[115th Congress Public Law 278]
[From the U.S. Government Publishing Office]



[[Page 4167]]

      CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY ACT OF 2018

[[Page 132 STAT. 4168]]

Public Law 115-278
115th Congress

                                 An Act


 
      To amend the Homeland Security Act of 2002 to authorize the 
 Cybersecurity and Infrastructure Security Agency of the Department of 
      Homeland Security, and for other purposes. <<NOTE: Nov. 16, 
                         2018 -  [H.R. 3359]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: Cybersecurity 
and Infrastructure Security Agency Act of 2018.>> 
SECTION 1. <<NOTE: 6 USC 101 note.>>  SHORT TITLE.

    This Act may be cited as the ``Cybersecurity and Infrastructure 
Security Agency Act of 2018''.
SEC. 2. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

    (a) In General.--The Homeland Security Act of 2002 (6 U.S.C. 101 et 
seq.) is amended by adding at the end the following:

     ``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

         ``Subtitle A--Cybersecurity and Infrastructure Security

``SEC. 2201. <<NOTE: 6 USC 651.>>  DEFINITIONS.

    ``In this subtitle:
            ``(1) Critical infrastructure information.--The term 
        `critical infrastructure information' has the meaning given the 
        term in section 2222.
            ``(2) Cybersecurity risk.--The term `cybersecurity risk' has 
        the meaning given the term in section 2209.
            ``(3) Cybersecurity threat.--The term `cybersecurity threat' 
        has the meaning given the term in section 102(5) of the 
        Cybersecurity Act of 2015 (contained in division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
        U.S.C. 1501)).
            ``(4) National cybersecurity asset response activities.--The 
        term `national cybersecurity asset response activities' means--
                    ``(A) furnishing cybersecurity technical assistance 
                to entities affected by cybersecurity risks to protect 
                assets, mitigate vulnerabilities, and reduce impacts of 
                cyber incidents;
                    ``(B) identifying other entities that may be at risk 
                of an incident and assessing risk to the same or similar 
                vulnerabilities;

[[Page 132 STAT. 4169]]

                    ``(C) assessing potential cybersecurity risks to a 
                sector or region, including potential cascading effects, 
                and developing courses of action to mitigate such risks;
                    ``(D) facilitating information sharing and 
                operational coordination with threat response; and
                    ``(E) providing guidance on how best to utilize 
                Federal resources and capabilities in a timely, 
                effective manner to speed recovery from cybersecurity 
                risks.
            ``(5) Sector-specific agency.--The term `Sector-Specific 
        Agency' means a Federal department or agency, designated by law 
        or presidential directive, with responsibility for providing 
        institutional knowledge and specialized expertise of a sector, 
        as well as leading, facilitating, or supporting programs and 
        associated activities of its designated critical infrastructure 
        sector in the all hazards environment in coordination with the 
        Department.
            ``(6) Sharing.--The term `sharing' has the meaning given the 
        term in section 2209.
``SEC. 2202. <<NOTE: 6 USC 652.>>  CYBERSECURITY AND 
                          INFRASTRUCTURE SECURITY AGENCY.

    ``(a) Redesignation.--
            ``(1) In general.--The National Protection and Programs 
        Directorate of the Department shall, on and after the date of 
        the enactment of this subtitle, be known as the `Cybersecurity 
        and Infrastructure Security Agency' (in this subtitle referred 
        to as the `Agency').
            ``(2) References.--Any reference to the National Protection 
        and Programs Directorate of the Department in any law, 
        regulation, map, document, record, or other paper of the United 
        States shall be deemed to be a reference to the Cybersecurity 
        and Infrastructure Security Agency of the Department.

    ``(b) Director.--
            ``(1) In general.--The Agency shall be headed by a Director 
        of Cybersecurity and Infrastructure Security (in this subtitle 
        referred to as the `Director'), who shall report to the 
        Secretary.
            ``(2) Reference.--Any reference to an Under Secretary 
        responsible for overseeing critical infrastructure protection, 
        cybersecurity, and any other related program of the Department 
        as described in section 103(a)(1)(H) as in effect on the day 
        before the date of enactment of this subtitle in any law, 
        regulation, map, document, record, or other paper of the United 
        States shall be deemed to be a reference to the Director of 
        Cybersecurity and Infrastructure Security of the Department.

    ``(c) Responsibilities <<NOTE: Coordination.>> .--The Director 
shall--
            ``(1) lead cybersecurity and critical infrastructure 
        security programs, operations, and associated policy for the 
        Agency, including national cybersecurity asset response 
        activities;
            ``(2) coordinate with Federal entities, including Sector-
        Specific Agencies, and non-Federal entities, including 
        international entities, to carry out the cybersecurity and 
        critical infrastructure activities of the Agency, as 
        appropriate;
            ``(3) carry out the responsibilities of the Secretary to 
        secure Federal information and information systems consistent 
        with law, including subchapter II of chapter 35 of title 44, 
        United States Code, and the Cybersecurity Act of 2015 (contained

[[Page 132 STAT. 4170]]

        in division N of the Consolidated Appropriations Act, 2016 
        (Public Law 114-113));
            ``(4) coordinate a national effort to secure and protect 
        against critical infrastructure risks, consistent with 
        subsection (e)(1)(E);
            ``(5) upon request, provide analyses, expertise, and other 
        technical assistance to critical infrastructure owners and 
        operators and, where appropriate, provide those analyses, 
        expertise, and other technical assistance in coordination with 
        Sector-Specific Agencies and other Federal departments and 
        agencies;
            ``(6) <<NOTE: Collaboration.>>  develop and utilize 
        mechanisms for active and frequent collaboration between the 
        Agency and Sector-Specific Agencies to ensure appropriate 
        coordination, situational awareness, and communications with 
        Sector-Specific Agencies;
            ``(7) <<NOTE: Consultation. Collaboration.>>  maintain and 
        utilize mechanisms for the regular and ongoing consultation and 
        collaboration among the Divisions of the Agency to further 
        operational coordination, integrated situational awareness, and 
        improved integration across the Agency in accordance with this 
        Act;
            ``(8) develop, coordinate, and implement--
                    ``(A) <<NOTE: Strategic plans.>>  comprehensive 
                strategic plans for the activities of the Agency; and
                    ``(B) <<NOTE: Risk assessments.>>  risk assessments 
                by and for the Agency;
            ``(9) carry out emergency communications responsibilities, 
        in accordance with title XVIII;
            ``(10) carry out cybersecurity, infrastructure security, and 
        emergency communications stakeholder outreach and engagement and 
        coordinate that outreach and engagement with critical 
        infrastructure Sector-Specific Agencies, as appropriate; and
            ``(11) carry out such other duties and powers prescribed by 
        law or delegated by the Secretary.

