
critical infrastructure against all threats.
Section 9. Report on Reducing Cybersecurity Risks in DHS Data
Centers.
This section requires the Secretary to submit a report to
Congress on the feasibility of the Department creating an
environment for the reduction of cybersecurity risks at the
Department's data centers.
Section 10. Assessment.
This section requires the Comptroller General of the United
States to submit a report to Congress assessing the
implementation of this Act no later than two years after the
date of enactment of this Act.
Section 11. Consultation.
This section requires the Under Secretary for Cybersecurity
and Infrastructure Protection to produce a report on the
feasibility of creating a risk-informed plan should multiple
critical infrastructure sectors experience cyber incidents
simultaneously.
Section 12. Technical Assistance.
This section requires the Inspector General of the
Department to review the operations of the United States
Computer Emergency Readiness Team (US-CERT) and the Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) to
assess their capacity to provide technical assistance to non-
Federal entities.
Section 13. Prohibition on New Regulatory Authority.
This section clarifies that nothing in this Act shall be
construed to grant the Secretary any authority to promulgate
regulations or set standards relating to the cybersecurity of
non-Federal entities, not including State, local, or Tribal
governments.
Section 14. Sunset.
This section requires that any reporting requirements
required by this Act terminate seven years after the date of
enactment of this Act.
Section 15. Prohibition on New Funding.
This section states that no new funds are authorized to be
appropriated to carry out this Act.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Homeland
Security Act of 2002''.
(b) Table of Contents.--The table of contents for this Act is
as follows:
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle C--Information Security
* * * * * * *
[Sec. 227. Cyber incident response plan.]
Sec. 227. Cyber incident response plans.
* * * * * * *
Sec. 230. Security and resiliency of public safety communications.
Sec. 231. Cybersecurity awareness campaign.
* * * * * * *
TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY
* * * * * * *
Sec. 318. Research and development strategy for critical infrastructure
protection.
* * * * * * *
TITLE I--DEPARTMENT OF HOMELAND SECURITY
* * * * * * *
SEC. 103. OTHER OFFICERS.
(a) Deputy Secretary; Under Secretaries.--(1) In general.--
Except as provided under paragraph (2), there are the following
officers, appointed by the President, by and with the advice
and consent of the Senate:
(A) A Deputy Secretary of Homeland Security, who
shall be the Secretary's first assistant for purposes
of subchapter III of chapter 33 of title 5, United
States Code.
(B) An Under Secretary for Science and Technology.
(C) An Under Secretary for Border and Transportation
Security.
(D) An Administrator of the Federal Emergency
Management Agency.
(E) A Director of the Bureau of Citizenship and
Immigration Services.
(F) An Under Secretary for Management.
(G) A Director of the Office of Counternarcotics
Enforcement.
[(H) An Under Secretary responsible for overseeing
critical infrastructure protection, cybersecurity, and
other related programs of the Department.]
(H) An Under Secretary for Cybersecurity and
Infrastructure Protection.
(I) Not more than 12 Assistant Secretaries.
(J) A General Counsel, who shall be the chief legal
officer of the Department.
(K) A Deputy Under Secretary for
Cybersecurity.
(L) A Deputy Under Secretary for
Infrastructure Protection.
(2) Assistant secretaries.--If any of the Assistant
Secretaries referred to under paragraph (1)(I) is
designated to be the Assistant Secretary for Health
Affairs, the Assistant Secretary for Legislative
Affairs, or the Assistant Secretary for Public Affairs,
that Assistant Secretary shall be appointed by the
President without the advice and consent of the Senate.
(3) Deputy under secretaries.--The Deputy Under
Secretaries referred to in subparagraphs (K) and (L) of
paragraph (1) shall be appointed by the President
without the advice and consent of the Senate.
(b) Inspector General.--There shall be in the Department an
Office of Inspector General and an Inspector General at the
head of such office, as provided in the Inspector General Act
of 1978 (5 U.S.C. App.).
(c) Commandant of the Coast Guard.--To assist the Secretary
in the performance of the Secretary's functions, there is a
Commandant of the Coast Guard, who shall be appointed as
provided in section 44 of title 14, United States Code, and who
shall report directly to the Secretary. In addition to such
duties as may be provided in this Act and as assigned to the
Commandant by the Secretary, the duties of the Commandant shall
include those required by section 2 of title 14, United States
Code.
(d) Other Officers.--To assist the Secretary in the
performance of the Secretary's functions, there are the
following officers, appointed by the President:
(1) A Director of the Secret Service.
(2) A Chief Information Officer.
(3) An Officer for Civil Rights and Civil Liberties.
(4) A Director for Domestic Nuclear Detection.
(f) Performance of Specific Functions.--Subject to the
provisions of this Act, every officer of the Department shall
perform the functions specified by law for the official's
office or prescribed by the Secretary.
(e) Chief Financial Officer.--There shall be in the
Department a Chief Financial Officer, as provided in chapter 9
of title 31, United States Code.
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle B--Critical Infrastructure Information
* * * * * * *
SEC. 212. DEFINITIONS.
In this subtitle:
(1) Agency.--The term ``agency'' has the meaning
given it in section 551 of title 5, United States Code.
(2) Covered federal agency.--The term ``covered
Federal agency'' means the Department of Homeland
Security.
(3) Critical infrastructure information.--The term
``critical infrastructure information'' means
information not customarily in the public domain and
related to the security of critical infrastructure or
protected systems--
(A) actual, potential, or threatened
interference with, attack on, compromise of, or
incapacitation of critical infrastructure or
protected systems by either physical or
computer-based attack or other similar conduct
(including the misuse of or unauthorized access
to all types of communications and data
transmission systems) that violates Federal,
State, or local law, harms interstate commerce
of the United States, or threatens public
health or safety;
(B) the ability of any critical
infrastructure or protected system to resist
such interference, compromise, or
incapacitation, including any planned or past
assessment, projection, or estimate of the
vulnerability of critical infrastructure or a
protected system, including security testing,
risk evaluation thereto, risk management
planning, or risk audit; or
(C) any planned or past operational problem
or solution regarding critical infrastructure
or protected systems, including repair,
recovery, reconstruction, insurance, or
continuity, to the extent it is related to such
interference, compromise, or incapacitation.
(4) Critical infrastructure protection program.--The
term ``critical infrastructure protection program''
means any component or bureau of a covered Federal
agency that has been designated by the President or any
agency head to receive critical infrastructure
information.
(5) Information sharing and analysis organization.--
The term ``Information Sharing and Analysis
Organization'' means any formal or informal entity or
collaboration created or employed by public or private
sector organizations, for purposes of--
(A) gathering and analyzing critical
infrastructure information information related
to cybersecurity risks and incidents and in
order to better understand security problems
and interdependencies [related to critical
infrastructure] related to cybersecurity risks,
incidents, critical infrastructure, and and
protected systems, so as to ensure the
availability, integrity, and reliability
thereof;
(B) communicating or [disclosing critical
infrastructure information] disclosing
cybersecurity risks, incidents, and critical
infrastructure information to help prevent,
detect, mitigate, or recover from the effects
of a interference, compromise, or a
incapacitation problem [related to critical
infrastructure or] related to cybersecurity
risks, incidents, critical infrastructure, or
protected systems; and
(C) voluntarily [disseminating critical
infrastructure information] disseminating
cybersecurity risks, incidents, and critical
infrastructure information to its members,
State, local, and Federal Governments, or any
other entities that may be of assistance in
carrying out the purposes specified in
subparagraphs (A) and (B).
