[House Report 114-284] [From the U.S. Government Publishing Office] 114th Congress } { Report HOUSE OF REPRESENTATIVES 1st Session } { 114-284 ====================================================================== DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY STRATEGY ACT OF 2015 _______ October 6, 2015.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. McCaul, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 3510] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security, to whom was referred the bill (H.R. 3510) to amend the Homeland Security Act of 2002 to require the Secretary of Homeland Security to develop a cybersecurity strategy for the Department of Homeland Security, and for other purposes, having considered the same, reports favorably thereon with an amendment and recommends that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 3 Background and Need for Legislation.............................. 3 Hearings......................................................... 4 Committee Consideration.......................................... 4 Committee Votes.................................................. 5 Committee Oversight Findings..................................... 5 New Budget Authority, Entitlement Authority, and Tax Expenditures 5 Congressional Budget Office Estimate............................. 5 Statement of General Performance Goals and Objectives............ 6 Duplicative Federal Programs..................................... 6 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 7 Federal Mandates Statement....................................... 7 Preemption Clarification......................................... 7 Disclosure of Directed Rule Makings.............................. 7 Advisory Committee Statement..................................... 7 Applicability to Legislative Branch.............................. 7 Section-by-Section Analysis of the Legislation................... 7 Changes in Existing Law Made by the Bill, as Reported............ 10 The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Department of Homeland Security Cybersecurity Strategy Act of 2015''. SEC. 2. CYBERSECURITY STRATEGY FOR THE DEPARTMENT OF HOMELAND SECURITY. (a) In General.--Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the following new section: ``SEC. 230. CYBERSECURITY STRATEGY. ``(a) In General.--Not later than 60 days after the date of the enactment of this section, the Secretary shall develop a departmental strategy to carry out cybersecurity responsibilities as set forth in law. ``(b) Contents.--The strategy required under subsection (a) shall include the following: ``(1) Strategic and operational goals and priorities to successfully execute the full range of the Secretary's cybersecurity responsibilities. ``(2) Information on the programs, policies, and activities that are required to successfully execute the full range of the Secretary's cybersecurity responsibilities, including programs, policies, and activities in furtherance of the following: ``(A) Cybersecurity functions set forth in the second section 226 (relating to the national cybersecurity and communications integration center). ``(B) Cybersecurity investigations capabilities. ``(C) Cybersecurity research and development. ``(D) Engagement with international cybersecurity partners. ``(c) Considerations.--In developing the strategy required under subsection (a), the Secretary shall-- ``(1) consider-- ``(A) the cybersecurity strategy for the Homeland Security Enterprise published by the Secretary in November 2011; ``(B) the Department of Homeland Security Fiscal Years 2014 2018 Strategic Plan; and ``(C) the most recent Quadrennial Homeland Security Review issued pursuant to section 707; and ``(2) include information on the roles and responsibilities of components and offices of the Department, to the extent practicable, to carry out such strategy. ``(d) Implementation Plan.--Not later than 90 days after the development of the strategy required under subsection (a), the Secretary shall issue an implementation plan for the strategy that includes the following: ``(1) Strategic objectives and corresponding tasks. ``(2) Projected timelines and costs for such tasks. ``(3) Metrics to evaluate performance of such tasks. ``(e) Congressional Oversight.--The Secretary shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate for assessment the following: ``(1) A copy of the strategy required under subsection (a) upon issuance. ``(2) A copy of the implementation plan required under subsection (d) upon issuance, together with detailed information on any associated legislative or budgetary proposals. ``(f) Prohibition on Reorganization.--In the event that the strategy required under subsection (a) or implementation plan required under subsection (d) includes actions to reorganize departmental components or offices, such actions may not be executed without prior congressional authorization. ``(g) Classified Information.--The strategy required under subsection (a) shall be in an unclassified form but may contain a classified annex. ``(h) Rule of Construction.