    ``(d) Deputy Director.--There shall be in the Agency a Deputy 
Director of Cybersecurity and Infrastructure Security who shall--
            ``(1) assist the Director in the management of the Agency; 
        and
            ``(2) report to the Director.

    ``(e) Cybersecurity and Infrastructure Security Authorities of the 
Secretary.--
            ``(1) In general.--The responsibilities of the Secretary 
        relating to cybersecurity and infrastructure security shall 
        include the following:
                    ``(A) To access, receive, and analyze law 
                enforcement information, intelligence information, and 
                other information from Federal Government agencies, 
                State, local, tribal, and territorial government 
                agencies, including law enforcement agencies, and 
                private sector entities, and to integrate that 
                information, in support of the mission responsibilities 
                of the Department, in order to--
                          ``(i) identify and assess the nature and scope 
                      of terrorist threats to the homeland;
                          ``(ii) detect and identify threats of 
                      terrorism against the United States; and
                          ``(iii) understand those threats in light of 
                      actual and potential vulnerabilities of the 
                      homeland.
                    ``(B) <<NOTE: Assessments.>>  To carry out 
                comprehensive assessments of the vulnerabilities of the 
                key resources and critical infrastructure of the United 
                States, including the performance of

[[Page 132 STAT. 4171]]

                risk assessments to determine the risks posed by 
                particular types of terrorist attacks within the United 
                States, including an assessment of the probability of 
                success of those attacks and the feasibility and 
                potential efficacy of various countermeasures to those 
                attacks. At the discretion of the Secretary, such 
                assessments may be carried out in coordination with 
                Sector-Specific Agencies.
                    ``(C) <<NOTE: Recommenda- tions.>>  To integrate 
                relevant information, analysis, and vulnerability 
                assessments, regardless of whether the information, 
                analysis, or assessments are provided or produced by the 
                Department, in order to make recommendations, including 
                prioritization, for protective and support measures by 
                the Department, other Federal Government agencies, 
                State, local, tribal, and territorial government 
                agencies and authorities, the private sector, and other 
                entities regarding terrorist and other threats to 
                homeland security.
                    ``(D) To ensure, pursuant to section 202, the timely 
                and efficient access by the Department to all 
                information necessary to discharge the responsibilities 
                under this title, including obtaining that information 
                from other Federal Government agencies.
                    ``(E) <<NOTE: Coordination. Plan.>>  To develop, in 
                coordination with the Sector-Specific Agencies with 
                available expertise, a comprehensive national plan for 
                securing the key resources and critical infrastructure 
                of the United States, including power production, 
                generation, and distribution systems, information 
                technology and telecommunications systems (including 
                satellites), electronic financial and property record 
                storage and transmission systems, emergency 
                communications systems, and the physical and 
                technological assets that support those systems.
                    ``(F) <<NOTE: Recommenda- tions.>>  To recommend 
                measures necessary to protect the key resources and 
                critical infrastructure of the United States in 
                coordination with other Federal Government agencies, 
                including Sector-Specific Agencies, and in cooperation 
                with State, local, tribal, and territorial government 
                agencies and authorities, the private sector, and other 
                entities.
                    ``(G) <<NOTE: Review. Analysis. Recommenda- 
                tions.>>  To review, analyze, and make recommendations 
                for improvements to the policies and procedures 
                governing the sharing of information relating to 
                homeland security within the Federal Government and 
                between Federal Government agencies and State, local, 
                tribal, and territorial government agencies and 
                authorities.
                    ``(H) To disseminate, as appropriate, information 
                analyzed by the Department within the Department to 
                other Federal Government agencies with responsibilities 
                relating to homeland security and to State, local, 
                tribal, and territorial government agencies and private 
                sector entities with those responsibilities in order to 
                assist in the deterrence, prevention, or preemption of, 
                or response to, terrorist attacks against the United 
                States.
                    ``(I) <<NOTE: Consultation.>>  To consult with 
                State, local, tribal, and territorial government 
                agencies and private sector entities to ensure 
                appropriate exchanges of information, including law

[[Page 132 STAT. 4172]]

                enforcement-related information, relating to threats of 
                terrorism against the United States.
                    ``(J) To ensure that any material received pursuant 
                to this Act is protected from unauthorized disclosure 
                and handled and used only for the performance of 
                official duties.
                    ``(K) To request additional information from other 
                Federal Government agencies, State, local, tribal, and 
                territorial government agencies, and the private sector 
                relating to threats of terrorism in the United States, 
                or relating to other areas of responsibility assigned by 
                the Secretary, including the entry into cooperative 
                agreements through the Secretary to obtain such 
                information.
                    ``(L) To establish and utilize, in conjunction with 
                the Chief Information Officer of the Department, a 
                secure communications and information technology 
                infrastructure, including data-mining and other advanced 
                analytical tools, in order to access, receive, and 
                analyze data and information in furtherance of the 
                responsibilities under this section, and to disseminate 
                information acquired and analyzed by the Department, as 
                appropriate.
                    ``(M) <<NOTE: Coordination.>>  To coordinate 
                training and other support to the elements and personnel 
                of the Department, other Federal Government agencies, 
                and State, local, tribal, and territorial government 
                agencies that provide information to the Department, or 
                are consumers of information provided by the Department, 
                in order to facilitate the identification and sharing of 
                information revealed in their ordinary duties and the 
                optimal utilization of information received from the 
                Department.
                    ``(N) <<NOTE: Coordination.>>  To coordinate with 
                Federal, State, local, tribal, and territorial law 
                enforcement agencies, and the private sector, as 
                appropriate.
                    ``(O) To exercise the authorities and oversight of 
                the functions, personnel, assets, and liabilities of 
                those components transferred to the Department pursuant 
                to section 201(g).
                    ``(P) To carry out the functions of the national 
                cybersecurity and communications integration center 
                under section 2209.
                    ``(Q) To carry out the requirements of the Chemical 
                Facility Anti-Terrorism Standards Program established 
                under title XXI and the secure handling of ammonium 
                nitrate program established under subtitle J of title 
                VIII, or any successor programs.
            ``(2) <<NOTE: Certification. Briefing. Public 
        information. Time period.>>  Reallocation.--The Secretary may 
        reallocate within the Agency the functions specified in sections 
        2203(b) and 2204(b), consistent with the responsibilities 
        provided in paragraph (1), upon certifying to and briefing the 
        appropriate congressional committees, and making available to 
        the public, at least 60 days prior to the reallocation that the 
        reallocation is necessary for carrying out the activities of the 
        Agency.
            ``(3) Staff.--
                    ``(A) In general.--The Secretary shall provide the 
                Agency with a staff of analysts having appropriate 
                expertise and experience to assist the Agency in 
                discharging the responsibilities of the Agency under 
                this section.