(6) Protected system.--The term ``protected
system''--
(A) means any service, physical or computer-
based system, process, or procedure that
directly or indirectly affects the viability of
a facility of critical infrastructure; and
(B) includes any physical or computer-based
system, including a computer, computer system,
computer or communications network, or any
component hardware or element thereof, software
program, processing instructions, or
information or data in transmission or storage
therein, irrespective of the medium of
transmission or storage.
(7) Voluntary.--
(A) In general.--The term ``voluntary'', in
the case of any submittal of critical
infrastructure information to a covered Federal
agency, means the submittal thereof in the
absence of such agency's exercise of legal
authority to compel access to or submission of
such information and may be accomplished by a
single entity or an Information Sharing and
Analysis Organization on behalf of itself or
its members.
(B) Exclusions.--The term ``voluntary''--
(i) in the case of any action brought
under the securities laws as is defined
in section 3(a)(47) of the Securities
Exchange Act of 1934 (15 U.S.C.
78c(a)(47))--
(I) does not include
information or statements
contained in any documents or
materials filed with the
Securities and Exchange
Commission, or with Federal
banking regulators, pursuant to
section 12(i) of the Securities
Exchange Act of 1934 (15 U.S.C.
781(I)); and
(II) with respect to the
submittal of critical
infrastructure information,
does not include any disclosure
or writing that when made
accompanied the solicitation of
an offer or a sale of
securities; and
(ii) does not include information or
statements submitted or relied upon as
a basis for making licensing or
permitting determinations, or during
regulatory proceedings.
(8) Cybersecurity risk; incident.--The terms
``cybersecurity risk'' and ``incident'' have the
meanings given such terms in the second section 226
(relating to the National Cybersecurity and
Communications Integration Center).
* * * * * * *
Subtitle C--Information Security
* * * * * * *
SEC. 226. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
(a) Definitions.--In this section--
(1) the term ``cybersecurity risk'' means threats to
and vulnerabilities of information or information
systems and any related consequences caused by or
resulting from unauthorized access, use, disclosure,
degradation, disruption, modification, or destruction
of information or information systems, including such
related consequences caused by an act of terrorism;
(2) the term ``incident'' means an occurrence that--
(A) actually or imminently jeopardizes,
without lawful authority, the integrity,
confidentiality, or availability of information
on an information system; or
(B) constitutes a violation or imminent
threat of violation of law, security policies,
security procedures, or acceptable use
policies;
(3) the term ``information sharing and analysis
organization'' has the meaning given that term in
section 212(5); [and]
(4) the term ``information system'' has the meaning
given that term in section 3502(8) of title 44, United
States Code[.]; and
(5) the term ``cyber threat indicator'' means
technical information that is necessary to describe or
identify--
(A) a method for probing, monitoring,
maintaining, or establishing network awareness
of an information system for the purpose of
discerning technical vulnerabilities of such
information system, if such method is known or
reasonably suspected of being associated with a
known or suspected cybersecurity risk,
including communications that reasonably appear
to be transmitted for the purpose of gathering
technical information related to a
cybersecurity risk;
(B) a method for defeating a technical or
security control of an information system;
(C) a technical vulnerability, including
anomalous technical behavior that may become a
vulnerability;
(D) a method of causing a user with
legitimate access to an information system or
information that is stored on, processed by, or
transiting an information system to
inadvertently enable the defeat of a technical
or operational control;
(E) a method for unauthorized remote
identification of, access to, or use of an
information system or information that is
stored on, processed by, or transiting an
information system that is known or reasonably
suspected of being associated with a known or
suspected cybersecurity risk;
(F) the actual or potential harm caused by a
cybersecurity risk, including a description of
the information exfiltrated as a result of a
particular cybersecurity risk;
(G) any other attribute of a cybersecurity
risk that cannot be used to identify specific
persons reasonably believed to be unrelated to
such cybersecurity risk, if disclosure of such
attribute is not otherwise prohibited by law;
or
(H) any combination of subparagraphs (A)
through (G);
(6) the term ``cybersecurity purpose'' means the
purpose of protecting an information system or
information that is stored on, processed by, or
transiting an information system from a cybersecurity
risk or incident;
(7)(A) except as provided in subparagraph (B), the
term ``defensive measure'' means an action, device,
procedure, signature, technique, or other measure
applied to an information system or information that is
stored on, processed by, or transiting an information
system that detects, prevents, or mitigates a known or
suspected cybersecurity risk or incident, or any
attribute of hardware, software, process, or procedure
that could enable or facilitate the defeat of a
security control;
(B) such term does not include a measure that
destroys, renders unusable, or substantially harms an
information system or data on an information system not
belonging to--
(i) the non-Federal entity, not including a
State, local, or tribal government, operating
such measure; or
(ii) another Federal entity or non-Federal
entity that is authorized to provide consent
and has provided such consent to the non-
Federal entity referred to in clause (i);
(8) the term ``network awareness'' means to scan,
identify, acquire, monitor, log, or analyze information
that is stored on, processed by, or transiting an
information system;
(9)(A) the term ``private entity'' means a non-
Federal entity that is an individual or private group,
organization, proprietorship, partnership, trust,
cooperative, corporation, or other commercial or non-
profit entity, including an officer, employee, or agent
thereof;
(B) such term includes a component of a State, local,
or tribal government performing electric utility
services;
(10) the term ``security control'' means the
management, operational, and technical controls used to
protect against an unauthorized effort to adversely
affect the confidentially, integrity, or availability
of an information system or information that is stored
on, processed by, or transiting an information system;
and
(11) the term ``sharing'' means providing, receiving,
and disseminating.
(b) Center.--There is in the Department a national
cybersecurity and communications integration center (referred
to in this section as the ``Center'') to carry out certain
responsibilities of the Under Secretary appointed under section
103(a)(1)(H).
