
	
I

111th CONGRESS
2d Session

H. R. 5548

IN THE HOUSE OF REPRESENTATIVES

June 16, 2010

Ms. Harman (for herself and Mr. King of New York) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Homeland Security, Select Intelligence (Permanent Select), Armed Services, the Judiciary, and Education and Labor, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To amend the Homeland Security Act of 2002 and other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States.
	
Sec. 1. Short title.
This Act may be cited as the “Protecting Cyberspace as a National Asset Act of 2010”.

Sec. 2. Table of contents.
The table of contents for this Act is as follows:
			
Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Definitions.
TITLE I—Office of Cyberspace Policy
Sec. 101. Establishment of the Office of Cyberspace Policy.
Sec. 102. Appointment and responsibilities of the Director.
Sec. 103. Prohibition on political campaigning.
Sec. 104. Review of Federal agency budget requests relating to the National Strategy.
Sec. 105. Access to intelligence.
Sec. 106. Consultation.
Sec. 107. Reports to Congress.
TITLE II—National Center for Cybersecurity and Communications
Sec. 201. Cybersecurity.
TITLE III—Federal information security management
Sec. 301. Coordination of Federal information policy.
TITLE IV—Recruitment and professional development
Sec. 401. Definitions.
Sec. 402. Assessment of cybersecurity workforce.
Sec. 403. Strategic cybersecurity workforce planning.
Sec. 404. Cybersecurity occupation classifications.
Sec. 405. Measures of cybersecurity hiring effectiveness.
Sec. 406. Training and education.
Sec. 407. Cybersecurity incentives.
Sec. 408. Recruitment and retention program for the National Center for Cybersecurity and Communications.
TITLE V—Other provisions
Sec. 501. Consultation on cybersecurity matters.
Sec. 502. Cybersecurity research and development.
Sec. 503. Prioritized critical information infrastructure.
Sec. 504. National Center for Cybersecurity and Communications acquisition authorities.
Sec. 505. Technical and conforming amendments.
			
Sec. 3. Definitions.
In this Act:
(1) Appropriate congressional committees. The term “appropriate congressional committees” means—
(A) the Committee on Homeland Security and Governmental Affairs of the Senate;
(B) the Committee on Homeland Security of the House of Representatives;
(C) the Committee on Oversight and Government Reform of the House of Representatives; and
(D) any other congressional committee with jurisdiction over the particular matter.
(2) Critical infrastructure. The term “critical infrastructure” has the meaning given that term in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).
(3) Cyberspace. The term “cyberspace” means the interdependent network of information infrastructure, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.
(4) Director. The term “Director” means the Director of Cyberspace Policy established under section 101.
(5) Federal agency. The term “Federal agency”—
(A) means any executive department, Government corporation, Government-controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; and
(B) does not include the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions.
(6) Federal information infrastructure. The term “Federal information infrastructure”—
(A) means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and
(B) does not include—
(i) a national security system; or
(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community.
(7) Incident. The term “incident” means an occurrence that—
(A) actually or potentially jeopardizes—
(i) the information security of information infrastructure; or
(ii) the information that information infrastructure processes, stores, receives, or transmits; or
(B) constitutes a violation or threat of violation of security policies, security procedures, or acceptable use policies applicable to information infrastructure.
(8) Information infrastructure. The term “information infrastructure” means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.
(9) Information security. The term “information security” means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—
(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, by ensuring timely and reliable access to and use of information.
(10) Information technology. The term “information technology” has the meaning given that term in section 11101 of title 40, United States Code.
(11) Intelligence community. The term “intelligence community” has the meaning given that term under section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)).
(12) Key resources. The term “key resources” has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
(13) National Center for Cybersecurity and Communications. The term “National Center for Cybersecurity and Communications” means the National Center for Cybersecurity and Communications established under section 242(a) of the Homeland Security Act of 2002, as added by this Act.
(14) National information infrastructure. The term “national information infrastructure” means information infrastructure—
(A)(i) that is owned, operated, or controlled within or from the United States; or
(ii) if located outside the United States, the disruption of which could result in national or regional catastrophic damage in the United States; and
(B) that is not owned, operated, controlled, or licensed for use by a Federal agency.
(15) National security system. The term “national security system” has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.
(16) National strategy. The term “National Strategy” means the national strategy to increase the security and resiliency of cyberspace developed under section 101(a)(1).
(17) Office. The term “Office” means the Office of Cyberspace Policy established under section 101.
(18) Risk. The term “risk” means the potential for an unwanted outcome resulting from an incident, as determined by the likelihood of the occurrence of the incident and the associated consequences, including potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident.
(19) Risk-based security. The term “risk-based security” has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.
TITLE I—Office of Cyberspace Policy

Sec. 101. Establishment of the Office of Cyberspace Policy.
(a) Establishment of office. There is established in the Executive Office of the President an Office of Cyberspace Policy which shall—
(1) develop, not later than 1 year after the date of enactment of this Act, and update as needed, but not less frequently than once every 2 years, a national strategy to increase the security and resiliency of cyberspace, that includes goals and objectives relating to—
(A) computer network operations, including offensive activities, defensive activities, and other activities;
(B) information assurance;
(C) protection of critical infrastructure and key resources;
(D) research and development priorities;
(E) law enforcement;
(F) diplomacy;
(G) homeland security; and
(H) military and intelligence activities;
(2) oversee, coordinate, and integrate all policies and activities of the Federal Government across all instruments of national power relating to ensuring the security and resiliency of cyberspace, including—
(A) diplomatic, economic, military, intelligence, homeland security, and law enforcement policies and activities within and among Federal agencies; and
(B) offensive activities, defensive activities, and other policies and activities necessary to ensure effective capabilities to operate in cyberspace;
(3) ensure that all Federal agencies comply with appropriate guidelines, policies, and directives from the Department of Homeland Security, other Federal agencies with responsibilities relating to cyberspace security or resiliency, and the National Center for Cybersecurity and Communications; and
(4) ensure that Federal agencies have access to, receive, and appropriately disseminate law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) relevant to—
(A) the security of the Federal information infrastructure or the national information infrastructure; and
(B) the security of—
(i) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or
(ii) a national security system.