[[Page 132 STAT. 4173]]

                    ``(B) Private sector analysts.--Analysts under this 
                subsection may include analysts from the private sector.
                    ``(C) Security clearances.--Analysts under this 
                subsection shall possess security clearances appropriate 
                for their work under this section.
            ``(4) Detail of personnel.--
                    ``(A) In general.--In order to assist the Agency in 
                discharging the responsibilities of the Agency under 
                this section, personnel of the Federal agencies 
                described in subparagraph (B) may be detailed to the 
                Agency for the performance of analytic functions and 
                related duties.
                    ``(B) Agencies.--The Federal agencies described in 
                this subparagraph are--
                          ``(i) the Department of State;
                          ``(ii) the Central Intelligence Agency;
                          ``(iii) the Federal Bureau of Investigation;
                          ``(iv) the National Security Agency;
                          ``(v) the National Geospatial-Intelligence 
                      Agency;
                          ``(vi) the Defense Intelligence Agency;
                          ``(vii) Sector-Specific Agencies; and
                          ``(viii) any other agency of the Federal 
                      Government that the President considers 
                      appropriate.
                    ``(C) Interagency agreements.--The Secretary and the 
                head of a Federal agency described in subparagraph (B) 
                may enter into agreements for the purpose of detailing 
                personnel under this paragraph.
                    ``(D) Basis.--The detail of personnel under this 
                paragraph may be on a reimbursable or non-reimbursable 
                basis.

    ``(f) Composition.--The Agency shall be composed of the following 
divisions:
            ``(1) The Cybersecurity Division, headed by an Assistant 
        Director.
            ``(2) The Infrastructure Security Division, headed by an 
        Assistant Director.
            ``(3) The Emergency Communications Division under title 
        XVIII, headed by an Assistant Director.

    ``(g) Co-location.--
            ``(1) In general.--To the maximum extent practicable, the 
        Director shall examine the establishment of central locations in 
        geographical regions with a significant Agency presence.
            ``(2) Coordination.--When establishing the central locations 
        described in paragraph (1), the Director shall coordinate with 
        component heads and the Under Secretary for Management to co-
        locate or partner on any new real property leases, renewing any 
        occupancy agreements for existing leases, or agreeing to extend 
        or newly occupy any Federal space or new construction.

    ``(h) Privacy.--
            ``(1) In general.--There shall be a Privacy Officer of the 
        Agency with primary responsibility for privacy policy and 
        compliance for the Agency.
            ``(2) Responsibilities <<NOTE: Personal information.>> .--
        The responsibilities of the Privacy Officer of the Agency shall 
        include--
                    ``(A) assuring that the use of technologies by the 
                Agency sustain, and do not erode, privacy protections 
                relating to the use, collection, and disclosure of 
                personal information;

[[Page 132 STAT. 4174]]

                    ``(B) assuring that personal information contained 
                in systems of records of the Agency is handled in full 
                compliance as specified in section 552a of title 5, 
                United States Code (commonly known as the `Privacy Act 
                of 1974');
                    ``(C) <<NOTE: Evaluation.>>  evaluating legislative 
                and regulatory proposals involving collection, use, and 
                disclosure of personal information by the Agency; and
                    ``(D) <<NOTE: Assessment.>>  conducting a privacy 
                impact assessment of proposed rules of the Agency on the 
                privacy of personal information, including the type of 
                personal information collected and the number of people 
                affected.

    ``(i) Savings.--Nothing in this title may be construed as affecting 
in any manner the authority, existing on the day before the date of 
enactment of this title, of any other component of the Department or any 
other Federal department or agency, including the authority provided to 
the Sector-Specific Agency specified in section 61003(c) of division F 
of the Fixing America's Surface Transportation Act (6 U.S.C. 121 note; 
Public Law 114-94).
``SEC. 2203. <<NOTE: 6 USC 653.>>  CYBERSECURITY DIVISION.

    ``(a) Establishment.--
            ``(1) In general.--There is established in the Agency a 
        Cybersecurity Division.
            ``(2) Assistant director.--The Cybersecurity Division shall 
        be headed by an Assistant Director for Cybersecurity (in this 
        section referred to as the `Assistant Director'), who shall--
                    ``(A) be at the level of Assistant Secretary within 
                the Department;
                    ``(B) <<NOTE: Appointment. President.>>  be 
                appointed by the President without the advice and 
                consent of the Senate; and
                    ``(C) report to the Director.
            ``(3) Reference.--Any reference to the Assistant Secretary 
        for Cybersecurity and Communications in any law, regulation, 
        map, document, record, or other paper of the United States shall 
        be deemed to be a reference to the Assistant Director for 
        Cybersecurity.

    ``(b) Functions.--The Assistant Director shall--
            ``(1) direct the cybersecurity efforts of the Agency;
            ``(2) carry out activities, at the direction of the 
        Director, related to the security of Federal information and 
        Federal information systems consistent with law, including 
        subchapter II of chapter 35 of title 44, United States Code, and 
        the Cybersecurity Act of 2015 (contained in division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113));
            ``(3) fully participate in the mechanisms required under 
        section 2202(c)(7); and
            ``(4) carry out such other duties and powers as prescribed 
        by the Director.
``SEC. 2204. <<NOTE: 6 USC 654.>>  INFRASTRUCTURE SECURITY 
                          DIVISION.

    ``(a) Establishment.--
            ``(1) In general.--There is established in the Agency an 
        Infrastructure Security Division.
            ``(2) Assistant director.--The Infrastructure Security 
        Division shall be headed by an Assistant Director for 
        Infrastructure Security (in this section referred to as the 
        `Assistant Director'), who shall--

[[Page 132 STAT. 4175]]

                    ``(A) be at the level of Assistant Secretary within 
                the Department;
                    ``(B) <<NOTE: Appointment. President.>>  be 
                appointed by the President without the advice and 
                consent of the Senate; and
                    ``(C) report to the Director.
            ``(3) Reference.--Any reference to the Assistant Secretary 
        for Infrastructure Protection in any law, regulation, map, 
        document, record, or other paper of the United States shall be 
        deemed to be a reference to the Assistant Director for 
        Infrastructure Security.

    ``(b) Functions.--The Assistant Director shall--
            ``(1) direct the critical infrastructure security efforts of 
        the Agency;
            ``(2) carry out, at the direction of the Director, the 
        Chemical Facilities Anti-Terrorism Standards Program established 
        under title XXI and the secure handling of ammonium nitrate 
        program established under subtitle J of title VIII, or any 
        successor programs;
            ``(3) fully participate in the mechanisms required under 
        section 2202(c)(7); and
            ``(4) carry out such other duties and powers as prescribed 
        by the Director.''.