(c) Functions.--The cybersecurity functions of the Center
shall include--
(1) being [a Federal civilian interface] the lead
Federal civilian interface for the multi-directional
and cross-sector sharing of information related to
[cybersecurity risks,] cyber threat indicators,
defensive measures, cybersecurity risks, incidents,
analysis, and warnings for Federal and non-Federal
entities;
(2) providing shared situational awareness to enable
real-time, integrated, and operational actions across
the Federal Government and non-Federal entities to
address cybersecurity risks and incidents to Federal
and non-Federal entities;
(3) coordinating the sharing of information related
to [cybersecurity risks] cyber threat indicators,
defensive measures, cybersecurity risks, and incidents
across the Federal Government;
(4) facilitating cross-sector coordination to address
cybersecurity risks and incidents, including
cybersecurity risks and incidents that may be related
or could have consequential impacts across multiple
sectors;
(5)(A) conducting integration and analysis, including
cross-sector integration and analysis, of
[cybersecurity risks] cyber threat indicators,
defensive measures, cybersecurity risks, and incidents;
and
(B) sharing the analysis conducted under subparagraph
(A) with Federal and non-Federal entities;
(6) upon request, providing timely technical
assistance, risk management support, and incident
response capabilities to Federal and non-Federal
entities with respect to [cybersecurity risks] cyber
threat indicators, defensive measures, cybersecurity
risks, and incidents, which may include attribution,
mitigation, and remediation; [and]
(7) providing information and recommendations on
security and resilience measures to Federal and non-
Federal entities, including information and
recommendations to--
(A) facilitate information security; [and]
(B) strengthen information systems against
cybersecurity risks and incidents[.]; and
(C) sharing cyber threat indicators and
defensive measures;
(8) engaging with international partners, in
consultation with other appropriate agencies, to--
(A) collaborate on cyber threat indicators,
defensive measures, and information related to
cybersecurity risks and incidents; and
(B) enhance the security and resilience of
global cybersecurity;
(9) sharing cyber threat indicators, defensive
measures, and other information related to
cybersecurity risks and incidents with Federal and non-
Federal entities, including across sectors of critical
infrastructure and with State and major urban area
fusion centers, as appropriate;
(10) promptly notifying the Secretary and the
Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security
and Governmental Affairs of the Senate of any
significant violations of the policies and procedures
specified in subsection (i)(6)(A);
(11) promptly notifying non-Federal entities that
have shared cyber threat indicators or defensive
measures that are known or determined to be in error or
in contravention of the requirements of this section;
and
(12) participating, as appropriate, in exercises run
by the Department's National Exercise Program.
(d) Composition.--
(1) In general.--The Center shall be composed of--
(A) appropriate representatives of Federal
entities, such as--
(i) sector-specific agencies;
(ii) civilian and law enforcement
agencies; and
(iii) elements of the intelligence
community, as that term is defined
under section 3(4) of the National
Security Act of 1947 (50 U.S.C.
3003(4));
(B) appropriate representatives of non-
Federal entities, such as--
(i) State [and local], local, and
tribal governments;
(ii) information sharing and analysis
organizations, including information
sharing and analysis centers; [and]
(iii) owners and operators of
critical information systems;
(iv) private entities.
(C) components within the Center that carry
out cybersecurity and communications
activities;
(D) a designated Federal official for
operational coordination with and across each
sector; [and]
(E) an entity that collaborates with State
and local governments on cybersecurity risks
and incidents, and has entered into a voluntary
information sharing relationship with the
Center;
(F) a United States Computer Emergency
Readiness Team that coordinates information
related to cybersecurity risks and incidents,
proactively and collaboratively addresses
cybersecurity risks and incidents to the United
States, collaboratively responds to
cybersecurity risks and incidents, provides
technical assistance, upon request, to
information system owners and operators, and
shares cyber threat indicators, defensive
measures, analysis, or information related to
cybersecurity risks and incidents in a timely
manner;
(G) the Industrial Control System Cyber
Emergency Response Team that--
(i) coordinates with industrial
control systems owners and operators;
(ii) provides training, upon request,
to Federal entities and non-Federal
entities on industrial control systems
cybersecurity;
(iii) collaboratively addresses
cybersecurity risks and incidents to
industrial control systems;
(iv) provides technical assistance,
upon request, to Federal entities and
non-Federal entities relating to
industrial control systems
cybersecurity; and
(v) shares cyber threat indicators,
defensive measures, or information
related to cybersecurity risks and
incidents of industrial control systems
in a timely fashion;
(H) a National Coordinating Center for
Communications that coordinates the protection,
response, and recovery of emergency
communications;
(I) an entity that coordinates with small and
medium-sized businesses; and
[(E)] (J) other appropriate representatives
or entities, as determined by the Secretary.
(2) Incidents.--In the event of an incident, during
exigent circumstances the Secretary may grant a Federal
or non-Federal entity immediate temporary access to the
Center.
(e) Principles.--In carrying out the functions under
subsection (c), the Center shall ensure--
(1) to the extent practicable, that--
(A) timely, actionable, and relevant cyber
threat indicators, defensive measures, and
information related to cybersecurity risks,
incidents, and analysis is shared;
(B) when appropriate, cyber threat
indicators, defensive measures, and information
related to cybersecurity risks, incidents, and
analysis is integrated with other relevant
information and tailored to the specific
characteristics of a sector;
(C) activities are prioritized and conducted
based on the level of risk;
(D) industry sector-specific, academic, and
national laboratory expertise is sought and
receives appropriate consideration;
(E) continuous, collaborative, and inclusive
coordination occurs--
(i) across sectors; and
(ii) with--
(I) sector coordinating
councils;
(II) information sharing and
analysis organizations; and
(III) other appropriate non-
Federal partners;
(F) as appropriate, the Center works to
develop and use mechanisms for sharing
information related to [cybersecurity risks]
cyber threat indicators, defensive measures,
cybersecurity risks, and incidents that are
technology-neutral, interoperable, real-time,
cost-effective, and resilient; [and]
(G) the Center works with other agencies to
reduce unnecessarily duplicative sharing of
information related to [cybersecurity risks]
cyber threat indicators, defensive measures,
cybersecurity risks, and incidents;
(H) the Center ensures that it shares
information relating to cybersecurity risks and
incidents with small and medium-sized
businesses, as appropriate; and
(I) the Center designates an agency contact
for non-Federal entities;
(2) that information related to [cybersecurity risks]
cyber threat indicators, defensive measures,
cybersecurity risks, and incidents is appropriately
safeguarded against unauthorized access or disclosure;
and
(3) that activities conducted by the Center comply
with all policies, regulations, and laws that protect
the privacy and civil liberties of United States
persons, including by working with the Chief Privacy
Officer appointed under section 222 to ensure that the
Center follows the policies and procedures specified in
subsection (i)(6)(A).
(f) No Right or Benefit.--
(1) In general.--The provision of assistance or
information to, and inclusion in the Center of,
governmental or private entities under this section
shall be at the sole and unreviewable discretion of the
Under Secretary appointed under section 103(a)(1)(H).
(2) Certain assistance or information.--The provision
of certain assistance or information to, or inclusion
in the Center of, one governmental or private entity
pursuant to this section shall not create a right or
benefit, substantive or procedural, to similar
assistance or information for any other governmental or
private entity.
(g) Rapid Automated Sharing.--
(1) In general.--The Under Secretary for
Cybersecurity and Infrastructure Protection, in
coordination with industry and other stakeholders,
shall develop capabilities making use of existing
information technology industry standards and best
practices, as appropriate, that support and rapidly
advance the development, adoption, and implementation
of automated mechanisms for the timely sharing of cyber
threat indicators and defensive measures to and from
the Center and with each Federal agency designated as
the ``Sector Specific Agency'' for each critical
infrastructure sector in accordance with subsection
(h).
