[House Report 114-363]
[From the U.S. Government Publishing Office]

114th Congress, 1st Session -- House of Representatives -- Report 114-363

======================================================================

STATE AND LOCAL CYBER PROTECTION ACT OF 2015

December 3, 2015.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. McCaul, from the Committee on Homeland Security, submitted the following

R E P O R T

[To accompany H.R. 3869]

The Committee on Homeland Security, to whom was referred the bill (H.R. 3869) to amend the Homeland Security Act of 2002 to require State and local coordination on cybersecurity with the national cybersecurity and communications integration center, and for other purposes, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass.

CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

Purpose and Summary

The purpose of H.R. 3869 is to amend the Homeland Security Act of 2002 to assist State and local coordination on cybersecurity with the national cybersecurity and communications integration center, and for other purposes.

The State and Local Cyber Protection Act of 2015 would codify ongoing efforts by instructing the National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security (DHS) to coordinate with State and local governments and to, upon request, provide assistance to secure their information systems. The legislation is intended to codify DHS' ongoing coordination effort to give assurances to State and local governments that DHS stands ready to partner with them to protect their networks through existing programs. The NCCIC would, to the extent practicable, assist in the identification of cyber vulnerabilities and related protections for State and local information security systems, develop a web portal to communicate available tools for State and locals to utilize, provide voluntary technical training for State and local cybersecurity analysts, provide assistance in implementing cybersecurity tools, provide privacy and civil liberties training, and inform State and locals about cybersecurity best practices. The bill would further direct the NCCIC to submit information on the effectiveness of their activities with State and locals to Congress two years after enactment.

Background and Need for Legislation

Cybersecurity remains one of the most significant challenges facing the nation. State and Local governments host a wide range of sensitive citizen and critical infrastructure data that make them especially attractive targets for cyber attacks.
In an October 2015 survey sponsored by Hewlett Packard, 71 percent of information technology (IT) and IT security practitioners in State, Local, Tribal and Territorial (SLTT) government identified that their current cybersecurity practices are not clearly defined, and only 19 percent of these SLTT IT practitioners rated their ability to prevent a cyber-attack highly. In November of 2010 in Gregg County, Texas, hackers, reportedly from Russia, managed to steal $200,000 in electronic fund transfers intended for delivery to schools and cities within the county\1\. In January of 2015, pro-ISIS hackers took over a government website of a County government in Virginia for the purpose of spreading propaganda\2\.

---------------------------------------------------------------------------
\1\ http://www.news-journal.com/news/2010/dec/06/cyber-thieves-hit-gregg-county-for-200k/.
\2\ http://www.newsmax.com/Newsfront/isis-hacker-government-website/2015/01/17/id/619210/.
---------------------------------------------------------------------------

DHS has an important role to play in coordinating with State and locals to help them protect their information systems. For many State and local governments, DHS is the primary federal government point of contact for assisting with cybersecurity, recovering from a cyber incident, and seeking information to bolster their current defenses. DHS presently offers such assistance and collaborates heavily with state and local stakeholders in its cybersecurity activities through the Multi-State Information Sharing and Analysis Center, the C-Cubed Voluntary Critical Infrastructure Program, the Cyber Resilience Review, the Enhanced Cybersecurity Services Program, the Continuous Diagnostics and Mitigation Program, the National Cyber Awareness System, the Cybersecurity Evaluation Tool (CSET) and On-Site Cybersecurity Consulting.

Hearings

No hearings were held on H.R. 2869; however, the Committee held the following oversight hearing:

On June 24, 2015, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled "DHS' Efforts to Secure .Gov." The Subcommittee received testimony from Dr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Protections and Programs Directorate, U.S. Department of Homeland Security; Mr. Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office; and Dr. Daniel M. Gerstein, The RAND Corporation.

Committee Consideration

The Committee met on November 4, 2015, to consider H.R. 3869, and ordered the measure to be reported to the House with a favorable recommendation, as amended, by voice vote.

Committee Votes

Clause 3(b) of Rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R. 3869.

Committee Oversight Findings

Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report.

New Budget Authority, Entitlement Authority, and Tax Expenditures

In compliance with clause 3(c)(2) of Rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 3869, the State and Local Cyber Protection Act of 2015, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

Congressional Budget Office Estimate

Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the House of Representatives, a cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974 was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee.

Statement of General Performance Goals and Objectives

Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the House of Representatives, H.R. 3869 contains the following general performance goals and objectives, including outcome-related goals and objectives authorized.

H.R. 3869 provides that, not later than 2 years after the date of enactment of this Act, the national cybersecurity and communications integration center of the Department of Homeland Security shall provide to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate information on the activities and effectiveness of such activities, and will include feedback from State and local governments in this information.

Duplicative Federal Programs

Pursuant to clause 3(c) of Rule XIII, the Committee finds that H.R. 3869 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program.

Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits

In compliance with Rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of Rule XXI.

Federal Mandates Statement

An estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee.
Preemption Clarification

In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 3869 does not preempt any State, local, or Tribal law.