(b) Director of Cyberspace Policy.
(1) In general. There shall be a Director of Cyberspace Policy, who shall be the head of the Office.
(2) Executive schedule position. Section 5312 of title 5, United States Code, is amended by adding at the end the following:
“Director of Cyberspace Policy.”.
Sec. 102. Appointment and responsibilities of the Director.
(a) Appointment.
(1) In general. The Director shall be appointed by the President, by and with the advice and consent of the Senate.
(2) Qualifications. The President shall appoint the Director from among individuals who have demonstrated ability and knowledge in information technology, cybersecurity, and the operations, security, and resiliency of communications networks.
(3) Prohibition. No person shall serve as Director while serving in any other position in the Federal Government.
(b) Responsibilities. The Director shall—
(1) advise the President regarding the establishment of policies, goals, objectives, and priorities for securing the information infrastructure of the Nation;
(2) advise the President and other entities within the Executive Office of the President regarding mechanisms to build, and improve the resiliency and efficiency of, the information and communication industry of the Nation, in collaboration with the private sector, while promoting national economic interests;
(3) work with Federal agencies to—
(A) oversee, coordinate, and integrate the implementation of the National Strategy, including coordination with—
(i) the Department of Homeland Security;
(ii) the Department of Defense;
(iii) the Department of Commerce;
(iv) the Department of State;
(v) the Department of Justice;
(vi) the Department of Energy;
(vii) through the Director of National Intelligence, the intelligence community; and
(viii) any other Federal agency with responsibilities relating to the National Strategy; and
(B) resolve any disputes that arise between Federal agencies relating to the National Strategy or other matters within the responsibility of the Office;
(4) if the policies or activities of a Federal agency are not in compliance with the responsibilities of the Federal agency under the National Strategy—
(A) notify the Federal agency;
(B) transmit a copy of each notification under subparagraph (A) to the President and the appropriate congressional committees; and
(C) coordinate the efforts to bring the Federal agency into compliance;
(5) ensure the adequacy of protections for privacy and civil liberties in carrying out the responsibilities of the Director under this title, including through consultation with the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee);
(6) upon reasonable request, appear before any duly constituted committees of the Senate or of the House of Representatives;
(7) recommend to the Office of Management and Budget or the head of a Federal agency actions (including requests to Congress relating to the reprogramming of funds) that the Director determines are necessary to ensure risk-based security of—
(A) the Federal information infrastructure;
(B) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or
(C) a national security system;
(8) advise the Administrator of the Office of E-Government and Information Technology and the Administrator of the Office of Information and Regulatory Affairs on the development, and oversee the implementation, of policies, principles, standards, guidelines, and budget priorities for information technology functions and activities of the Federal Government;
(9) coordinate and ensure, to the maximum extent practicable, that the standards and guidelines developed for national security systems and the standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) are complementary and unified;
(10) in consultation with the Administrator of the Office of Information and Regulatory Affairs, coordinate efforts of Federal agencies relating to the development of regulations, rules, requirements, or other actions applicable to the national information infrastructure to ensure, to the maximum extent practicable, that the efforts are complementary;
(11) coordinate the activities of the Office of Science and Technology Policy, the National Economic Council, the Office of Management and Budget, the National Security Council, the Homeland Security Council, and the United States Trade Representative related to the National Strategy and other matters within the purview of the Office; and
(12) as assigned by the President, other duties relating to the security and resiliency of cyberspace.
Sec. 103. Prohibition on political campaigning.
Section 7323(b)(2)(B) of title 5, United States Code, is amended—
(1) in clause (i), by striking “or” at the end;
(2) in clause (ii), by striking the period at the end and inserting “; or”; and
(3) by adding at the end the following:
“(iii) notwithstanding the exception under subparagraph (A) (relating to an appointment made by the President, by and with the advice and consent of the Senate), the Director of Cyberspace Policy.”.
Sec. 104. Review of Federal agency budget requests relating to the National Strategy.
(a) In general. For each fiscal year, the head of each Federal agency shall transmit to the Director a copy of any portion of the budget of the Federal agency intended to implement the National Strategy at the same time as that budget request is submitted to the Office of Management and Budget in the preparation of the budget of the President submitted to Congress under section 1105(a) of title 31, United States Code.
(b) Timely submissions. The head of each Federal agency shall ensure the timely development and submission to the Director of each proposed budget under this section, in such format as may be designated by the Director with the concurrence of the Director of the Office of Management and Budget.
(c) Adequacy of the proposed budget requests. With the assistance of, and in coordination with, the Office of E-Government and Information Technology and the National Center for Cybersecurity and Communications, the Director shall review each budget submission to assess the adequacy of the proposed request with regard to implementation of the National Strategy.
(d) Inadequate budget requests. If the Director concludes that a budget request submitted under subsection (a) is inadequate, in whole or in part, to implement the objectives of the National Strategy, the Director shall submit to the Director of the Office of Management and Budget and the head of the Federal agency submitting the budget request a written description of funding levels and specific initiatives that would, in the determination of the Director, make the request adequate.