(2) Biannual report.--The Under Secretary for
Cybersecurity and Infrastructure Protection shall
submit to the Committee on Homeland Security of the
House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a
biannual report on the status and progress of the
development of the capability described in paragraph
(1). Such reports shall be required until such
capability is fully implemented.
(h) Sector Specific Agencies.--The Secretary, in
collaboration with the relevant critical infrastructure sector
and the heads of other appropriate Federal agencies, shall
recognize the Federal agency designated as of March 25, 2015,
as the ``Sector Specific Agency'' for each critical
infrastructure sector designated in the Department's National
Infrastructure Protection Plan. If the designated Sector
Specific Agency for a particular critical infrastructure sector
is the Department, for purposes of this section, the Secretary
is deemed to be the head of such Sector Specific Agency and
shall carry out this section. The Secretary, in coordination
with the heads of each such Sector Specific Agency, shall--
(1) support the security and resilience actives of
the relevant critical infrastructure sector in
accordance with this section;
(2) provide institutional knowledge, specialized
expertise, and technical assistance upon request to the
relevant critical infrastructure sector; and
(3) support the timely sharing of cyber threat
indicators and defensive measures with the relevant
critical infrastructure sector with the Center in
accordance with this section.
(i) Voluntary Information Sharing Procedures.--
(1) Procedures.--
(A) In general.--The Center may enter into a
voluntary information sharing relationship with
any consenting non-Federal entity for the
sharing of cyber threat indicators and
defensive measures for cybersecurity purposes
in accordance with this section. Nothing in
this section may be construed to require any
non-Federal entity to enter into any such
information sharing relationship with the
Center or any other entity. The Center may
terminate a voluntary information sharing
relationship under this subsection if the
Center determines that the non-Federal entity
with which the Center has entered into such a
relationship has, after repeated notice,
repeatedly violated the terms of this
subsection.
(B) National security.--The Secretary may
decline to enter into a voluntary information
sharing relationship under this subsection if
the Secretary determines that such is
appropriate for national security.
(2) Voluntary information sharing relationships.--A
voluntary information sharing relationship under this
subsection may be characterized as an agreement
described in this paragraph.
(A) Standard agreement.--For the use of a
non-Federal entity, the Center shall make
available a standard agreement, consistent with
this section, on the Department's website.
(B) Negotiated agreement.--At the request of
a non-Federal entity, and if determined
appropriate by the Center, the Department shall
negotiate a non-standard agreement, consistent
with this section.
(C) Existing agreements.--An agreement
between the Center and a non-Federal entity
that is entered into before the date of the
enactment of this section, or such an agreement
that is in effect before such date, shall be
deemed in compliance with the requirements of
this subsection, notwithstanding any other
provision or requirement of this subsection. An
agreement under this subsection shall include
the relevant privacy protections as in effect
under the Cooperative Research and Development
Agreement for Cybersecurity Information Sharing
and Collaboration, as of December 31, 2014.
Nothing in this subsection may be construed to
require a non-Federal entity to enter into
either a standard or negotiated agreement to be
in compliance with this subsection.
(3) Information sharing authorization.--
(A) In general.--Except as provided in
subparagraph (B), and notwithstanding any other
provision of law, a non-Federal entity may, for
cybersecurity purposes, share cyber threat
indicators or defensive measures obtained on
its own information system, or on an
information system of another Federal entity or
non-Federal entity, upon written consent of
such other Federal entity or non-Federal entity
or an authorized representative of such other
Federal entity or non-Federal entity in
accordance with this section with--
(i) another non-Federal entity; or
(ii) the Center, as provided in this
section.
(B) Lawful restriction.--A non-Federal entity
receiving a cyber threat indicator or defensive
measure from another Federal entity or non-
Federal entity shall comply with otherwise
lawful restrictions placed on the sharing or
use of such cyber threat indicator or defensive
measure by the sharing Federal entity or non-
Federal entity.
(C) Removal of information unrelated to
cybersecurity risks or incidents.--Federal
entities and non-Federal entities shall, prior
to such sharing, take reasonable efforts to
remove information that can be used to identify
specific persons and is reasonably believed at
the time of sharing to be unrelated to a
cybersecurity risks or incident and to
safeguard information that can be used to
identify specific persons from unintended
disclosure or unauthorized access or
acquisition.
(D) Rule of construction.--Nothing in this
paragraph may be construed to--
(i) limit or modify an existing
information sharing relationship;
(ii) prohibit a new information
sharing relationship;
(iii) require a new information
sharing relationship between any non-
Federal entity and a Federal entity;
(iv) limit otherwise lawful activity;
or
(v) in any manner impact or modify
procedures in existence as of the date
of the enactment of this section for
reporting known or suspected criminal
activity to appropriate law enforcement
authorities or for participating
voluntarily or under legal requirement
in an investigation.
(E) Coordinated vulnerability disclosure.--
The Under Secretary for Cybersecurity and
Infrastructure Protection, in coordination with
industry and other stakeholders, shall develop,
publish, and adhere to policies and procedures
for coordinating vulnerability disclosures, to
the extent practicable, consistent with
international standards in the information
technology industry.
(4) Network awareness authorization.--
(A) In general.--Notwithstanding any other
provision of law, a non-Federal entity, not
including a State, local, or tribal government,
may, for cybersecurity purposes, conduct
network awareness of--
(i) an information system of such
non-Federal entity to protect the
rights or property of such non-Federal
entity;
(ii) an information system of another
non-Federal entity, upon written
consent of such other non-Federal
entity for conducting such network
awareness to protect the rights or
property of such other non-Federal
entity;
(iii) an information system of a
Federal entity, upon written consent of
an authorized representative of such
Federal entity for conducting such
network awareness to protect the rights
or property of such Federal entity; or
(iv) information that is stored on,
processed by, or transiting an
information system described in this
subparagraph.
(B) Rule of construction.--Nothing in this
paragraph may be construed to--
(i) authorize conducting network
awareness of an information system, or
the use of any information obtained
through such conducting of network
awareness, other than as provided in
this section; or
(ii) limit otherwise lawful activity.
(5) Defensive measure authorization.--
(A) In general.--Except as provided in
subparagraph (B) and notwithstanding any other
provision of law, a non-Federal entity, not
including a State, local, or tribal government,
may, for cybersecurity purposes, operate a
defensive measure that is applied to--
(i) an information system of such
non-Federal entity to protect the
rights or property of such non-Federal
entity;
(ii) an information system of another
non-Federal entity upon written consent
of such other non-Federal entity for
operation of such defensive measure to
protect the rights or property of such
other non-Federal entity;
(iii) an information system of a
Federal entity upon written consent of
an authorized representative of such
Federal entity for operation of such
defensive measure to protect the rights
or property of such Federal entity; or
(iv) information that is stored on,
processed by, or transiting an
information system described in this
subparagraph.
(B) Rule of construction.--Nothing in this
paragraph may be construed to--
(i) authorize the use of a defensive
measure other than as provided in this
section; or
(ii) limit otherwise lawful activity.