--Nothing in this section may be construed as permitting the Department to engage in monitoring, surveillance, exfiltration, or other collection activities for the purpose of tracking an individual's personally identifiable information. ``(i) Definitions.--In this section: ``(1) Cybersecurity risk.--The term `cybersecurity risk' has the meaning given such term in the second section 226, relating to the national cybersecurity and communications integration center. ``(2) Homeland security enterprise.--The term `Homeland Security Enterprise' means relevant governmental and nongovernmental entities involved in homeland security, including Federal, State, local, and tribal government officials, private sector representatives, academics, and other policy experts. ``(3) Incident.--The term `incident' has the meaning given such term in the second section 226, relating to the national cybersecurity and communications integration center.''. (b) Clerical Amendment.--The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by adding at the end of the list of items for subtitle C of title II the following new item: ``Sec. 230. Cybersecurity strategy.''. (c) Amendment to Definition.--Paragraph (2) of subsection (a) of the second section 226 of the Homeland Security Act of 2002 (6 U.S.C. 148; relating to the national cybersecurity and communications integration center) is amended to read as follows: ``(2) the term `incident' means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;''. Purpose and Summary The purpose of H.R. 3510 is to amend the Homeland Security Act of 2002 to instruct the Secretary of the Department of Homeland Security (Department or DHS) to develop a departmental cybersecurity strategy and implementation plan to carry out the cybersecurity responsibilities of the department and to prohibit the department from reorganizing or realigning offices within the National Protection and Programs Directorate without Congressional approval. Background and Need for Legislation Cyber attacks stand to disrupt the operations of government, businesses, and the lives of the American people. Increasingly sophisticated cyber threats have underscored the need to manage and strengthen the cybersecurity of the nation's critical infrastructure. The Government Accountability Office (GAO) recommended that an overarching Federal cybersecurity strategy be implemented and that such strategy should define key elements of a national strategy including roles and responsibilities. H.R.3510 ensures DHS develops such a strategy. On September 4, 2015, the Department's Inspector General issued a report entitled ``DHS Can Strengthen Its Cyber Mission Coordination Efforts''' that recommended that DHS develop a comprehensive, cross-departmental strategic implementation plan that defines components' cyber missions and responsibilities, including long-term goals, performance metrics, and milestones to measure progress in unifying the Department's incident response and coordination efforts'' (DHS-OIG-15-140). H.R. 3510 directs the Department to develop a department-wide strategy and implementation plan to ensure performance of its multi- faceted cybersecurity mission. At present, efforts are underway within the Department for a wide-scale reorganization of the National Protection and Programs Directorate (NPPD). It is critical that Congress be a legislative proposal to determine whether or not the proposed changes would provide a clear mission, streamline the organization's structure, and ensure a qualified workforce to successfully carry out its mission. H.R. 3510 also seeks to ensure such congressional oversight by requiring congressional authorization for any such action. The Committee is concerned with the lack of transparency on the Department's efforts to reorganize to carry out its cybersecurity and infrastructure protection missions. The Committee communicated this concern to the Secretary of Homeland Security in a letter sent September 15, 2015, and made it clear that any reorganization or realignment will require Congressional authorization. Given this Committee's legislative and oversight efforts to strengthen Departmental cybersecurity functions, it's essential that DHS submit any proposal to Congress prior to reorganization or realignment. Congressional interest is evident in the numerous pieces of legislation this Committee has considered and hearings this Committee has conducted. Hearings The Committee on Homeland Security did not hold any legislative hearings on H.R. 3510, however the Committee held oversight hearings listed below. On February 12, 2015, the Subcommittee held a hearing entitled ``Emerging Threats and Technologies to Protect the Homeland.'' The Subcommittee received testimony from Mr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security; Dr. Huban Gowadia, Director, Domestic Nuclear Detection Office, U.S. Department of Homeland Security; Mr.Joseph Martin, Acting Director, Homeland Security Enterprise and First Responders Group, Science and Technology Directorate, U.S. Department of Homeland Security; Mr. William Noonan, Deputy Special Agent in Charge, Criminal Investigative Division, Cyber Operations Branch, United States Secret