Sec. 105. Access to intelligence.
The Director shall have access to law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) that is obtained by, or in the possession of, any Federal agency that the Director determines relevant to the security of—
(1) the Federal information infrastructure;
(2) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;
(3) a national security system; or
(4) national information infrastructure.
Sec. 106. Consultation.
(a) In general. The Director may consult and obtain recommendations from, as needed, such Presidential and other advisory entities as the Director determines will assist in carrying out the mission of the Office, including—
(1) the National Security Telecommunications Advisory Committee;
(2) the National Infrastructure Advisory Council;
(3) the Privacy and Civil Liberties Oversight Board;
(4) the President’s Intelligence Advisory Board;
(5) the Critical Infrastructure Partnership Advisory Council; and
(6) the National Cybersecurity Advisory Council established under section 239 of the Homeland Security Act of 2002, as added by this Act.
(b) National Strategy. In developing and updating the National Strategy the Director shall consult with the National Cybersecurity Advisory Council and, as appropriate, State and local governments and private entities.
Sec. 107. Reports to Congress.
(a) In general. The Director shall submit an annual report to the appropriate congressional committees describing the activities, ongoing projects, and plans of the Federal Government designed to meet the goals and objectives of the National Strategy.
(b) Classified annex. A report submitted under this section shall be submitted in an unclassified form, but may include a classified annex, if necessary.
(c) Public report. An unclassified version of each report submitted under this section shall be made available to the public.
TITLE II—National Center for Cybersecurity and Communications

Sec. 201. Cybersecurity.
Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by adding at the end the following:

Subtitle E—Cybersecurity

Sec. 241. Definitions.
In this subtitle—
(1) the term “agency information infrastructure” means the Federal information infrastructure of a particular Federal agency;
(2) the term “appropriate committees of Congress” means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives;
(3) the term “Center” means the National Center for Cybersecurity and Communications established under section 242(a);
(4) the term “covered critical infrastructure” means a system or asset—
(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
(B)(i) that is a component of the national information infrastructure; or
(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset;
(5) the term “cyber vulnerability” means any security vulnerability that, if exploited, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure;
(6) the term “Director” means the Director of the Center appointed under section 242(b)(1);
(7) the term “Federal agency”—
(A) means any executive department, military department, Government corporation, Government-controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; and
(B) does not include the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions;
(8) the term “Federal information infrastructure”—
(A) means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and
(B) does not include—
(i) a national security system; or
(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;
(9) the term “incident” means an occurrence that—
(A) actually or potentially jeopardizes—
(i) the information security of information infrastructure; or
(ii) the information that information infrastructure processes, stores, receives, or transmits; or
(B) constitutes a violation or threat of violation of security policies, security procedures, or acceptable use policies applicable to information infrastructure;
(10) the term “information infrastructure” means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including—
(A) programmable electronic devices and communications networks; and
(B) any associated hardware, software, or data;
(11) the term “information security” means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—
(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, by ensuring timely and reliable access to and use of information;
(12) the term “information sharing and analysis center” means a self-governed forum whose members work together within a specific sector of critical infrastructure to identify, analyze, and share with other members and the Federal Government critical information relating to threats, vulnerabilities, or incidents to the security and resiliency of the critical infrastructure that comprises the specific sector;
(13) the term “information system” has the meaning given that term in section 3502 of title 44, United States Code;
(14) the term “intelligence community” has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4));
(15) the term “management controls” means safeguards or countermeasures for an information system that focus on the management of risk and the management of information system security;
(16) the term “National Cybersecurity Advisory Council” means the National Cybersecurity Advisory Council established under section 239;
(17) the term “national cyber emergency” means an actual or imminent action by any individual or entity to exploit a cyber vulnerability in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure;
(18) the term “national information infrastructure” means information infrastructure—
(A)(i) that is owned, operated, or controlled within or from the United States; or
(ii) if located outside the United States, the disruption of which could result in national or regional catastrophic damage in the United States; and
(B) that is not owned, operated, controlled, or licensed for use by a Federal agency;
(19) the term “national security system” has the same meaning given that term in section 3551 of title 44, United States Code;
(20) the term “operational controls” means the safeguards and countermeasures for an information system that are primarily implemented and executed by individuals, not systems;
(21) the term “sector-specific agency” means the relevant Federal agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category under the National Infrastructure Protection Plan, or any other appropriate Federal agency identified by the President after the date of enactment of this subtitle;
(22) the term “sector coordinating councils” means self-governed councils that are composed of representatives of key stakeholders within a specific sector of critical infrastructure that serve as the principal private sector policy coordination and planning entities with the Federal Government relating to the security and resiliency of the critical infrastructure that comprise that sector;
(23) the term “security controls” means the management, operational, and technical controls prescribed for an information system to protect the information security of the system;
(24) the term “small business concern” has the meaning given that term under section 3 of the Small Business Act (15 U.S.C. 632);
(25) the term “technical controls” means the safeguards or countermeasures for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system;
(26) the term “terrorism information” has the meaning given that term in section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485);
(27) the term “United States person” has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801); and
(28) the term “US–CERT” means the United States Computer Readiness Team established under section 244.
							242.National Center
				for Cybersecurity and Communications
							(a)Establishment
								(1)In
				generalThere is established within the Department a National
				Center for Cybersecurity and Communications.
								(2)Operational
				entityThe Center may—
									(A)enter into
				contracts for the procurement of property and services for the Center;
				and
									(B)appoint employees
				of the Center in accordance with the civil service laws of the United
				States.