(6) Privacy and civil liberties protections.--
(A) Policies and procedures.--
(i) In general.--The Under Secretary
for Cybersecurity and Infrastructure
Protection shall, in coordination with
the Chief Privacy Officer and the Chief
Civil Rights and Civil Liberties
Officer of the Department, establish
and annually review policies and
procedures governing the receipt,
retention, use, and disclosure of cyber
threat indicators, defensive measures,
and information related to
cybersecurity risks and incidents
shared with the Center in accordance
with this section. Such policies and
procedures shall apply only to the
Department, consistent with the need to
protect information systems from
cybersecurity risks and incidents and
mitigate cybersecurity risks and
incidents in a timely manner, and
shall--
(I) be consistent with the
Department's Fair Information
Practice Principles developed
pursuant to section 552a of
title 5, United States Code
(commonly referred to as the
``Privacy Act of 1974'' or the
``Privacy Act''), and subject
to the Secretary's authority
under subsection (a)(2) of
section 222 of this Act;
(II) reasonably limit, to the
greatest extent practicable,
the receipt, retention, use,
and disclosure of cyber threat
indicators and defensive
measures associated with
specific persons that is not
necessary, for cybersecurity
purposes, to protect a network
or information system from
cybersecurity risks or mitigate
cybersecurity risks and
incidents in a timely manner;
(III) minimize any impact on
privacy and civil liberties;
(IV) provide data integrity
through the prompt removal and
destruction of obsolete or
erroneous names and personal
information that is unrelated
to the cybersecurity risk or
incident information shared and
retained by the Center in
accordance with this section;
(V) include requirements to
safeguard cyber threat
indicators and defensive
measures retained by the
Center, including information
that is proprietary or
business-sensitive that may be
used to identify specific
persons from unauthorized
access or acquisition;
(VI) protect the
confidentiality of cyber threat
indicators and defensive
measures associated with
specific persons to the
greatest extent practicable;
and
(VII) ensure all relevant
constitutional, legal, and
privacy protections are
observed.
(ii) Submission to congress.--Not
later than 180 days after the date of
the enactment of this section and
annually thereafter, the Chief Privacy
Officer and the Officer for Civil
Rights and Civil Liberties of the
Department, in consultation with the
Privacy and Civil Liberties Oversight
Board (established pursuant to section
1061 of the Intelligence Reform and
Terrorism Prevention Act of 2004 (42
U.S.C. 2000ee)), shall submit to the
Committee on Homeland Security of the
House of Representatives and the
Committee on Homeland Security and
Governmental Affairs of the Senate the
policies and procedures governing the
sharing of cyber threat indicators,
defensive measures, and information
related to cybsersecurity risks and
incidents described in clause (i) of
subparagraph (A).
(iii) Public notice and access.--The
Under Secretary for Cybersecurity and
Infrastructure Protection, in
consultation with the Chief Privacy
Officer and the Chief Civil Rights and
Civil Liberties Officer of the
Department, and the Privacy and Civil
Liberties Oversight Board (established
pursuant to section 1061 of the
Intelligence Reform and Terrorism
Prevention Act of 2004 (42 U.S.C.
2000ee)), shall ensure there is public
notice of, and access to, the policies
and procedures governing the sharing of
cyber threat indicators, defensive
measures, and information related to
cybersecurity risks and incidents.
(iv) Consultation.--The Under
Secretary for Cybersecurity and
Infrastructure Protection when
establishing policies and procedures to
support privacy and civil liberties may
consult with the National Institute of
Standards and Technology.
(B) Implementation.--The Chief Privacy
Officer of the Department, on an ongoing basis,
shall--
(i) monitor the implementation of the
policies and procedures governing the
sharing of cyber threat indicators and
defensive measures established pursuant
to clause (i) of subparagraph (A);
(ii) regularly review and update
privacy impact assessments, as
appropriate, to ensure all relevant
constitutional, legal, and privacy
protections are being followed;
(iii) work with the Under Secretary
for Cybersecurity and Infrastructure
Protection to carry out paragraphs (10)
and (11) of subsection (c);
(iv) annually submit to the Committee
on Homeland Security of the House of
Representatives and the Committee on
Homeland Security and Governmental
Affairs of the Senate a report that
contains a review of the effectiveness
of such policies and procedures to
protect privacy and civil liberties;
and
(v) ensure there are appropriate
sanctions in place for officers,
employees, or agents of the Department
who intentionally or willfully conduct
activities under this section in an
unauthorized manner.
(C) Inspector general report.--The Inspector
General of the Department, in consultation with
the Privacy and Civil Liberties Oversight Board
and the Inspector General of each Federal
agency that receives cyber threat indicators or
defensive measures shared with the Center under
this section, shall, not later than two years
after the date of the enactment of this
subsection and periodically thereafter submit
to the Committee on Homeland Security of the
House of Representatives and the Committee on
Homeland Security and Governmental Affairs of
the Senate a report containing a review of the
use of cybersecurity risk information shared
with the Center, including the following:
(i) A report on the receipt, use, and
dissemination of cyber threat
indicators and defensive measures that
have been shared with Federal entities
under this section.
(ii) Information on the use by the
Center of such information for a
purpose other than a cybersecurity
purpose.
(iii) A review of the type of
information shared with the Center
under this section.
(iv) A review of the actions taken by
the Center based on such information.
(v) The appropriate metrics that
exist to determine the impact, if any,
on privacy and civil liberties as a
result of the sharing of such
information with the Center.
(vi) A list of other Federal agencies
receiving such information.
(vii) A review of the sharing of such
information within the Federal
Government to identify inappropriate
stove piping of such information.
(viii) Any recommendations of the
Inspector General of the Department for
improvements or modifications to
information sharing under this section.
(D) Privacy and civil liberties officers
report.--The Chief Privacy Officer and the
Chief Civil Rights and Civil Liberties Officer
of the Department, in consultation with the
Privacy and Civil Liberties Oversight Board,
the Inspector General of the Department, and
the senior privacy and civil liberties officer
of each Federal agency that receives cyber
threat indicators and defensive measures shared
with the Center under this section, shall
biennially submit to the appropriate
congressional committees a report assessing the
privacy and civil liberties impact of the
activities under this paragraph. Each such
report shall include any recommendations the
Chief Privacy Officer and the Chief Civil
Rights and Civil Liberties Officer of the
Department consider appropriate to minimize or
mitigate the privacy and civil liberties impact
of the sharing of cyber threat indicators and
defensive measures under this section.
(E) Form.--Each report required under
paragraphs (C) and (D) shall be submitted in
unclassified form, but may include a classified
annex.