Disclosure of Directed Rule Makings

The Committee estimates that H.R. 3869 would require no directed rule makings.

Advisory Committee Statement

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

Applicability to Legislative Branch

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

Section-by-Section Analysis of the Legislation

Section 1. Short Title.

This section provides that this bill may be cited as the "State and Local Cyber Protection Act of 2015".

Sec. 2. State and Local Coordination on Cybersecurity with the National Cybersecurity and Communications Integration Center.

Subsection (a). This subsection amends the second section 226 of the Homeland Security Act (HSA) by adding the following: "Subsection (g) State and Local Coordination on Cybersecurity." The National Cybersecurity and Communications Integration Center (Center) shall, to the extent practicable, offer assistance, tools, and training to State and local governments to address cybersecurity risks and incidents.

This subsection instructs the Center to offer assistance, upon request, to State and Local governments to secure information systems through the identification of cybersecurity risks and relevant protective security tools and the deployment of technology to continuously diagnose and mitigate against cyber threats and vulnerabilities.

This subsection instructs the Center to provide a web portal developed in consultation with State and local governments.

This subsection also instructs the Center to coordinate nationwide efforts, working with national associations, to secure information systems at the State and local level. One potential mechanism for doing so would be participation and coordination in national meetings that are already in place, such as current meetings coordinated by the National Governors Association, the National Association of State Chief Information Officers and other relevant groups.

This subsection instructs the Center to, upon request, provide to State and locals technical cybersecurity training to relevant analysts, such as the cyber analysis training course held at Argonne National Laboratory, which includes in its target audience analysts supporting State Chief Information Officers and/or Chief Information Security Officers.

This subsection also instructs the Center, in coordination with the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer of the Department, to provide privacy and civil liberties training.

The subsection also instructs the Center to provide operational and technical assistance for implementing tools, products, resources, policies, guidelines, and procedures for information security. The Center is also instructed to compile and analyze data on State and local information security, and develop and conduct targeted operational evaluations for State and local governments. The Committee believes this legislation reinforces the support and assistance DHS is already providing for State and local governments through existing funded programs.

This subsection also instructs the Center to assist State and locals to develop procedures for coordinating vulnerability disclosures using current standards. It informs State and local governments on the tools, products, resources, policies, guidelines, and procedures on information security best practices.

Subsection (b) Congressional Oversight. This subsection requires the Center to submit to the U.S. House of Representatives Committee on Homeland Security and U.S. Senate Committee on Homeland Security and Governmental Affairs, two years after the enactment of this bill, information on the activities and effectiveness of their coordination efforts with State and local governments. The Center is required to seek feedback from State and local governments and incorporate such feedback into this submitted information.

The Committee intends for this legislation to instruct the Center to execute and provide cybersecurity assistance to State and local governments, including by assisting governors and other appointed and elected SLTT government officials with identifying cybersecurity initiatives and partnership opportunities with Federal agencies and State and local associations to help protect their citizens online. The Committee underscores this point by noting that the bill provides no new funding and, as such, is not intended to place new unfunded mandates on DHS. Instead, it seeks to codify the NCCIC to manage existing efforts and to strengthen partnerships with State and local governments.

Changes in Existing Law Made by the Bill, as Reported

In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italics and existing law in which no change is proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

* * * * * * *

TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

* * * * * * *

Subtitle C--Information Security

* * * * * * *

SEC. 226. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
(a) Definitions.--In this section--
  (1) the term "cybersecurity risk" means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of information or information systems, including such related consequences caused by an act of terrorism;
  (2) the term "incident" means an occurrence that--
    (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or
    (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies;
  (3) the term "information sharing and analysis organization" has the meaning given that term in section 212(5); and
  (4) the term "information system" has the meaning given that term in section 3502(8) of title 44, United States Code.

(b) Center.--There is in the Department a national cybersecurity and communications integration center (referred to in this section as the "Center") to carry out certain responsibilities of the Under Secretary appointed under section 103(a)(1)(H).
(c) Functions.--The cybersecurity functions of the Center shall include--
  (1) being a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities;
  (2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities;
  (3) coordinating the sharing of information related to cybersecurity risks and incidents across the Federal Government;
  (4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors;
  (5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cybersecurity risks and incidents; and
    (B) sharing the analysis conducted under subparagraph (A) with Federal and non-Federal entities;
  (6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cybersecurity risks and incidents, which may include attribution, mitigation, and remediation; and
  (7) providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including information and recommendations to--
    (A) facilitate information security; and
    (B) strengthen information systems against cybersecurity risks and incidents.

(d) Composition.--
  (1) In general.--The Center shall be composed of--
    (A) appropriate representatives of Federal entities, such as--
      (i) sector-specific agencies;
      (ii) civilian and law enforcement agencies; and
      (iii) elements of the intelligence community, as that term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4));
    (B) appropriate representatives of non-Federal entities, such as--
      (i) State and local governments;
      (ii) information sharing and analysis organizations; and
      (iii) owners and operators of critical information systems;
    (C) components within the Center that carry out cybersecurity and communications activities;
    (D) a designated Federal official for operational coordination with and across each sector; and
    (E) other appropriate representatives or entities, as determined by the Secretary.
  (2) Incidents.--In the event of an incident, during exigent circumstances the Secretary may grant a Federal or non-Federal entity immediate temporary access to the Center.