    (b) Treatment of Certain Positions.--
            (1) Under secretary <<NOTE: 6 USC 652 note.>> .--The 
        individual serving as the Under Secretary appointed pursuant to 
        section 103(a)(1)(H) of the Homeland Security Act of 2002 (6 
        U.S.C. 113(a)(1)(H)) of the Department of Homeland Security on 
        the day before the date of enactment of this Act may continue to 
        serve as the Director of Cybersecurity and Infrastructure 
        Security of the Department on and after such date.
            (2) Director for emergency <<NOTE: 6 USC 571 
        note.>> communications.--The individual serving as the Director 
        for Emergency Communications of the Department of Homeland 
        Security on the day before the date of enactment of this Act may 
        continue to serve as the Assistant Director for Emergency 
        Communications of the Department on and after such date.
            (3) Assistant secretary for cybersecurity and 
        communications <<NOTE: 6 USC 653 note.>> .--The individual 
        serving as the Assistant Secretary for Cybersecurity and 
        Communications on the day before the date of enactment of this 
        Act may continue to serve as the Assistant Director for 
        Cybersecurity on and after such date.
            (4) Assistant secretary for infrastructure 
        protection <<NOTE: 6 USC 654 note.>> .--The individual serving 
        as the Assistant Secretary for Infrastructure Protection on the 
        day before the date of enactment of this Act may continue to 
        serve as the Assistant Director for Infrastructure Security on 
        and after such date.

    (c) Reference <<NOTE: 6 USC 571 note.>> .--Any reference to--
            (1) the Office of Emergency Communications in any law, 
        regulation, map, document, record, or other paper of the United 
        States shall be deemed to be a reference to the Emergency 
        Communications Division; and
            (2) the Director for Emergency Communications in any law, 
        regulation, map, document, record, or other paper of the United 
        States shall be deemed to be a reference to the Assistant 
        Director for Emergency Communications.

    (d) Oversight <<NOTE: Deadlines.>> .--The Director of Cybersecurity 
and Infrastructure Security of the Department of Homeland Security shall 
provide

[[Page 132 STAT. 4176]]

to Congress, in accordance with the deadlines specified in paragraphs 
(1) through (6), information on the following:
            (1) <<NOTE: Briefing.>>  Not later than 60 days after the 
        date of enactment of this Act, a briefing on the activities of 
        the Agency relating to the development and use of the mechanisms 
        required pursuant to section 2202(c)(6) of the Homeland Security 
        Act of 2002 (as added by subsection (a)).
            (2) <<NOTE: Briefing.>>  Not later than 1 year after the 
        date of the enactment of this Act, a briefing on the activities 
        of the Agency relating to the use and improvement by the Agency 
        of the mechanisms required pursuant to section 2202(c)(6) of the 
        Homeland Security Act of 2002 and how such activities have 
        impacted coordination, situational awareness, and communications 
        with Sector-Specific Agencies.
            (3) Not later than 90 days after the date of the enactment 
        of this Act, information on the mechanisms of the Agency for 
        regular and ongoing consultation and collaboration, as required 
        pursuant to section 2202(c)(7) of the Homeland Security Act of 
        2002 (as added by subsection (a)).
            (4) Not later than 1 year after the date of the enactment of 
        this Act, information on the activities of the consultation and 
        collaboration mechanisms of the Agency as required pursuant to 
        section 2202(c)(7) of the Homeland Security Act of 2002, and how 
        such mechanisms have impacted operational coordination, 
        situational awareness, and integration across the Agency.
            (5) Not later than 180 days after the date of enactment of 
        this Act, information, which shall be made publicly available 
        and updated as appropriate, on the mechanisms and structures of 
        the Agency responsible for stakeholder outreach and engagement, 
        as required under section 2202(c)(10) of the Homeland Security 
        Act of 2002 (as added by subsection (a)).

    (e) Cyber Workforce <<NOTE: Coordination. Reports.>> .--Not later 
than 90 days after the date of enactment of this Act, the Director of 
the Cybersecurity and Infrastructure Security Agency of the Department 
of Homeland Security, in coordination with the Director of the Office of 
Personnel Management, shall submit to Congress a report detailing how 
the Agency is meeting legislative requirements under the Cybersecurity 
Workforce Assessment Act (Public Law 113-246; 128 Stat. 2880) and the 
Homeland Security Cybersecurity Workforce Assessment Act (enacted as 
section 4 of the Border Patrol Agent Pay Reform Act of 2014; Public Law 
113-277) to address cyber workforce needs.

    (f) Facility <<NOTE: Reports.>> .--Not later than 180 days after the 
date of enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency of the Department of Homeland Security 
shall report to Congress on the most efficient and effective methods of 
consolidating Agency facilities, personnel, and programs to most 
effectively carry out the Agency's mission.

    (g) Technical and Conforming Amendments to the Homeland Security Act 
of 2002.--The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is 
amended--
            (1) by amending section 103(a)(1)(H) (6 U.S.C. 113(a)(1)(H)) 
        to read as follows:
                    ``(H) A Director of the Cybersecurity and 
                Infrastructure Security Agency.'';
            (2) in title II (6 U.S.C. 121 et seq.)--
                    (A) in the title heading, by striking ``AND 
                INFRASTRUCTURE PROTECTION'';

[[Page 132 STAT. 4177]]