									(b)Director
								(1)In
				generalThe Center shall be headed by a Director, who shall be
				appointed by the President, by and with the advice and consent of the
				Senate.
								(2)Reporting to
				SecretaryThe Director shall report directly to the Secretary and
				serve as the principal advisor to the Secretary on cybersecurity and the
				operations, security, and resiliency of the communications infrastructure of
				the United States.
								(3)Presidential
				adviceThe Director shall regularly advise the President on the
				exercise of the authorities provided under this subtitle or any other provision
				of law relating to the security of the Federal information infrastructure or an
				agency information infrastructure.
								(4)QualificationsThe
				Director shall be appointed from among individuals who have—
									(A)a demonstrated
				ability in and knowledge of information technology, cybersecurity, and the
				operations, security and resiliency of communications networks; and
									(B)significant
				executive leadership and management experience in the public or private
				sector.
									(5)Limitation on
				service
									(A)In
				generalSubject to subparagraph (B), the individual serving as
				the Director may not, while so serving, serve in any other capacity in the
				Federal Government, except to the extent that the individual serving as
				Director is doing so in an acting capacity.
									(B)ExceptionThe
				Director may serve on any commission, board, council, or similar entity with
				responsibilities or duties relating to cybersecurity or the operations,
				security, and resiliency of the communications infrastructure of the United
				States at the direction of the President or as otherwise provided by
				law.
									(c)Deputy
				Directors
								(1)In
				generalThere shall be not less than 2 Deputy Directors for the
				Center, who shall report to the Director.
								(2)Infrastructure
				protection
									(A) Appointment. There
				shall be a Deputy Director appointed by the Secretary, who shall have expertise
				in infrastructure protection.
									(B) Responsibilities. The Deputy Director appointed under subparagraph (A) shall—
										(i)assist the
				Director and the Assistant Secretary for Infrastructure Protection in
				coordinating, managing, and directing the information, communications, and
				physical infrastructure protection responsibilities and activities of the
				Department, including activities under Homeland Security Presidential
				Directive–7, or any successor thereto, and the National Infrastructure
				Protection Plan, or any successor thereto;
										(ii)review the budget
				for the Center and the Office of Infrastructure Protection before submission of
				the budget to the Secretary to ensure that activities are appropriately
				coordinated;
										(iii)develop, update
				periodically, and submit to the appropriate committees of Congress a strategic
				plan detailing how critical infrastructure protection activities will be
				coordinated between the Center, the Office of Infrastructure Protection, and
				the private sector;
										(iv) subject to the
				direction of the Director, resolve conflicts between the Center and the Office
				of Infrastructure Protection relating to the information, communications, and
				physical infrastructure protection responsibilities of the Center and the
				Office of Infrastructure Protection; and
										(v)perform such other
				duties as the Director may assign.
										(C) Annual evaluation. The Assistant Secretary for Infrastructure Protection
				shall submit annually to the Director an evaluation of the performance of the
				Deputy Director appointed under subparagraph (A).
									(3) Intelligence community. The Director of National Intelligence shall identify an
				employee of an element of the intelligence community to serve as a Deputy
				Director of the Center. The employee shall be detailed to the Center on a
				reimbursable basis for such period as is agreed to by the Director and the
				Director of National Intelligence, and, while serving as Deputy Director, shall
				report directly to the Director of the Center.
								(d) Liaison officers. The Secretary of Defense, the Attorney General, the
				Secretary of Commerce, and the Director of National Intelligence shall detail
				personnel to the Center to act as full-time liaisons with the Department of
				Defense, the Department of Justice, the National Institute of Standards and
				Technology, and elements of the intelligence community to assist in
				coordination between and among the Center, the Department of Defense, the
				Department of Justice, the National Institute of Standards and Technology, and
				elements of the intelligence community.
							(e) Privacy officer
								(1) In general. The Director, in consultation with the Secretary, shall
				designate a full-time privacy officer, who shall report to the Director.
								(2) Duties. The
				privacy officer designated under paragraph (1) shall have primary
				responsibility for implementation by the Center of the privacy policy for the
				Department established by the Privacy Officer appointed under section
				222.