Service, U.S. Department of Homeland Security; and Mr. William Painter, Analyst, Government and Finance Division, Congressional Research Service, Library of Congress. On March 4, 2015, the Subcommittee held a hearing entitled ``Industry Perspectives on the President's Cybersecurity Information Sharing Proposal.'' The Subcommittee received testimony from Mr.Matthew J. Eggers, Senior Director, National Security and Emergency Preparedness, U.S. Chamber of Commerce; Ms. Mary Ellen Callahan, Jenner & Block and the Former Chief Privacy Officer, U.S. Department of Homeland Security; Mr. Gregory T. Garcia, Executive Director, Financial Services Sector Coordinating Council; and Dr. Martin Libicki, The RAND Corporation. On June 24, 2015, the Subcommittee held a hearing entitled ``DHS' Efforts to Secure .Gov.'' The Subcommittee received testimony from Dr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Protections and Programs Directorate, U.S. Department of Homeland Security; Mr. Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office; and Dr. Daniel M. Gerstein, The RAND Corporation. Committee Consideration The Committee met on September 30, 2015, to consider H.R.3510, and ordered the measure to be reported to the House with a favorable recommendation, as amended, by voice vote. The Committee took the following actions: The following amendments were offered: An Amendment offered by Mr. Clawson (#1); was AGREED TO by voice vote. Page 5, line 4, insert a new clause entitled ``(h) Rule of Construction.'' The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies met on September 17, 2015, to consider H.R. 3510 and reported the measure to the Full Committee with a favorable recommendation, without amendment, by voice vote. Committee Votes Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R.3510. Committee Oversight Findings Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. U.S. Congress, Congressional Budget Office, Washington, DC, October 5, 2015. Hon. Michael McCaul, Chairman, Committee on Homeland Security, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is William Ma. Sincerely, Keith Hall. Enclosure. H.R. 3510--Department of Homeland Security Cybersecurity Strategy Act of 2015 H.R. 3510 would require the Department of Homeland Security (DHS), within 60 days of the bill's enactment, to develop a strategy to execute the department's cybersecurity responsibilities under current law. The bill also would require DHS to issue a plan to implement that strategy not later than 90 days after the strategy is developed and to deliver the strategy and the plan to the Congress. Because DHS is currently developing a cybersecurity strategy and would be able to meet the deadlines established in the bill, CBO estimates that implementing the bill would not have a significant effect on the budget. Enacting H.R. 3510 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. H.R. 3510 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments. The CBO staff contact for this estimate is William Ma. The estimate was approved by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 3510 contains the following general performance goals and objectives, including outcome related goals and objectives authorized. This legislation requires the Secretary of Homeland Security to develop a cybersecurity strategy for the Department of Homeland Security (DHS) and to submit such strategy to Congress no later than 60 days after the enactment of this legislation. The Secretary is also directed to submit an implementation plan for the cybersecurity strategy 90 days after the development of the strategy. Additionally, this legislation would clarify the requirement for DHS to submit proposals to Congress prior to reorganization or realignment. H.R. 3510 helps to strengthen the security and resiliency of cyberspace by requiring the Secretary to thoroughly examine the goals, priorities, roles, and responsibilities that are necessary to execute its mission. The development of a strategy will ensure the Secretary considers cybersecurity functions across the Department holistically in order to more effectively achieve the cybersecurity priorities of the Department. Efforts are presently underway within the Department for a wide-scale reorganization of the National Protection and Programs Directorate (NPPD). It is critical that Congress be provided a legislative proposal to determine whether or not the proposed changes would provide a clear mission, streamline the organization's structure, and ensure a qualified workforce to successfully carry out its mission. H.R. 3510 also seeks to ensure proper oversight and transparency and reflects the appropriate roles of both the Legislative and Executive branches of the Government. Duplicative Federal Programs Pursuant to clause 3(c) of rule XIII, the Committee finds that H.R. 3510 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the rule XXI. Federal Mandates Statement The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. Preemption Clarification In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 3510 does not preempt any State, local, or Tribal law. Disclosure of Directed Rule Makings The Committee estimates that H.R. 3510 would require no directed rule makings. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short title This section provides that bill may be cited as the ``Department of Homeland Security Cybersecurity Strategy Act of 2015''. Section 2. Cybersecurity strategy for the Department of Homeland Security (a) Subtitle C of title II of the Homeland Security Act of 2002 is amended to add the following new section: ``Sec. 230. Cybersecurity Strategy.'' (a) In General. This subsection directs the Secretary of the Department of Homeland Security to develop a departmental strategy to carry out cybersecurity responsibilities as set forth in law. (b) Contents of Strategy. This subsection details the contents of the strategy to include the strategic and operational goals and priorities needed to execute the Department's cybersecurity responsibilities including information on its programs, policies, and activities. These programs, policies, and activities should include the Department's cybersecurity functions set forth in the second section 226 of the Homeland Security Act (HSA), cybersecurity investigations capabilities, cybersecurity research and development, and engagement with international cybersecurity partners. Cybersecurity functions set forth in the second section 226 of the HSA include: (1) Being a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cyber- security risks, incidents, analysis, and warnings for Federal and non-Federal entities; (2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non- Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities; (3) coordinating the sharing of information related to cybersecurity risks and incidents across the Federal Government; (4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors; (5)(A) conducting integration and analysis, including cross sector integration and analysis, of cybersecurity risks and incidents; and (B) sharing the analysis conducted under subparagraph (A) with Federal and non Federal entities; (6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cybersecurity risks and incidents, which may include attribution, mitigation, and remediation; and (7) providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including information and recommendations to: (A) facilitate information security; and (B) strengthen information systems against cybersecurity risks and incidents. (c) Considerations. This subsection requires the Secretary to consider other DHS strategic documents when developing the cybersecurity strategy including the cybersecurity strategy for the Homeland Security Enterprise published by the Secretary in November 2011, the Department of Homeland Security Fiscal Years 2014- 2018 Strategic Plan, the most recent Quadrennial Homeland Security Review issued pursuant to section 707 of the HAS. It must also include information on the roles and responsibilities of components and offices across the Department when developing the strategy. (d) Implementation Plan. The Secretary is required no later than 90 days to develop a plan for implementing the strategy that includes strategic objectives and corresponding tasks, projected timelines and costs for such tasks, and metrics to evaluate performance. (e) Congressional Oversight. This subsection requires the Secretary to submit the required strategy and the implementation plan, along with information on any associated legislative or budgetary proposals, to the House Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate for an assessment. (f) Prohibition of Reorganization. The Committee intends this subsection to prohibit the reorganization or realignment of NPPD without Congressional authorization. It is the role of the legislative branch to authorize and appropriate dollars for the Department of Homeland Security. In particular, it is this Committee's role and responsibility to legislate and oversee Department activities. The Committee has previously reviewed Administrative legislative proposals and worked with DHS to authorize various cyber programs. For example; S. 2521, the Federal Information Security Modernization Act of 2014, in which the Secretary of Homeland Security was given authority to administer the implementation of information security policies and practices, H.R. 2952, the Cybersecurity Workforce Assessment Act, in which the Secretary was directed to conduct an assessment of the cybersecurity workforce of the Department of Homeland Security, H.R. 3696 which established the National Cybersecurity and Communications Integration Center (NCCIC) and required that the Secretary of Homeland Security conduct cybersecurity activities, H.R. 3107 which directed the Secretary to develop a workforce strategy that enhances the readiness, capacity, training, recruitment, and retention of the DHS cybersecurity workforce, and H.R.1731 which would rename NPPD as Cybersecurity and Infrastructure Protection and codify a Deputy Under Secretary for Cybersecurity and a Deputy Under Secretary for Infrastructure Protection. These and other efforts serve to represent the important role of Congressional oversight. (g) Classified