                    (B) in the subtitle A heading, by striking ``and 
                Infrastructure Protection'';
                    (C) in section 201 (6 U.S.C. 121)--
                          (i) in the section heading, by striking ``and 
                      infrastructure protection'';
                          (ii) in subsection (a)--
                                    (I) in the subsection heading, by 
                                striking ``and Infrastructure 
                                Protection''; and
                                    (II) by striking ``and an Office of 
                                Infrastructure Protection'';
                          (iii) in subsection (b)--
                                    (I) in the subsection heading, by 
                                striking ``and Assistant Secretary for 
                                Infrastructure Protection''; and
                                    (II) by striking paragraph (3);
                          (iv) in subsection (c)--
                                    (I) by striking ``and infrastructure 
                                protection''; and
                                    (II) by striking ``or the Assistant 
                                Secretary for Infrastructure Protection, 
                                as appropriate'';
                          (v) in subsection (d)--
                                    (I) in the subsection heading, by 
                                striking ``and Infrastructure 
                                Protection'';
                                    (II) in the matter preceding 
                                paragraph (1), by striking ``and 
                                infrastructure protection'';
                                    (III) by striking paragraphs (5), 
                                (6), and (25);
                                    (IV) by redesignating paragraphs (7) 
                                through (24) as paragraphs (5) through 
                                (22), respectively;
                                    (V) by redesignating paragraph (26) 
                                as paragraph (23); and
                                    (VI) in paragraph (23)(B)(i), as so 
                                redesignated, by striking ``section 
                                319'' and inserting ``section 320'';
                          (vi) in subsection (e)(1), by striking ``and 
                      the Office of Infrastructure Protection''; and
                          (vii) in subsection (f)(1), by striking ``and 
                      the Office of Infrastructure Protection'';
                    (D) in section 202 (6 U.S.C. 122)--
                          (i) in subsection (c), in the matter preceding 
                      paragraph (1), by striking ``Director of Central 
                      Intelligence'' and inserting ``Director of 
                      National Intelligence''; and
                          (ii) in subsection (d)(2), by striking 
                      ``Director of Central Intelligence'' and inserting 
                      ``Director of National Intelligence'';
                    (E) in section 204 (6 U.S.C. 124a)--
                          (i) in subsection (c)(1), in the matter 
                      preceding subparagraph (A), by striking 
                      ``Assistant Secretary for Infrastructure 
                      Protection'' and inserting ``Director of the 
                      Cybersecurity and Infrastructure Security 
                      Agency''; and
                          (ii) in subsection (d)(1), in the matter 
                      preceding subparagraph (A), by striking 
                      ``Assistant Secretary for Infrastructure 
                      Protection'' and inserting ``Director of the 
                      Cybersecurity and Infrastructure Security 
                      Agency'';
                    (F) in section 210A(c)(2)(B) (6 U.S.C. 
                124h(c)(2)(B)), by striking ``Office of Infrastructure 
                Protection'' and

[[Page 132 STAT. 4178]]

                inserting ``Cybersecurity and Infrastructure Security 
                Agency'';
                    (G) by redesignating section 210E (6 U.S.C. 124l) as 
                section 2214 <<NOTE: 6 USC 664.>>  and transferring such 
                section to appear after section 2213 (as redesignated by 
                subparagraph (I));
                    (H) <<NOTE: 6 USC 671-674.>>  in subtitle B, by 
                redesignating sections 211 through 215 (6 U.S.C. 101 
                note, and 131 through 134) as sections 2221 through 
                2225, respectively, and transferring such subtitle, 
                including the enumerator and heading of subtitle B and 
                such sections, to appear after section 2214 (as 
                redesignated by subparagraph (G));
                    (I) <<NOTE: 6 USC 655-663.>>  by redesignating 
                sections 223 through 230 (6 U.S.C. 143 through 151) as 
                sections 2205 through 2213, respectively, and 
                transferring such sections to appear after section 2204, 
                as added by this Act;
                    (J) <<NOTE: 6 USC 124m.>>  by redesignating section 
                210F as section 210E; and
                    (K) by redesignating subtitles C and D as subtitles 
                B and C, respectively;
            (3) in title III (6 U.S.C. 181 et seq.)--
                    (A) in section 302 (6 U.S.C. 182)--
                          (i) by striking ``biological,,'' each place 
                      that term appears and inserting ``biological,''; 
                      and
                          (ii) in paragraph (3), by striking ``Assistant 
                      Secretary for Infrastructure Protection'' and 
                      inserting ``Director of the Cybersecurity and 
                      Infrastructure Security Agency'';
                    (B) by redesignating the second section 319 (6 
                U.S.C. 195f) (relating to EMP and GMD mitigation 
                research and development) as section 320; and
                    (C) in section 320(c)(1), as so redesignated, by 
                striking ``Section 214'' and inserting ``Section 2224'';
            (4) in title V (6 U.S.C. 311 et seq.)--
                    (A) in section 508(d)(2)(D) (6 U.S.C. 318(d)(2)(D)), 
                by striking ``The Director of the Office of Emergency 
                Communications of the Department of Homeland Security'' 
                and inserting ``The Assistant Director for Emergency 
                Communications'';
                    (B) in section 514 (6 U.S.C. 321c)--
                          (i) by striking subsection (b); and
                          (ii) by redesignating subsection (c) as 
                      subsection (b); and
                    (C) in section 523 (6 U.S.C. 321l)--
                          (i) in subsection (a), in the matter preceding 
                      paragraph (1), by striking ``Assistant Secretary 
                      for Infrastructure Protection'' and inserting 
                      ``Director of Cybersecurity and Infrastructure 
                      Security''; and
                          (ii) in subsection (c), by striking 
                      ``Assistant Secretary for Infrastructure 
                      Protection'' and inserting ``Director of 
                      Cybersecurity and Infrastructure Security'';
            (5) in title VIII (6 U.S.C. 361 et seq.)--
                    (A) in section 884(d)(4)(A)(ii) (6 U.S.C. 
                464(d)(4)(A)(ii)), by striking ``Under Secretary 
                responsible for overseeing critical infrastructure 
                protection, cybersecurity, and other related programs of 
                the Department'' and inserting ``Director of 
                Cybersecurity and Infrastructure Security''; and

[[Page 132 STAT. 4179]]

                    (B) in section 899B(a) (6 U.S.C. 488a(a)), by adding 
                at the end the following: ``Such regulations shall be 
                carried out by the Cybersecurity and Infrastructure 
                Security Agency.'';
            (6) in title XVIII (6 U.S.C. 571 et seq.)--
                    (A) in section 1801 (6 U.S.C. 571)--
                          (i) in the section heading, by striking 
                      ``office of emergency communications'' and 
                      inserting ``emergency communications division'';
                          (ii) in subsection (a)--
                                    (I) by striking ``Office of 
                                Emergency Communications'' and inserting 
                                ``Emergency Communications Division''; 
                                and
                                    (II) by adding at the end the 
                                following: ``The Division shall be 
                                located in the Cybersecurity and 
                                Infrastructure Security Agency.'';
                          (iii) by amending subsection (b) to read as 
                      follows:

    ``(b) Assistant Director.--The head of the Division shall be the 
Assistant Director for Emergency Communications. The Assistant Director 
shall report to the Director of Cybersecurity and Infrastructure 
Security. All decisions of the Assistant Director that entail the 
exercise of significant authority shall be subject to the approval of 
the Director of Cybersecurity and Infrastructure Security.'';
                          (iv) in subsection (c)--
                                    (I) in the matter preceding 
                                paragraph (1), by inserting 
                                ``Assistant'' before ``Director'';
                                    (II) in paragraph (14), by striking 
                                ``and'' at the end;
                                    (III) in paragraph (15), by striking 
                                the period at the end and inserting ``; 
                                and''; and
                                    (IV) by inserting after paragraph 
                                (15) the following:
            ``(16) fully participate in the mechanisms required under 
        section 2202(c)(7).'';
                          (v) in subsection (d), in the matter preceding 
                      paragraph (1), by inserting ``Assistant'' before 
                      ``Director''; and
                          (vi) in subsection (e), in the matter 
                      preceding paragraph (1), by inserting 
                      ``Assistant'' before ``Director'';
                    (B) in sections 1802 through 1805 (6 U.S.C. 572 
                through 575), by striking ``Director for Emergency 
                Communications'' each place that term appears and 
                inserting ``Assistant Director for Emergency 
                Communications'';
                    (C) in section 1809 (6 U.S.C. 579)--
                          (i) by striking ``Director of Emergency 
                      Communications'' each place that term appears and 
                      inserting ``Assistant Director for Emergency 
                      Communications'';
                          (ii) in subsection (b)--
                                    (I) by striking ``Director for 
                                Emergency Communications'' and inserting 
                                ``Assistant Director for Emergency 
                                Communications''; and
                                    (II) by striking ``Office of 
                                Emergency Communications'' and inserting 
                                ``Emergency Communications Division'';
                          (iii) in subsection (e)(3), by striking ``the 
                      Director'' and inserting ``the Assistant 
                      Director''; and
                          (iv) in subsection (m)(1)--