								(f) Duties of Director
								(1) In general. The Director shall—
									(A)working
				cooperatively with the private sector, lead the Federal effort to secure,
				protect, and ensure the resiliency of the Federal information infrastructure
				and national information infrastructure of the United States, including
				communications networks;
									(B)assist in the
				identification, remediation, and mitigation of vulnerabilities to the Federal
				information infrastructure and the national information infrastructure;
									(C)provide dynamic,
				comprehensive, and continuous situational awareness of the security status of
				the Federal information infrastructure, national information infrastructure,
				and information infrastructure that is owned, operated, controlled, or licensed
				for use by, or on behalf of, the Department of Defense, a military department,
				or another element of the intelligence community by sharing and integrating
				classified and unclassified information, including information relating to
				threats, vulnerabilities, traffic, trends, incidents, and other anomalous
				activities affecting the infrastructure or systems, on a routine and continuous
				basis with—
										(i)the National
				Threat Operations Center of the National Security Agency;
										(ii)the United States
				Cyber Command, including the Joint Task Force-Global Network Operations;
										(iii)the Cyber Crime
				Center of the Department of Defense;
										(iv)the National
				Cyber Investigative Joint Task Force;
										(v)the Intelligence
				Community Incident Response Center;
										(vi)any other Federal
				agency, or component thereof, identified by the Director; and
										(vii)any non-Federal
				entity, including, where appropriate, information sharing and analysis centers,
				identified by the Director, with the concurrence of the owner or operator of
				that entity and consistent with applicable law;
										(D)work with the
				entities described in subparagraph (C) to establish policies and procedures
				that enable information sharing between and among the entities;
									(E)develop, in
				coordination with the Assistant Secretary for Infrastructure Protection, other
				Federal agencies, the private sector, and State and local governments, a
				national incident response plan that details the roles of Federal agencies,
				State and local governments, and the private sector, including plans to be
				executed in response to a declaration of a national cyber emergency by the
				President under section 249;
									(F)conduct risk-based
				assessments of the Federal information infrastructure with respect to acts of
				terrorism, natural disasters, and other large-scale disruptions and provide the
				results of the assessments to the Director of Cyberspace Policy;
									(G)develop, oversee
				the implementation of, and enforce policies, principles, and guidelines on
				information security for the Federal information infrastructure, including
				timely adoption of and compliance with standards developed by the National
				Institute of Standards and Technology under section 20 of the National
				Institute of Standards and Technology Act (15 U.S.C. 278g–3);
									(H)provide assistance
				to the National Institute of Standards and Technology in developing standards
				under section 20 of the National Institute of Standards and Technology Act (15
				U.S.C. 278g–3);
									(I)provide to Federal
				agencies mandatory security controls to mitigate and remediate vulnerabilities
				of and incidents affecting the Federal information infrastructure;
									(J)subject to
				paragraph (2), and as needed, assist the Director of the Office of Management
				and Budget and the Director of Cyberspace Policy in conducting analysis and
				prioritization of budgets, relating to the security of the Federal information
				infrastructure;
									(K)in accordance with
				section 253, develop, periodically update, and implement a supply chain risk
				management strategy to enhance, in a risk-based and cost-effective manner, the
				security of the communications and information technology products and services
				purchased by the Federal Government;
									(L)notify the
				Director of Cyberspace Policy of any incident involving the Federal information
				infrastructure, information infrastructure that is owned, operated, controlled,
				or licensed for use by, or on behalf of, the Department of Defense, a military
				department, or another element of the intelligence community, or the national
				information infrastructure that could compromise or significantly affect
				economic or national security;
									(M)consult, in
				coordination with the Director of Cyberspace Policy, with appropriate
				international partners to enhance the security of the Federal information
				infrastructure and national information infrastructure;
									(N)(i)coordinate and integrate
				information to analyze the composite security state of the Federal information
				infrastructure and information infrastructure that is owned, operated,
				controlled, or licensed for use by, or on behalf of, the Department of Defense,
				a military department, or another element of the intelligence community;
										(ii)ensure the information required
				under clause (i) and section 3553(c)(1)(A) of title 44, United States Code,
				including the views of the Director on the adequacy and effectiveness of
				information security throughout the Federal information infrastructure and
				information infrastructure that is owned, operated, controlled, or licensed for
				use by, or on behalf of, the Department of Defense, a military department, or
				another element of the intelligence community, is available on an automated and
				continuous basis through the system maintained under section 3552(a)(3)(D) of
				title 44, United States Code;
										(iii)in conjunction with the
				quadrennial homeland security review required under section 707, and at such
				other times determined appropriate by the Director, analyze the composite
				security state of the national information infrastructure and submit to the
				President, Congress, and the Secretary a report regarding actions necessary to
				enhance the composite security state of the national information infrastructure
				based on the analysis; and
										(iv)foster collaboration and serve as
				the primary contact between the Federal Government, State and local
				governments, and private entities on matters relating to the security of the
				Federal information infrastructure and the national information
				infrastructure;
										(O)oversee the
				development, implementation, and management of security requirements for
				Federal agencies relating to the external access points to or from the Federal
				information infrastructure;
									(P)establish,
				develop, and oversee the capabilities and operations within the US–CERT as
				required by section 244;
									(Q)oversee the
				operations of the National Communications System, as described in Executive
				Order 12472 (49 Fed. Reg. 13471; relating to the assignment of national
				security and emergency preparedness telecommunications functions), as amended
				by Executive Order 13286 (68 Fed. Reg. 10619) and Executive Order 13407 (71
				Fed. Reg. 36975), or any successor thereto, including planning for and
				providing communications for the Federal Government under all circumstances,
				including crises, emergencies, attacks, recoveries, and reconstitutions;
									(R)ensure, in
				coordination with the privacy officer designated under subsection (e), the
				Privacy Officer appointed under section 222, and the Director of the Office of
				Civil Rights and Civil Liberties appointed under section 705, that the
				activities of the Center comply with all policies, regulations, and laws
				protecting the privacy and civil liberties of United States persons;
									(S)subject to the
				availability of resources, and at the discretion of the Director, provide
				voluntary technical assistance—
										(i)at