(7) Uses and protection of information.--
(A) Non-federal entities.--A non-Federal
entity, not including a State, local, or tribal
government, that shares cyber threat indicators
or defensive measures through the Center or
otherwise under this section--
(i) may use, retain, or further
disclose such cyber threat indicators
or defensive measures solely for
cybersecurity purposes;
(ii) shall, prior to such sharing,
take reasonable efforts to remove
information that can be used to
identify specific persons and is
reasonably believed at the time of
sharing to be unrelated to a
cybersecurity risk or incident, and to
safeguard information that can be used
to identify specific persons from
unintended disclosure or unauthorized
access or acquisition;
(iii) shall comply with appropriate
restrictions that a Federal entity or
non-Federal entity places on the
subsequent disclosure or retention of
cyber threat indicators and defensive
measures that it discloses to other
Federal entities or non-Federal
entities;
(iv) shall be deemed to have
voluntarily shared such cyber threat
indicators or defensive measures;
(v) shall implement and utilize a
security control to protect against
unauthorized access to or acquisition
of such cyber threat indicators or
defensive measures; and
(vi) may not use such information to
gain an unfair competitive advantage to
the detriment of any non-Federal
entity.
(B) Federal entities.--
(i) Uses of information.--A Federal
entity that receives cyber threat
indicators or defensive measures shared
through the Center or otherwise under
this section from another Federal
entity or a non-Federal entity--
(I) may use, retain, or
further disclose such cyber
threat indicators or defensive
measures solely for
cybersecurity purposes;
(II) shall, prior to such
sharing, take reasonable
efforts to remove information
that can be used to identify
specific persons and is
reasonably believed at the time
of sharing to be unrelated to a
cybersecurity risk or incident,
and to safeguard information
that can be used to identify
specific persons from
unintended disclosure or
unauthorized access or
acquisition;
(III) shall be deemed to have
voluntarily shared such cyber
threat indicators or defensive
measures;
(IV) shall implement and
utilize a security control to
protect against unauthorized
access to or acquisition of
such cyber threat indicators or
defensive measures; and
(V) may not use such cyber
threat indicators or defensive
measures to engage in
surveillance or other
collection activities for the
purpose of tracking an
individual's personally
identifiable information.
(ii) Protections for information.--
The cyber threat indicators and
defensive measures referred to in
clause (i)--
(I) are exempt from
disclosure under section 552 of
title 5, United States Code,
and withheld, without
discretion, from the public
under subsection (b)(3)(B) of
such section;
(II) may not be used by the
Federal Government for
regulatory purposes;
(III) may not constitute a
waiver of any applicable
privilege or protection
provided by law, including
trade secret protection;
(IV) shall be considered the
commercial, financial, and
proprietary information of the
non-Federal entity referred to
in clause (i) when so
designated by such non-Federal
entity; and
(V) may not be subject to a
rule of any Federal entity or
any judicial doctrine regarding
ex parte communications with a
decisionmaking official.
(C) State, local, or tribal government.--
(i) Uses of information.--A State,
local, or tribal government that
receives cyber threat indicators or
defensive measures from the Center from
a Federal entity or a non-Federal
entity--
(I) may use, retain, or
further disclose such cyber
threat indicators or defensive
measures solely for
cybersecurity purposes;
(II) shall, prior to such
sharing, take reasonable
efforts to remove information
that can be used to identify
specific persons and is
reasonably believed at the time
of sharing to be unrelated to a
cybersecurity risk or incident,
and to safeguard information
that can be used to identify
specific persons from
unintended disclosure or
unauthorized access or
acquisition;
(III) shall consider such
information the commercial,
financial, and proprietary
information of such Federal
entity or non-Federal entity if
so designated by such Federal
entity or non-Federal entity;
(IV) shall be deemed to have
voluntarily shared such cyber
threat indicators or defensive
measures; and
(V) shall implement and
utilize a security control to
protect against unauthorized
access to or acquisition of
such cyber threat indicators or
defensive measures.
(ii) Protections for information.--
The cyber threat indicators and
defensive measures referred to in
clause (i)--
(I) shall be exempt from
disclosure under any State,
local, or tribal law or
regulation that requires public
disclosure of information or
records by a public or quasi-
public entity; and
(II) may not be used by any
State, local, or tribal
government to regulate a lawful
activity of a non-Federal
entity.
(8) Liability exemptions.--
(A) Network awareness.--No cause of action
shall lie or be maintained in any court, and
such action shall be promptly dismissed,
against any non-Federal entity that, for
cybersecurity purposes, conducts network
awareness under paragraph (4), if such network
awareness is conducted in accordance with such
paragraph and this section.
(B) Information sharing.--No cause of action
shall lie or be maintained in any court, and
such action shall be promptly dismissed,
against any non-Federal entity that, for
cybersecurity purposes, shares cyber threat
indicators or defensive measures under
paragraph (3), or fails to act based on such
sharing, if such sharing is conducted in
accordance with such paragraph and this
section.
(C) Willful misconduct.--
(i) Rule of construction.--Nothing in
this section may be construed to--
(I) require dismissal of a
cause of action against a non-
Federal entity that has engaged
in willful misconduct in the
course of conducting activities
authorized by this section; or
(II) undermine or limit the
availability of otherwise
applicable common law or
statutory defenses.
(ii) Proof of willful misconduct.--In
any action claiming that subparagraph
(A) or (B) does not apply due to
willful misconduct described in clause
(i), the plaintiff shall have the
burden of proving by clear and
convincing evidence the willful
misconduct by each non-Federal entity
subject to such claim and that such
willful misconduct proximately caused
injury to the plaintiff.
(iii) Willful misconduct defined.--In
this subsection, the term ``willful
misconduct'' means an act or omission
that is taken--
(I) intentionally to achieve
a wrongful purpose;
(II) knowingly without legal
or factual justification; and
(III) in disregard of a known
or obvious risk that is so
great as to make it highly
probable that the harm will
outweigh the benefit.
(D) Exclusion.--The term ``non-Federal
entity'' as used in this paragraph shall not
include a State, local, or tribal government.
(9) Federal government liability for violations of
restrictions on the use and protection of voluntarily
shared information.--
(A) In general.--If a department or agency of
the Federal Government intentionally or
willfully violates the restrictions specified
in paragraph (3), (6), or (7)(B) on the use and
protection of voluntarily shared cyber threat
indicators or defensive measures, or any other
provision of this section, the Federal
Government shall be liable to a person injured
by such violation in an amount equal to the sum
of--
(i) the actual damages sustained by
such person as a result of such
violation or $1,000, whichever is
greater; and
(ii) reasonable attorney fees as
determined by the court and other
litigation costs reasonably occurred in
any case under this subsection in which
the complainant has substantially
prevailed.
(B) Venue.--An action to enforce liability
under this subsection may be brought in the
district court of the United States in--
(i) the district in which the
complainant resides;
(ii) the district in which the
principal place of business of the
complainant is located;
(iii) the district in which the
department or agency of the Federal
Government that disclosed the
information is located; or
(iv) the District of Columbia.
(C) Statute of limitations.--No action shall
lie under this subsection unless such action is
commenced not later than two years after the
date of the violation of any restriction
specified in paragraph (3), (6), or 7(B), or
any other provision of this section, that is
the basis for such action.
(D) Exclusive cause of action.--A cause of
action under this subsection shall be the
exclusive means available to a complainant
seeking a remedy for a violation of any
restriction specified in paragraph (3), (6), or
7(B) or any other provision of this section.