[[Page 132 STAT. 4180]]

                                    (I) by striking ``The Director'' and 
                                inserting ``The Assistant Director'';
                                    (II) by striking ``the Director 
                                determines'' and inserting ``the 
                                Assistant Director determines''; and
                                    (III) by striking ``Office of 
                                Emergency Communications'' and inserting 
                                ``Cybersecurity and Infrastructure 
                                Security Agency'';
                    (D) in section 1810 (6 U.S.C. 580)--
                          (i) in subsection (a)(1), by striking 
                      ``Director of the Office of Emergency 
                      Communications (referred to in this section as the 
                      `Director')'' and inserting ``Assistant Director 
                      for Emergency Communications (referred to in this 
                      section as the `Assistant Director')'';
                          (ii) in subsection (c), by striking ``Office 
                      of Emergency Communications'' and inserting 
                      ``Emergency Communications Division''; and
                          (iii) by striking ``Director'' each place that 
                      term appears and inserting ``Assistant Director'';
            (7) in title XX (6 U.S.C. 601 et seq.)--
                    (A) in paragraph (4)(A)(iii)(II) of section 2001 (6 
                U.S.C. 601), by striking ``section 210E(a)(2)'' and 
                inserting ``section 2214(a)(2)'';
                    (B) in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by 
                striking ``section 210E(a)(2)'' and inserting ``section 
                2214(a)(2)''; and
                    (C) in section 2021 (6 U.S.C. 611)--
                          (i) by striking subsection (c); and
                          (ii) by redesignating subsection (d) as 
                      subsection (c);
            (8) in title XXI (6 U.S.C. 621 et seq.)--
                    (A) in section 2102(a)(1) (6 U.S.C. 622(a)(1)), by 
                inserting ``, which shall be located in the 
                Cybersecurity and Infrastructure Security Agency'' 
                before the period at the end; and
                    (B) in section 2104(c)(2) (6 U.S.C. 624(c)(2)), by 
                striking ``Under Secretary responsible for overseeing 
                critical infrastructure protection, cybersecurity, and 
                other related programs of the Department appointed under 
                section 103(a)(1)(H)'' and inserting ``Director of 
                Cybersecurity and Infrastructure Security''; and
            (9) in title XXII, as added by this Act--
                    (A) in subtitle A--
                          (i) in section 2205, as so redesignated--
                                    (I) in the matter preceding 
                                paragraph (1)--
                                            (aa) by striking ``section 
                                        201'' and inserting ``section 
                                        2202''; and
                                            (bb) by striking ``Under 
                                        Secretary appointed under 
                                        section 103(a)(1)(H)'' and 
                                        inserting ``Director of 
                                        Cybersecurity and Infrastructure 
                                        Security''; and
                                    (II) in paragraph (1)(B), by 
                                striking ``and'' at the end;
                          (ii) in section 2206, as so redesignated, by 
                      striking ``Assistant Secretary for Infrastructure 
                      Protection'' and inserting ``Director of 
                      Cybersecurity and Infrastructure Security'';
                          (iii) in section 2209, as so redesignated--

[[Page 132 STAT. 4181]]

                                    (I) by striking ``Under Secretary 
                                appointed under section 103(a)(1)(H)'' 
                                each place that term appears and 
                                inserting ``Director'';
                                    (II) in subsection (a)(4), by 
                                striking ``section 212(5)'' and 
                                inserting ``section 2222(5)'';
                                    (III) in subsection (b), by adding 
                                at the end the following: ``The Center 
                                shall be located in the Cybersecurity 
                                and Infrastructure Security Agency. The 
                                head of the Center shall report to the 
                                Assistant Director for Cybersecurity.''; 
                                and
                                    (IV) in subsection (c)(11), by 
                                striking ``Office of Emergency 
                                Communications'' and inserting 
                                ``Emergency Communications Division'';
                          (iv) in section 2210, as so redesignated--
                                    (I) by striking ``section 227'' each 
                                place that term appears and inserting 
                                ``section 2209''; and
                                    (II) in subsection (c)--
                                            (aa) by striking ``Under 
                                        Secretary appointed under 
                                        section 103(a)(1)(H)'' and 
                                        inserting ``Director of 
                                        Cybersecurity and Infrastructure 
                                        Security''; and
                                            (bb) by striking ``section 
                                        212(5)'' and inserting ``section 
                                        2222(5)'';
                          (v) in section 2211(b)(2)(A), as so 
                      redesignated, by striking ``the section 227'' and 
                      inserting ``section 2209'';
                          (vi) in section 2212, as so redesignated, by 
                      striking ``section 212(5)'' and inserting 
                      ``section 2222(5)'';
                          (vii) in section 2213(a), as so redesignated--
                                    (I) in paragraph (3), by striking 
                                ``section 228'' and inserting ``section 
                                2210''; and
                                    (II) in paragraph (4), by striking 
                                ``section 227'' and inserting ``section 
                                2209''; and
                          (viii) in section 2214, as so redesignated--
                                    (I) by striking subsection (e); and
                                    (II) by redesignating subsection (f) 
                                as subsection (e); and
                    (B) in subtitle B--
                          (i) in section 2222(8), as so redesignated, by 
                      striking ``section 227'' and inserting ``section 
                      2209''; and
                          (ii) in section 2224(h), as so redesignated, 
                      by striking ``section 213'' and inserting 
                      ``section 2223'';

    (h) Technical and Conforming Amendments to Other Laws.--
            (1) Cybersecurity act of 2015.--The Cybersecurity Act of 
        2015 (6 U.S.C. 1501 et seq.) is amended--
                    (A) in section 202(2) (6 U.S.C. 131 note)--
                          (i) by striking ``section 227'' and inserting 
                      ``section 2209''; and
                          (ii) by striking ``, as so redesignated by 
                      section 223(a)(3) of this division'';
                    (B) in section 207(2) (Public Law 114-113; 129 Stat. 
                2962)--
                          (i) by striking ``section 227'' and inserting 
                      ``section 2209''; and
                          (ii) by striking ``, as redesignated by 
                      section 223(a) of this division,'';