				the request of an owner or operator of covered critical infrastructure, to
				assist the owner or operator in complying with sections 248 and 249, including
				implementing required security or emergency measures and developing response
				plans for national cyber emergencies declared under section 249; and
										(ii)at the request of
				the owner or operator of national information infrastructure that is not
				covered critical infrastructure, and based on risk, to assist the owner or
				operator in implementing best practices, and related standards and guidelines,
				recommended under section 247 and other measures necessary to mitigate or
				remediate vulnerabilities of the information infrastructure and the
				consequences of efforts to exploit the vulnerabilities;
										(T)(i)conduct, in consultation
				with the National Cybersecurity Advisory Council, the head of appropriate
				sector-specific agencies, and any private sector entity determined appropriate
				by the Director, risk-based assessments of national information infrastructure,
				on a sector-by-sector basis, with respect to acts of terrorism, natural
				disasters, and other large-scale disruptions or financial harm, which shall
				identify and prioritize risks to the national information infrastructure,
				including vulnerabilities and associated consequences; and
										(ii)coordinate and evaluate the
				mitigation or remediation of cyber vulnerabilities and consequences identified
				under clause (i);
										(U)regularly evaluate
				and assess technologies designed to enhance the protection of the Federal
				information infrastructure and national information infrastructure, including
				an assessment of the cost-effectiveness of the technologies;
									(V)promote the use of
				the best practices recommended under section 247 to State and local governments
				and the private sector;
									(W)develop and
				implement outreach and awareness programs on cybersecurity, including—
										(i)a
				public education campaign to increase the awareness of cybersecurity, cyber
				safety, and cyber ethics, which shall include use of the Internet, social
				media, entertainment, and other media to reach the public;
										(ii)an education
				campaign to increase the understanding of State and local governments and
				private sector entities of the costs of failing to ensure effective security of
				information infrastructure and cost-effective methods to mitigate and remediate
				vulnerabilities; and
										(iii)outcome-based
				performance measures to determine the success of the programs;
										(X)develop and
				implement a national cybersecurity exercise program that includes—
										(i)the participation
				of State and local governments, international partners of the United States,
				and the private sector; and
										(ii)an after action
				report analyzing lessons learned from exercises and identifying vulnerabilities
				to be remediated or mitigated;
										(Y)coordinate with
				the Assistant Secretary for Infrastructure Protection to ensure that—
										(i)cybersecurity is
				appropriately addressed in carrying out the infrastructure protection
				responsibilities described in section 201(d); and
										(ii)the operations of
				the Center and the Office of Infrastructure Protection avoid duplication and
				use, to the maximum extent practicable, joint mechanisms for information
				sharing and coordination with the private sector;
										(Z)oversee the
				activities of the Office of Emergency Communications established under section
				1801; and
									(AA)perform such
				other duties as the Secretary may direct relating to the security and
				resiliency of the information and communications infrastructure of the United
				States.
									(2) Budget analysis. In conducting analysis and prioritization of budgets
				under paragraph (1)(J), the Director—
									(A)in coordination
				with the Director of the Office of Management and Budget, may access
				information from any Federal agency regarding the finances, budget, and
				programs of the Federal agency relevant to the security of the Federal
				information infrastructure;
									(B)may make
				recommendations to the Director of the Office of Management and Budget and the
				Director of Cyberspace Policy regarding the budget for each Federal agency to
				ensure that adequate funding is devoted to securing the Federal information
				infrastructure, in accordance with policies, principles, and guidelines
				established by the Director under this subtitle; and
									(C)shall provide
				copies of any recommendations made under subparagraph (B) to—
										(i)the Committee on
				Appropriations of the Senate;
										(ii)the Committee on
				Appropriations of the House of Representatives; and
										(iii)the appropriate
				committees of Congress.
										(g) Use of mechanisms for collaboration. In carrying out the responsibilities
				and authorities of the Director under this subtitle, to the maximum extent
				practicable, the Director shall use mechanisms for collaboration and
				information sharing (including mechanisms relating to the identification and
				communication of threats, vulnerabilities, and associated consequences)
				established by other components of the Department or other Federal agencies to
				avoid unnecessary duplication or waste.
							(h) Sufficiency of resources plan
								(1) Report. Not
				later than 120 days after the date of enactment of this subtitle, the Director
				of the Office of Management and Budget shall submit to the appropriate
				committees of Congress and the Comptroller General of the United States a
				report on the resources and staff necessary to carry out fully the
				responsibilities under this subtitle.
								(2) Comptroller General review
									(A) In general. The Comptroller General of the United States shall
				evaluate the reasonableness and adequacy of the report submitted by the
				Director under paragraph (1).
									(B) Report. Not
				later than 60 days after the date on which the report is submitted under
				paragraph (1), the Comptroller General shall submit to the appropriate
				committees of Congress a report containing the findings of the review under
				subparagraph (A).
									(i) Functions transferred. There are transferred to the Center the National
				Cyber Security Division, the Office of Emergency Communications, and the
				National Communications System, including all the functions, personnel, assets,
				authorities, and liabilities of the National Cyber Security Division and the
				National Communications System.
							243. Physical and cyber infrastructure collaboration
							(a) In general. The Director and the Assistant Secretary for
				Infrastructure Protection shall coordinate the information, communications, and
				physical infrastructure protection responsibilities and activities of the
				Center and the Office of Infrastructure Protection.
							(b) Oversight. The
				Secretary shall ensure that the coordination described in subsection (a)
				occurs.
							244. United States Computer Emergency Readiness Team
							(a) Establishment of office. There is established within the Center, the United States
				Computer Emergency Readiness Team, which shall be headed by a Director, who
				shall be selected from the Senior Executive Service by the Secretary.
							(b) Responsibilities. The US–CERT shall—
								(1)collect,
				coordinate, and disseminate information on—
									(A)risks to the
				Federal information infrastructure, information infrastructure that is owned,
				operated, controlled, or licensed for use by, or on behalf of, the Department
				of Defense, a military department, or another element of the intelligence
				community, or the national information infrastructure; and
									(B)security controls
				to enhance the security of the Federal information infrastructure or the
				national information infrastructure against the risks identified in
				subparagraph (A); and
									(2)establish a
				mechanism for engagement with the private sector.