(10) Anti-trust exemption.--
(A) In general.--Except as provided in
subparagraph (C), it shall not be considered a
violation of any provision of antitrust laws
for two or more non-Federal entities to share a
cyber threat indicator or defensive measure, or
assistance relating to the prevention,
investigation, or mitigation of a cybersecurity
risk or incident, for cybersecurity purposes
under this Act.
(B) Applicability.--Subparagraph (A) shall
apply only to information that is shared or
assistance that is provided in order to assist
with--
(i) facilitating the prevention,
investigation, or mitigation of a
cybersecurity risk or incident to an
information system or information that
is stored on, processed by, or
transiting an information system; or
(ii) communicating or disclosing a
cyber threat indicator or defensive
measure to help prevent, investigate,
or mitigate the effect of a
cybersecurity risk or incident to an
information system or information that
is stored on, processed by, or
transiting an information system.
(C) Prohibited conduct.--Nothing in this
section may be construed to permit price-
fixing, allocating a market between
competitors, monopolizing or attempting to
monopolize a market, or exchanges of price or
cost information, customer lists, or
information regarding future competitive
planning.
(11) Construction and preemption.--
(A) Otherwise lawful disclosures.--Nothing in
this section may be construed to limit or
prohibit otherwise lawful disclosures of
communications, records, or other information,
including reporting of known or suspected
criminal activity or participating voluntarily
or under legal requirement in an investigation,
by a non-Federal to any other non-Federal
entity or Federal entity under this section.
(B) Whistle blower protections.--Nothing in
this section may be construed to prohibit or
limit the disclosure of information protected
under section 2302(b)(8) of title 5, United
States Code (governing disclosures of
illegality, waste, fraud, abuse, or public
health or safety threats), section 7211 of
title 5, United States Code (governing
disclosures to Congress), section 1034 of title
10, United States Code (governing disclosure to
Congress by members of the military), section
1104 of the National Security Act of 1947 (50
U.S.C. 3234) (governing disclosure by employees
of elements of the intelligence community), or
any similar provision of Federal or State law.
(C) Relationship to other laws.--Nothing in
this section may be construed to affect any
requirement under any other provision of law
for a non-Federal entity to provide information
to a Federal entity.
(D) Preservation of contractual obligations
and rights.--Nothing in this section may be
construed to--
(i) amend, repeal, or supersede any
current or future contractual
agreement, terms of service agreement,
or other contractual relationship
between any non-Federal entities, or
between any non-Federal entity and a
Federal entity; or
(ii) abrogate trade secret or
intellectual property rights of any
non-Federal entity or Federal entity.
(E) Anti-tasking restriction.--Nothing in
this section may be construed to permit a
Federal entity to--
(i) require a non-Federal entity to
provide information to a Federal
entity;
(ii) condition the sharing of cyber
threat indicators or defensive measures
with a non-Federal entity on such non-
Federal entity's provision of cyber
threat indicators or defensive measures
to a Federal entity; or
(iii) condition the award of any
Federal grant, contract, or purchase on
the sharing of cyber threat indicators
or defensive measures with a Federal
entity.
(F) No liability for non-participation.--
Nothing in this section may be construed to
subject any non-Federal entity to liability for
choosing to not engage in the voluntary
activities authorized under this section.
(G) Use and retention of information.--
Nothing in this section may be construed to
authorize, or to modify any existing authority
of, a department or agency of the Federal
Government to retain or use any information
shared under this section for any use other
than permitted in this section.
(H) Voluntary sharing.--Nothing in this
section may be construed to restrict or
condition a non-Federal entity from sharing,
for cybersecurity purposes, cyber threat
indicators, defensive measures, or information
related to cybersecurity risks or incidents
with any other non-Federal entity, and nothing
in this section may be construed as requiring
any non-Federal entity to share cyber threat
indicators, defensive measures, or information
related to cybersecurity risks or incidents
with the Center.
(I) Federal preemption.--This section
supersedes any statute or other provision of
law of a State or political subdivision of a
State that restricts or otherwise expressly
regulates an activity authorized under this
section.
(j) Direct Reporting.--The Secretary shall develop policies
and procedures for direct reporting to the Secretary by the
Director of the Center regarding significant cybersecurity
risks and incidents.
(k) Additional Responsibilities.--The Secretary shall build
upon existing mechanisms to promote a national awareness effort
to educate the general public on the importance of securing
information systems.
(l) Reports on International Cooperation.--Not later than 180
days after the date of the enactment of this subsection and
periodically thereafter, the Secretary of Homeland Security
shall submit to the Committee on Homeland Security of the House
of Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report on the range of
efforts underway to bolster cybersecurity collaboration with
relevant international partners in accordance with subsection
(c)(8).
(m) Outreach.--Not later than 60 days after the date of the
enactment of this subsection, the Secretary, acting through the
Under Secretary for Cybersecurity and Infrastructure
Protection, shall--
(1) disseminate to the public information about how
to voluntarily share cyber threat indicators and
defensive measures with the Center; and
(2) enhance outreach to critical infrastructure
owners and operators for purposes of such sharing.
SEC. 227. CYBER INCIDENT RESPONSE [PLAN] PLANS.
[The Under Secretary appointed under section 103(a)(1)(H)
shall] (a) In General._The Under Secretary for Cybersecurity
and Infrastructure Protection shall, in coordination with
appropriate Federal departments and agencies, State and local
governments, sector coordinating councils, information sharing
and analysis organizations (as defined in section 212(5)),
owners and operators of critical infrastructure, and other
appropriate entities and individuals, develop, regularly
update, maintain, and exercise adaptable cyber incident
response plans to address cybersecurity risks (as defined in
section 226) to critical infrastructure.
(b) Updates to the Cyber Incident Annex to the National
Response Framework.--The Secretary, in coordination with the
heads of other appropriate Federal departments and agencies,
and in accordance with the National Cybersecurity Incident
Response Plan required under subsection (a), shall regularly
update, maintain, and exercise the Cyber Incident Annex to the
National Response Framework of the Department.
* * * * * * *
SEC. 230. SECURITY AND RESILIENCY OF PUBLIC SAFETY COMMUNICATIONS.
The National Cybersecurity and Communications Integration
Center, in coordination with the Office of Emergency
Communications of the Department, shall assess and evaluate
consequence, vulnerability, and threat information regarding
cyber incidents to public safety communications to help
facilitate continuous improvements to the security and
resiliency of such communications.
SEC. 231. CYBERSECURITY AWARENESS CAMPAIGN.
(a) In General.--The Under Secretary for Cybersecurity and
Infrastructure Protection shall develop and implement an
ongoing and comprehensive cybersecurity awareness campaign
regarding cybersecurity risks and voluntary best practices for
mitigating and responding to such risks. Such campaign shall,
at a minimum, publish and disseminate, on an ongoing basis, the
following:
(1) Public service announcements targeted at
improving awareness among State, local, and tribal
governments, the private sector, academia, and
stakeholders in specific audiences, including the
elderly, students, small businesses, members of the
Armed Forces, and veterans.