[[Page 132 STAT. 4182]]

                    (C) in section 208 (Public Law 114-113; 129 Stat. 
                2962), by striking ``Under Secretary appointed under 
                section 103(a)(1)(H) of the Homeland Security Act of 
                2002 (6 U.S.C. 113(a)(1)(H))'' and inserting ``Director 
                of Cybersecurity and Infrastructure Security of the 
                Department'';
                    (D) in section 222 (6 U.S.C. 1521)--
                          (i) in paragraph (2)--
                                    (I) by striking ``section 228'' and 
                                inserting ``section 2210''; and
                                    (II) by striking ``, as added by 
                                section 223(a)(4) of this division''; 
                                and
                          (ii) in paragraph (4)--
                                    (I) by striking ``section 227'' and 
                                inserting ``section 2209''; and
                                    (II) by striking ``, as so 
                                redesignated by section 223(a)(3) of 
                                this division'';
                    (E) in section 223(b) (6 U.S.C. 151 note)--
                          (i) by striking ``section 230(b)(1) of the 
                      Homeland Security Act of 2002, as added by 
                      subsection (a)'' each place that term appears and 
                      inserting ``section 2213(b)(1) of the Homeland 
                      Security Act of 2002''; and
                          (ii) in paragraph (1)(B), by striking 
                      ``section 230(b)(2) of the Homeland Security Act 
                      of 2002, as added by subsection (a)'' and 
                      inserting ``section 2213(b)(2) of the Homeland 
                      Security Act of 2002'';
                    (F) in section 226 (6 U.S.C. 1524)--
                          (i) in subsection (a)--
                                    (I) in paragraph (1)--
                                            (aa) by striking ``section 
                                        230'' and inserting ``section 
                                        2213''; and
                                            (bb) by striking ``, as 
                                        added by section 223(a)(6) of 
                                        this division'';
                                    (II) in paragraph (4)--
                                            (aa) by striking ``section 
                                        228(b)(1)'' and inserting 
                                        ``section 2210(b)(1)''; and
                                            (bb) by striking ``, as 
                                        added by section 223(a)(4) of 
                                        this division''; and
                                    (III) in paragraph (5)--
                                            (aa) by striking ``section 
                                        230(b)'' and inserting ``section 
                                        2213(b)''; and
                                            (bb) by striking ``, as 
                                        added by section 223(a)(6) of 
                                        this division''; and
                          (ii) in subsection (c)(1)(A)(vi)--
                                    (I) by striking ``section 
                                230(c)(5)'' and inserting ``section 
                                2213(c)(5)''; and
                                    (II) by striking ``, as added by 
                                section 223(a)(6) of this division'';
                    (G) in section 227 (6 U.S.C. 1525)--
                          (i) in subsection (a)--
                                    (I) by striking ``section 230'' and 
                                inserting ``section 2213''; and
                                    (II) by striking ``, as added by 
                                section 223(a)(6) of this division,''; 
                                and
                          (ii) in subsection (b)--
                                    (I) by striking ``section 
                                230(d)(2)'' and inserting ``section 
                                2213(d)(2)''; and

[[Page 132 STAT. 4183]]

                                    (II) by striking ``, as added by 
                                section 223(a)(6) of this division,''; 
                                and
                    (H) in section 404 (6 U.S.C. 1532)--
                          (i) by striking ``Director for Emergency 
                      Communications'' each place that term appears and 
                      inserting ``Assistant Director for Emergency 
                      Communications''; and
                          (ii) in subsection (a)--
                                    (I) by striking ``section 227'' and 
                                inserting ``section 2209''; and
                                    (II) by striking ``, as redesignated 
                                by section 223(a)(3) of this 
                                division,''.
            (2) Small business act.--Section 21(a)(8)(B) of the Small 
        Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking 
        ``section 227(a) of the Homeland Security Act of 2002 (6 U.S.C. 
        148(a))'' and inserting ``section 2209(a) of the Homeland 
        Security Act of 2002''.
            (3) Title 5.--Subchapter II of chapter 53 of title 5, United 
        States Code, is amended--
                    (A) in section 5314, by inserting after ``Under 
                Secretaries, Department of Homeland Security.'' the 
                following:
            ``Director, Cybersecurity and Infrastructure Security 
        Agency.''; and
                    (B) in section 5315, by inserting after ``Assistant 
                Secretaries, Department of Homeland Security.'' the 
                following:
            ``Assistant Director for Cybersecurity, Cybersecurity and 
        Infrastructure Security Agency.
            ``Assistant Director for Infrastructure Security, 
        Cybersecurity and Infrastructure Security Agency.''.

    (i) Table of Contents Amendments.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 
2135) is amended--
            (1) by striking the item relating to title II and inserting 
        the following:

                   ``TITLE II--INFORMATION ANALYSIS'';

            (2) by striking the item relating to subtitle A of title II 
        and inserting the following:

    ``Subtitle A--Information and Analysis; Access to Information'';

            (3) by striking the item relating to section 201 and 
        inserting the following:

``Sec. 201. Information and analysis.'';

            (4) by striking the items relating to sections 210E and 210F 
        and inserting the following:

``Sec. 210E. Classified Information Advisory Officer.'';

            (5) by striking the items relating to subtitle B of title II 
        and sections 211 through 215;
            (6) by striking the items relating to section 223 through 
        section 230;
            (7) by striking the item relating to subtitle C and 
        inserting the following:

[[Page 132 STAT. 4184]]

                  ``Subtitle B--Information Security'';

            (8) by striking the item relating to subtitle D and 
        inserting the following:

            ``Subtitle C--Office of Science and Technology'';

            (9) by striking the items relating to sections 317, 319, 
        318, and 319 and inserting the following:

``Sec. 317. Promoting antiterrorism through international cooperation 
           program.
``Sec. 318. Social media working group.
``Sec. 319. Transparency in research and development.
``Sec. 320. EMP and GMD mitigation research and development.'';

            (10) by striking the item relating to section 1801 and 
        inserting the following:

``Sec. 1801. Emergency Communications Division.''; and

            (11) by adding at the end the following:

     ``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

         ``Subtitle A--Cybersecurity and Infrastructure Security

``Sec. 2201. Definitions.
``Sec. 2202. Cybersecurity and Infrastructure Security Agency.
``Sec. 2203. Cybersecurity Division.
``Sec. 2204. Infrastructure Security Division.
``Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.
``Sec. 2206. Net guard.
``Sec. 2207. Cyber Security Enhancement Act of 2002.
``Sec. 2208. Cybersecurity recruitment and retention.
``Sec. 2209. National cybersecurity and communications integration 
           center.
``Sec. 2210. Cybersecurity plans.
``Sec. 2211. Cybersecurity strategy.
``Sec. 2212. Clearances.
``Sec. 2213. Federal intrusion detection and prevention system.
``Sec. 2214. National Asset Database.