								(c) Monitoring, analysis, warning, and response
								(1) Duties. Subject to paragraph (2), the US–CERT shall—
									(A)provide analysis
				and reports to Federal agencies on the security of the Federal information
				infrastructure;
									(B)provide
				continuous, automated monitoring of the Federal information infrastructure at
				external Internet access points, which shall include detection and warning of
				threats, vulnerabilities, traffic, trends, incidents, and other anomalous
				activities affecting the information security of the Federal information
				infrastructure;
									(C)warn Federal
				agencies of threats, vulnerabilities, incidents, and anomalous activities that
				could affect the Federal information infrastructure;
									(D)develop,
				recommend, and deploy security controls to mitigate or remediate
				vulnerabilities;
									(E)support Federal
				agencies in conducting risk assessments of the agency information
				infrastructure;
									(F)disseminate to
				Federal agencies risk analyses of incidents that could impair the risk-based
				security of the Federal information infrastructure;
									(G)develop and
				acquire predictive analytic tools to evaluate threats, vulnerabilities,
				traffic, trends, incidents, and anomalous activities;
									(H)aid in the
				detection of, and warn owners or operators of national information
				infrastructure regarding, threats, vulnerabilities, and incidents affecting
				the national information infrastructure, including providing—
										(i)timely, targeted,
				and actionable notifications of threats, vulnerabilities, and incidents;
				and
										(ii)recommended
				security controls to mitigate or remediate vulnerabilities; and
										(I)respond to
				assistance requests from Federal agencies and, subject to the availability of
				resources, owners or operators of the national information infrastructure
				to—
										(i)isolate, mitigate,
				or remediate incidents;
										(ii)recover from
				damages and mitigate or remediate vulnerabilities; and
										(iii)evaluate
				security controls and other actions taken to secure information infrastructure
				and incorporate lessons learned into best practices, policies, principles, and
				guidelines.
										(2) Requirement. With respect to the Federal information infrastructure, the US–CERT shall conduct
				the activities described in paragraph (1) in a manner consistent with the
				responsibilities of the head of a Federal agency described in section 3553 of
				title 44, United States Code.
								(3) Report. Not
				later than 1 year after the date of enactment of this subtitle, and every year
				thereafter, the Secretary shall—
									(A)in conjunction
				with the Inspector General of the Department, conduct an independent audit or
				review of the activities of the US–CERT under paragraph (1)(B); and
									(B)submit to the
				appropriate committees of Congress and the President a report regarding the
				audit or report.
									(d) Procedures for Federal Government. Not later than 90 days after the date of
				enactment of this subtitle, the head of each Federal agency shall establish
				procedures for the Federal agency that ensure that the US–CERT can perform the
				functions described in subsection (c) in relation to the Federal agency.
							(e) Operational updates. The US–CERT shall provide unclassified and, as
				appropriate, classified updates regarding the composite security state of the
				Federal information infrastructure to the Federal Information Security
				Taskforce.
							(f) Federal points of contact. The Director of the US–CERT shall designate a
				principal point of contact within the US–CERT for each Federal agency
				to—
								(1)maintain
				communication;
								(2)ensure cooperative
				engagement and information sharing; and
								(3)respond to
				inquiries or requests.
								(g) Requests for information or physical access
								(1) Information access. Upon request of the Director of the US–CERT, the head of a
				Federal agency or an Inspector General for a Federal agency shall provide any
				law enforcement information, intelligence information, terrorism information,
				or any other information (including information relating to incidents provided
				under subsections (a)(4) and (c) of section 246) relevant to the security of
				the Federal information infrastructure or the national information
				infrastructure necessary to carry out the duties, responsibilities, and
				authorities under this subtitle.
								(2) Physical access. Upon request of the Director, and in consultation with the
				head of a Federal agency, the Federal agency shall provide physical access to
				any facility of the Federal agency necessary to determine whether the Federal
				agency is in compliance with any policies, principles, and guidelines
				established by the Director under this subtitle, or otherwise necessary to
				carry out the duties, responsibilities, and authorities of the Director
				applicable to the Federal information infrastructure.
								245. Additional authorities of the Director of the National Center for Cybersecurity and
				Communications
							(a) Access to information. Unless otherwise directed by the President—
								(1)the Director shall
				access, receive, and analyze law enforcement information, intelligence
				information, terrorism information, and any other information (including
				information relating to incidents provided under subsections (a)(4) and (c) of
				section 246) relevant to the security of the Federal information
				infrastructure, information infrastructure that is owned, operated, controlled,
				or licensed for use by, or on behalf of, the Department of Defense, a military
				department, or another element of the intelligence community, or national
				information infrastructure from Federal agencies and, consistent with
				applicable law, State and local governments (including law enforcement
				agencies), and private entities, including information provided by any
				contractor to a Federal agency regarding the security of the agency information
				infrastructure;
								(2)any Federal agency
				in possession of law enforcement information, intelligence information,
				terrorism information, or any other information (including information relating
				to incidents provided under subsections (a)(4) and (c) of section 246) relevant
				to the security of the Federal information infrastructure, information
				infrastructure that is owned, operated, controlled, or licensed for use by, or
				on behalf of, the Department of Defense, a military department, or another
				element of the intelligence community, or national information infrastructure
				shall provide that information to the Director in a timely manner; and
								(3)the Director, in
				coordination with the Attorney General, the Privacy and Civil Liberties
				Oversight Board established under section 1061 of the National Security
				Intelligence Reform Act of 2004 (42 U.S.C. 2000ee), the Director of National
				Intelligence, and the Archivist of the United States, shall establish
				guidelines to ensure that information is transferred, stored, and preserved in
				accordance with applicable law and in a manner that protects the privacy and
				civil liberties of United States persons.