Information. This subsection requires that the proposed plan must be available in an unclassified form, but that it may have a classified annex. (h) Rule of Construction. This subsection ensures that nothing in this act can be construed to permit the Department to engage in monitoring, surveillance, exfiltration, or other collection activities for the purpose of tracking an individual's personally identifiable information. (i) Definitions. This subsection defines ``cybersecurity risk'' and ``incident'' as the meaning given to both in the second section 226 relating to the national cybersecurity and communications integration. ``Homeland Security Enterprise'' is defined as the relevant governmental and nongovernmental entities involved in homeland security, including Federal, State, local, and tribal governmental officials, private sector representatives, academics, and other policy experts. (b) Clerical Amendment. This subsection amends the table of contents of the Homeland Security Act of 2002. (c) Amendment to Definition. This subsection strikes and replaces the definition of ``incident'' in the second section 226 of the Homeland Security Act to mean an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentially, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Homeland Security Act of 2002''. (b) Table of Contents.--The table of contents for this Act is as follows: * * * * * * * TITLE V--NATIONAL EMERGENCY MANAGEMENT * * * * * * * Sec. 230. Cybersecurity strategy. * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle C--Information Security * * * * * * * SEC. 226. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER. (a) Definitions.--In this section-- (1) the term ``cybersecurity risk'' means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of information or information systems, including such related consequences caused by an act of terrorism; [(2) the term ``incident'' means an occurrence that-- [(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or [(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies;] (2) the term ``incident'' means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system; (3) the term ``information sharing and analysis organization'' has the meaning given that term in section 212(5); and (4) the term ``information system'' has the meaning given that term in section 3502(8) of title 44, United States Code. (b) Center.--There is in the Department a national cybersecurity and communications integration center (referred to in this section as the ``Center'') to carry out certain responsibilities of the Under Secretary appointed under section 103(a)(1)(H). (c) Functions.--The cybersecurity functions of the Center shall include-- (1) being a Federal civilian interface for the multi- directional and cross-sector sharing of information related to cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities; (2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities; (3) coordinating the sharing of information related to cybersecurity risks and incidents across the Federal Government; (4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors; (5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cybersecurity risks and incidents; and (B) sharing the analysis conducted under subparagraph (A) with Federal and non-Federal entities; (6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cybersecurity risks and incidents, which may include attribution, mitigation, and remediation; and (7) providing information and recommendations on security and resilience measures to Federal and non- Federal entities, including information and recommendations to-- (A) facilitate information security; and (B) strengthen information systems against cybersecurity risks and incidents. (d) Composition.-- (1) In general.-- The Center shall be composed of-- (A) appropriate representatives of Federal entities, such as-- (i) sector-specific agencies; (ii) civilian and law enforcement agencies; and (iii) elements of the intelligence community, as that term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); (B) appropriate representatives of non- Federal entities, such as-- (i) State and local governments; (ii) information sharing and analysis organizations; and (iii) owners and operators of critical information systems; (C) components within the Center that carry out cybersecurity and communications activities; (D) a designated Federal official for operational coordination with and across each sector; and (E) other appropriate representatives or entities, as determined by the Secretary. (2) Incidents.-- In the event of an incident, during exigent circumstances the Secretary may grant a Federal or non-Federal entity immediate temporary access to the Center. (e) Principles.