(2) Vendor and technology-neutral voluntary best
practices information.
(b) Consultation.--The Under Secretary for Cybersecurity and
Infrastructure Protection shall consult with a wide range of
stakeholders in government, industry, academia, and the non-
profit community in carrying out this section.
* * * * * * *
TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY
* * * * * * *
SEC. 318. RESEARCH AND DEVELOPMENT STRATEGY FOR CRITICAL INFRASTRUCTURE
PROTECTION.
(a) In General.--Not later than 180 days after the date of
enactment of this section, the Secretary, acting through the
Under Secretary for Science and Technology, shall submit to
Congress a strategic plan to guide the overall direction of
Federal physical security and cybersecurity technology research
and development efforts for protecting critical infrastructure,
including against all threats. Such plan shall be updated and
submitted to Congress every two years.
(b) Contents of Plan.--The strategic plan, including biennial
updates, required under subsection (a) shall include the
following:
(1) An identification of critical infrastructure
security risks and any associated security technology
gaps, that are developed following--
(A) consultation with stakeholders, including
critical infrastructure Sector Coordinating
Councils; and
(B) performance by the Department of a risk
and gap analysis that considers information
received in such consultations.
(2) A set of critical infrastructure security
technology needs that--
(A) is prioritized based on the risks and
gaps identified under paragraph (1);
(B) emphasizes research and development of
technologies that need to be accelerated due to
rapidly evolving threats or rapidly advancing
infrastructure technology; and
(C) includes research, development, and
acquisition roadmaps with clearly defined
objectives, goals, and measures.
(3) An identification of laboratories, facilities,
modeling, and simulation capabilities that will be
required to support the research, development,
demonstration, testing, evaluation, and acquisition of
the security technologies described in paragraph (2).
(4) An identification of current and planned
programmatic initiatives for fostering the rapid
advancement and deployment of security technologies for
critical infrastructure protection, including a
consideration of opportunities for public-private
partnerships, intragovernment collaboration, university
centers of excellence, and national laboratory
technology transfer.
(5) A description of progress made with respect to
each critical infrastructure security risk, associated
security technology gap, and critical infrastructure
technology need identified in the preceding strategic
plan required under subsection (a).
(c) Coordination.--In carrying out this section, the Under
Secretary for Science and Technology shall coordinate with the
Under Secretary for the National Protection and Programs
Directorate.
(d) Consultation.--In carrying out this section, the Under
Secretary for Science and Technology shall consult with--
(1) critical infrastructure Sector Coordinating
Councils;
(2) to the extent practicable, subject matter experts
on critical infrastructure protection from
universities, colleges, national laboratories, and
private industry;
(3) the heads of other relevant Federal departments
and agencies that conduct research and development
relating to critical infrastructure protection; and
(4) State, local, and tribal governments, as
appropriate.
* * * * * * *
ADDITIONAL VIEWS
On behalf of Committee on Homeland Security Democrats, I
submit the following additional views on H.R. 1731, the
``National Cybersecurity Protection Advancement Act of 2015,''
as amended.
Improving cyber information sharing is a top legislative
priority for Committee on Homeland Security Democrats for the
114th Congress. H.R. 1731 is the product of months of
bipartisan stakeholder discussions with private sector
stakeholders, including representatives from critical
infrastructure sectors, technology companies, privacy
organizations, as well as Federal stakeholders, most especially
the Department of Homeland Security. Committee Democrats
support efforts to bolster information sharing with the
Department and agree with President Obama about the need for
targeted liability protection to address addressing what some
in industry have identified as a major barrier to sharing cyber
threat information--the risk that sharing such information
would expose companies to legal liability. Committee Democrats
are disappointed that while the Majority worked collaboratively
with us on the bulk of this legislation, when it came time to
crafting liability protection language, Democrats were shut
out. The liability protection provision that was negotiated
between Chairman Michael McCaul and House Judiciary Committee
Chairman Bob Goodlatte is unduly complicated and runs the risk
of directly or inadvertently providing liability relief to
entities that act negligently as lawsuits would only be allowed
for ``willful misconduct.'' It also may incentivize companies
to not act on timely cyber threat information as it explicitly
immunizes a non-Federal entity who ``in good faith fails to
act'' on cyber information against lawsuits. This approach is
counter to the fundamental goal of the Act--to provide
companies with timely information to act and protect their
networks and the information stored on them.
Although Committee Democrats are disappointed with the
liability protection provision in H.R. 1731, Committee
Democrats are pleased that our efforts to bolster the privacy
provisions in the underlying bill were largely successful;
however, it is worth noting that bipartisan discussions
continue with privacy stakeholders about further refinements,
as this measure moves to the Full House.
In general, we are pleased that H.R. 1731, as amended,
limits the sharing and allowable uses for cyber threat
information to ``solely for cybersecurity purposes,'' requires
participating non-Federal entities and the National
Cybersecurity and Communications Integration Center (NCCIC) to
remove unrelated information that identifies persons from cyber
threat data (minimization), and builds in privacy protections
and oversight at all levels of the NCCIC operation.
Committee Democrats are disappointed that amendments
offered by Cybersecurity, Infrastructure Protection, and
Security Technologies (CIPST) Subcommittee Ranking Member
Cedric Richmond to improve the liability protection language
were rejected at the Full Committee markup. They would have
streamlined the language in key respects. Also rejected was an
amendment that I offered to sunset this Act after five years to
allow for the Committee to make adjustments to the law based on
oversight findings.
Committee Democrats are pleased, however that twelve
amendments offered by Committee Democrats were accepted. Two
amendments that we would like to highlight in particular would
seek to bolster the reach of this bill to Main Street America
and every U.S. household.
The first was offered by CIPST Ranking Member Richmond. It
directed DHS to bolster outreach to small and medium-size
business, and to help ensure that Main Street businesses get
the attention and assistance they need. Most small and medium-
size businesses do not have the resources to focus on cyber
threats but by requiring DHS to amplify its efforts with
respect to small and medium-size businesses specifically
regarding cyber security, we can help Main Street America
participate, ensuring that information-sharing, on the larger
scale, adds to the cyber security of a broad array of
businesses all across our nation.
The second was offered by Oversight and Management
Efficiency Subcommittee Ranking Member Bonnie Watson Coleman.
It directs DHS to begin a concerted and sustained campaign to
raise national awareness about cybersecurity. The campaign is
to include public service announcements, widely advertised web
sites, Apps, written collateral; social media; and other
creative sources to help Americans understand that many simple
measures will improve their cyber security protection posture.
Such measures include simple steps like: improving password
management; enabling firewall protection; installing anti-virus
and anti-spam protection; installing software updates; ``know
your sender'' and refrain from opening links and attachments
from unknown and untrusted senders.
As we work to enhance information sharing about cyber
threats, it is important to keep in mind that as much as 80
percent of exploitable vulnerabilities in cyberspace are a
direct result of poor, or no cyber hygiene and software
vulnerabilities. The American people must be made more aware
about the basic fundamentals of cybersecurity.
Sincerely,
Bennie G. Thompson,
Ranking Member.
[all]