(e) Principles.--In carrying out the functions under subsection (c), the Center shall ensure--
  (1) to the extent practicable, that--
    (A) timely, actionable, and relevant information related to cybersecurity risks, incidents, and analysis is shared;
    (B) when appropriate, information related to cybersecurity risks, incidents, and analysis is integrated with other relevant information and tailored to the specific characteristics of a sector;
    (C) activities are prioritized and conducted based on the level of risk;
    (D) industry sector-specific, academic, and national laboratory expertise is sought and receives appropriate consideration;
    (E) continuous, collaborative, and inclusive coordination occurs--
      (i) across sectors; and
      (ii) with--
        (I) sector coordinating councils;
        (II) information sharing and analysis organizations; and
        (III) other appropriate non-Federal partners;
    (F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cybersecurity risks and incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient; and
    (G) the Center works with other agencies to reduce unnecessarily duplicative sharing of information related to cybersecurity risks and incidents;
  (2) that information related to cybersecurity risks and incidents is appropriately safeguarded against unauthorized access; and
  (3) that activities conducted by the Center comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons.

(f) No Right or Benefit.--
  (1) In general.--The provision of assistance or information to, and inclusion in the Center of, governmental or private entities under this section shall be at the sole and unreviewable discretion of the Under Secretary appointed under section 103(a)(1)(H).
  (2) Certain assistance or information.--The provision of certain assistance or information to, or inclusion in the Center of, one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity.

(g) State and Local Coordination on Cybersecurity.--
  (1) In general.--The Center shall, to the extent practicable--
    (A) assist State and local governments, upon request, in identifying information system vulnerabilities;
    (B) assist State and local governments, upon request, in identifying information security protections commensurate with cybersecurity risks and the magnitude of the potential harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
      (i) information collected or maintained by or on behalf of a State or local government; or
      (ii) information systems used or operated by an agency or by a contractor of a State or local government or other organization on behalf of a State or local government;
    (C) in consultation with State and local governments, provide and periodically update via a web portal tools, products, resources, policies, guidelines, and procedures related to information security;
    (D) work with senior State and local government officials, including State and local Chief Information Officers, through national associations to coordinate a nationwide effort to ensure effective implementation of tools, products, resources, policies, guidelines, and procedures related to information security to secure and ensure the resiliency of State and local information systems;
    (E) provide, upon request, operational and technical cybersecurity training to State and local government and fusion center analysts and operators to address cybersecurity risks or incidents;
    (F) provide, in coordination with the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer of the Department, privacy and civil liberties training to State and local governments related to cybersecurity;
    (G) provide, upon request, operational and technical assistance to State and local governments to implement tools, products, resources, policies, guidelines, and procedures on information security by--
      (i) deploying technology to assist such State or local government to continuously diagnose and mitigate against cyber threats and vulnerabilities, with or without reimbursement;
      (ii) compiling and analyzing data on State and local information security; and
      (iii) developing and conducting targeted operational evaluations, including threat and vulnerability assessments, on the information systems of State and local governments;
    (H) assist State and local governments to develop policies and procedures for coordinating vulnerability disclosures, to the extent practicable, consistent with international and national standards in the information technology industry, including standards developed by the National Institute of Standards and Technology; and
    (I) ensure that State and local governments, as appropriate, are made aware of the tools, products, resources, policies, guidelines, and procedures on information security developed by the Department and other appropriate Federal departments and agencies for ensuring the security and resiliency of Federal civilian information systems.
  (2) Training.--Privacy and civil liberties training provided pursuant to subparagraph (F) of paragraph (1) shall include processes, methods, and information that--
    (A) are consistent with the Department's Fair Information Practice Principles developed pursuant to section 552a of title 5, United States Code (commonly referred to as the "Privacy Act of 1974" or the "Privacy Act");
    (B) reasonably limit, to the greatest extent practicable, the receipt, retention, use, and disclosure of information related to cybersecurity risks and incidents associated with specific persons that is not necessary, for cybersecurity purposes, to protect an information system or network of information systems from cybersecurity risks or to mitigate cybersecurity risks and incidents in a timely manner;
    (C) minimize any impact on privacy and civil liberties;
    (D) provide data integrity through the prompt removal and destruction of obsolete or erroneous names and personal information that is unrelated to the cybersecurity risk or incident information shared and retained by the Center in accordance with this section;
    (E) include requirements to safeguard cyber threat indicators and defensive measures retained by the Center, including information that is proprietary or business-sensitive that may be used to identify specific persons, from unauthorized access or acquisition;
    (F) protect the confidentiality of cyber threat indicators and defensive measures associated with specific persons to the greatest extent practicable; and
    (G) ensure all relevant constitutional, legal, and privacy protections are observed.

* * * * * * *