--In carrying out the functions under subsection (c), the Center shall ensure-- (1) to the extent practicable, that-- (A) timely, actionable, and relevant information related to cybersecurity risks, incidents, and analysis is shared; (B) when appropriate, information related to cybersecurity risks, incidents, and analysis is integrated with other relevant information and tailored to the specific characteristics of a sector; (C) activities are prioritized and conducted based on the level of risk; (D) industry sector-specific, academic, and national laboratory expertise is sought and receives appropriate consideration; (E) continuous, collaborative, and inclusive coordination occurs-- (i) across sectors; and (ii) with-- (I) sector coordinating councils; (II) information sharing and analysis organizations; and (III) other appropriate non- Federal partners; (F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cybersecurity risks and incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient; and (G) the Center works with other agencies to reduce unnecessarily duplicative sharing of information related to cybersecurity risks and incidents; (2) that information related to cybersecurity risks and incidents is appropriately safeguarded against unauthorized access; and (3) that activities conducted by the Center comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons. (f) No Right or Benefit.-- (1) In general.-- The provision of assistance or information to, and inclusion in the Center of, governmental or private entities under this section shall be at the sole and unreviewable discretion of the Under Secretary appointed under section 103(a)(1)(H). (2) Certain assistance or information.-- The provision of certain assistance or information to, or inclusion in the Center of, one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity. * * * * * * * SEC. 230. CYBERSECURITY STRATEGY. (a) In General.--Not later than 60 days after the date of the enactment of this section, the Secretary shall develop a departmental strategy to carry out cybersecurity responsibilities as set forth in law. (b) Contents.--The strategy required under subsection (a) shall include the following: (1) Strategic and operational goals and priorities to successfully execute the full range of the Secretary's cybersecurity responsibilities. (2) Information on the programs, policies, and activities that are required to successfully execute the full range of the Secretary's cybersecurity responsibilities, including programs, policies, and activities in furtherance of the following: (A) Cybersecurity functions set forth in the second section 226 (relating to the national cybersecurity and communications integration center). (B) Cybersecurity investigations capabilities. (C) Cybersecurity research and development. (D) Engagement with international cybersecurity partners. (c) Considerations.--In developing the strategy required under subsection (a), the Secretary shall-- (1) consider-- (A) the cybersecurity strategy for the Homeland Security Enterprise published by the Secretary in November 2011; (B) the Department of Homeland Security Fiscal Years 2014 2018 Strategic Plan; and (C) the most recent Quadrennial Homeland Security Review issued pursuant to section 707; and (2) include information on the roles and responsibilities of components and offices of the Department, to the extent practicable, to carry out such strategy. (d) Implementation Plan.--Not later than 90 days after the development of the strategy required under subsection (a), the Secretary shall issue an implementation plan for the strategy that includes the following: (1) Strategic objectives and corresponding tasks. (2) Projected timelines and costs for such tasks. (3) Metrics to evaluate performance of such tasks. (e) Congressional Oversight.--The Secretary shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate for assessment the following: (1) A copy of the strategy required under subsection (a) upon issuance. (2) A copy of the implementation plan required under subsection (d) upon issuance, together with detailed information on any associated legislative or budgetary proposals. (f) Prohibition on Reorganization.--In the event that the strategy required under subsection (a) or implementation plan required under subsection (d) includes actions to reorganize departmental components or offices, such actions may not be executed without prior congressional authorization. (g) Classified Information.--The strategy required under subsection (a) shall be in an unclassified form but may contain a classified annex. (h) Rule of Construction.--Nothing in this section may be construed as permitting the Department to engage in monitoring, surveillance, exfiltration, or other collection activities for the purpose of tracking an individual's personally identifiable information. (i) Definitions.--In this section: (1) Cybersecurity risk.-- The term ``cybersecurity risk'' has the meaning given such term in the second section 226, relating to the national cybersecurity and communications integration center. (2) Homeland security enterprise.-- The term ``Homeland Security Enterprise'' means relevant governmental and nongovernmental entities involved in homeland security, including Federal, State, local, and tribal government officials, private sector representatives, academics, and other policy experts. (3) Incident.-- The term ``incident'' has the meaning given such term in the second section 226, relating to the national cybersecurity and communications integration center. [all]