            ``Subtitle B--Critical Infrastructure Information

``Sec. 2221. Short title.
``Sec. 2222. Definitions.
``Sec. 2223. Designation of critical infrastructure protection program.
``Sec. 2224. Protection of voluntarily shared critical infrastructure 
           information.
``Sec. 2225. No private right of action.''.

SEC. 3. <<NOTE: 6 USC 452 note.>>  TRANSFER OF OTHER ENTITIES.

    (a) <<NOTE: Effective date.>>  Office of Biometric Identity 
Management.--The Office of Biometric Identity Management of the 
Department of Homeland Security located in the National Protection and 
Programs Directorate of the Department of Homeland Security on the day 
before the date of enactment of this Act is hereby transferred to the 
Management Directorate of the Department.

    (b) Federal Protective Service.--
            (1) In general <<NOTE: Deadline. Determination.>> .--Not 
        later than 90 days after the completion of the Government 
        Accountability Office review of the organizational placement of 
        the Federal Protective Service (authorized under section 1315 of 
        title 40, United States Code), the Secretary of Homeland 
        Security shall determine the appropriate placement of the 
        Service within the Department of Homeland Security and commence 
        the transfer of the Service to such component, directorate, or 
        other office of the Department that the Secretary so determines 
        appropriate.
            (2) Exception. <<NOTE: Determination. Deadlines.>> --If the 
        Secretary of Homeland Security determines pursuant to paragraph 
        (1) that no component, directorate, or other office of the 
        Department of Homeland Security

[[Page 132 STAT. 4185]]

        is an appropriate placement for the Federal Protective Service, 
        the Secretary shall--
                    (A) provide to the Committee on Homeland Security 
                and the Committee on Transportation and Infrastructure 
                of the House of Representatives and the Committee on 
                Homeland Security and Governmental Affairs of the Senate 
                and the Office of Management and Budget a detailed 
                explanation, in writing, of the reason for such 
                determination that includes--
                          (i) information on how the Department 
                      considered the Government Accountability Office 
                      review described in such paragraph;
                          (ii) <<NOTE: Lists.>>  a list of the 
                      components, directorates, or other offices of the 
                      Department that were considered for such 
                      placement; and
                          (iii) information on why each such component, 
                      directorate, or other office of the Department was 
                      determined to not be an appropriate placement for 
                      the Service;
                    (B) <<NOTE: Coordination plan. Determination.>>  not 
                later than 120 days after the completion of the 
                Government Accountability Office review described in 
                such paragraph, develop and submit to the committees 
                specified in subparagraph (A) and the Office of 
                Management and Budget a plan to coordinate with other 
                appropriate Federal agencies, including the General 
                Services Administration, to determine a more appropriate 
                placement for the Service; and
                    (C) <<NOTE: Recommenda- tions.>>  not later than 180 
                days after the completion of such Government 
                Accountability Office review, submit to such committees 
                and the Office of Management and Budget a recommendation 
                regarding the appropriate placement of the Service 
                within the executive branch of the Federal Government.
SEC. 4. DHS REPORT ON CLOUD-BASED CYBERSECURITY.

    (a) Definition.--In this section, the term ``Department'' means the 
Department of Homeland Security.
    (b) <<NOTE: Coordination.>>  Report.--Not later than 120 days after 
the date of enactment of this Act, the Secretary of Homeland Security, 
in coordination with the Director of the Office of Management and Budget 
and the Administrator of General Services, shall submit to the Committee 
on Homeland Security and Governmental Affairs of the Senate and the 
Committee on Oversight and Government Reform and the Committee on 
Homeland Security of the House of Representatives a report on the 
leadership role of the Department in cloud-based cybersecurity 
deployments for civilian Federal departments and agencies, which shall 
include--
            (1) information on the plan of the Department for ensuring 
        access to a security operations center as a service capability 
        in accordance with the December 19, 2017 Report to the President 
        on Federal IT Modernization issued by the American Technology 
        Council;
            (2) information on what service capabilities under paragraph 
        (1) the Department will prioritize, including--
                    (A) <<NOTE: Criteria.>>  criteria the Department 
                will use to evaluate capabilities offered by the private 
                sector; and

[[Page 132 STAT. 4186]]

                    (B) how Federal government- and private sector-
                provided capabilities will be integrated to enable 
                visibility and consistency of such capabilities across 
                all cloud and on premise environments, as called for in 
                the report described in paragraph (1); and
            (3) information on how the Department will adapt the current 
        capabilities of, and future enhancements to, the intrusion 
        detection and prevention system of the Department and the 
        Continuous Diagnostics and Mitigation Program of the Department 
        to secure civilian Federal government networks in a cloud 
        environment.
SEC. 5. <<NOTE: 6 USC 651 note.>>  RULE OF CONSTRUCTION.

    Nothing in this Act or an amendment made by this Act may be 
construed as--
            (1) conferring new authorities to the Secretary of Homeland 
        Security, including programmatic, regulatory, or enforcement 
        authorities, outside of the authorities in existence on the day 
        before the date of enactment of this Act;
            (2) reducing or limiting the programmatic, regulatory, or 
        enforcement authority vested in any other Federal agency by 
        statute; or
            (3) affecting in any manner the authority, existing on the 
        day before the date of enactment of this Act, of any other 
        Federal agency or component of the Department of Homeland 
        Security.
SEC. 6. PROHIBITION ON ADDITIONAL FUNDING.

    No additional funds are authorized to be appropriated to carry out 
this Act or the amendments made by this Act. This Act and the amendments 
made by this Act shall be carried out using amounts otherwise 
authorized.

    Approved November 16, 2018.

LEGISLATIVE HISTORY--H.R. 3359:
---------------------------------------------------------------------------

HOUSE REPORTS: No. 115-454, Pt. 1 (Comm. on Homeland Security).
CONGRESSIONAL RECORD:
                                                        Vol. 163 (2017):
                                    Dec. 11, considered and passed 
                                        House.
                                                        Vol. 164 (2018):
                                    Oct. 3, considered and passed 
                                        Senate, amended.
                                    Nov. 13, House concurred in Senate 
                                        amendment.
DAILY COMPILATION OF PRESIDENTIAL DOCUMENTS (2018):
            Nov. 16, Presidential remarks.

                                  <all>