								(b) Operational evaluations
								(1) In general. The Director—
									(A)subject to
				paragraph (2), shall develop, maintain, and enhance capabilities to evaluate
				the security of the Federal information infrastructure as described in section
				3554(a)(3) of title 44, United States Code, including the ability to conduct
				risk-based penetration testing and vulnerability assessments;
									(B)in carrying out
				subparagraph (A), may request technical assistance from the Director of the
				Federal Bureau of Investigation, the Director of the National Security Agency,
				the head of any other Federal agency that may provide support, and any
				nongovernmental entity contracting with the Department or another Federal
				agency; and
									(C)in consultation
				with the Attorney General and the Privacy and Civil Liberties Oversight Board
				established under section 1061 of the National Security Intelligence Reform Act
				of 2004 (42 U.S.C. 2000ee), shall develop guidelines to ensure compliance with
				all applicable laws relating to the privacy of United States persons in
				carrying out the operational evaluations under subparagraph (A).
									(2) Operational evaluations
									(A) In general. The Director may conduct risk-based operational
				evaluations of the agency information infrastructure of any Federal agency, at
				a time determined by the Director, in consultation with the head of the Federal
				agency, using the capabilities developed under paragraph (1)(A).
									(B) Annual evaluation requirement. If the Director conducts an operational
				evaluation under subparagraph (A) or an operational evaluation at the request
				of a Federal agency to meet the requirements of section 3554 of title 44,
				United States Code, the operational evaluation shall satisfy the requirements
				of section 3554 for the Federal agency for the year of the evaluation, unless
				otherwise specified by the Director.
									(c) Corrective measures and mitigation plans. If the Director determines that a
				Federal agency is not in compliance with applicable policies, principles,
				standards, and guidelines applicable to the Federal information
				infrastructure—
								(1)the Director, in
				consultation with the Director of the Office of Management and Budget, may
				direct the head of the Federal agency to—
									(A)take corrective
				measures to meet the policies, principles, standards, and guidelines;
				and
									(B)develop a plan to
				remediate or mitigate any vulnerabilities addressed by the policies,
				principles, standards, and guidelines;
									(2)within such time
				period as the Director shall prescribe, the head of the Federal agency
				shall—
									(A)implement a
				corrective measure or develop a mitigation plan in accordance with paragraph
				(1); or
									(B)submit to the
				Director, the Director of the Office of Management and Budget, the Inspector
				General for the Federal agency, and the appropriate committees of Congress a
				report indicating why the Federal agency has not implemented the corrective
				measure or developed a mitigation plan; and
									(3)the Director may
				direct the isolation of any component of the agency information infrastructure,
				consistent with the contingency or continuity of operation plans applicable to
				the agency information infrastructure, until corrective measures are taken or
				mitigation plans approved by the Director are put in place, if—
									(A)the head of the
				Federal agency has failed to comply with the corrective measures prescribed
				under paragraph (1); and
									(B)the failure to
				comply presents a significant danger to the Federal information
				infrastructure.
									246. Information sharing
							(a) Federal agencies
								(1) Information sharing program. Consistent with the responsibilities described in
				sections 242 and 244, the Director, in consultation with the other members of
				the Chief Information Officers Council established under section 3603 of title
				44, United States Code, and the Federal Information Security Taskforce, shall
				establish a program for sharing information with and between the Center and
				other Federal agencies that includes processes and procedures, including
				standard operating procedures—
									(A)under which the
				Director regularly shares with each Federal agency—
										(i)analysis and
				reports on the composite security state of the Federal information
				infrastructure and information infrastructure that is owned, operated,
				controlled, or licensed for use by, or on behalf of, the Department of Defense,
				a military department, or another element of the intelligence community, which
				shall include information relating to threats, vulnerabilities, incidents,
				or anomalous activities;
										(ii)any available
				analysis and reports regarding the security of the agency information
				infrastructure; and
										(iii)means and
				methods of preventing, responding to, mitigating, and remediating
				vulnerabilities; and
										(B)under which the
				Director may request information from Federal agencies concerning the security
				of the Federal information infrastructure, information infrastructure that is
				owned, operated, controlled, or licensed for use by, or on behalf of, the
				Department of Defense, a military department, or another element of the
				intelligence community, or the national information infrastructure necessary to
				carry out the duties of the Director under this subtitle or any other provision
				of law.
									(2)ContentsThe
				program established under this section shall include—
									(A)timeframes for the
				sharing of information under paragraph (1);
									(B)guidance on what
				information shall be shared, including information regarding incidents;
									(C)a tiered structure
				that provides guidance for the sharing of urgent information; and
									(D)processes and
				procedures under which the Director or the head of a Federal agency may report
				noncompliance with the program to the Director of Cyberspace Policy.
									(3)US–CERTThe
				Director of the US–CERT shall ensure that the head of each Federal agency has
				continual access to data collected by the US–CERT regarding the agency
				information infrastructure of the Federal agency.
								(4)Federal
				agencies
									(A)In
				generalThe head of a Federal agency shall comply with all
				processes and procedures established under this subsection regarding
				notification to the Director relating to incidents.
									(B)Immediate
				notification requiredUnless otherwise directed by the President,
				any Federal agency with a national security system shall immediately notify the
				Director regarding any incident affecting the risk-based security of the
				national security system.
									(b)State and local
				governments, private sector, and international partners
								(1)In
				generalThe Director shall establish processes and procedures,
				including standard operating procedures, to promote bidirectional information
				sharing with State and local governments, private entities, and international
				partners of the United States on—
									(A)threats,
				vulnerabilities, incidents, and anomalous activities affecting the national
				information infrastructure; and
									(B)means and methods
				of preventing, responding to, and mitigating and remediating
				vulnerabilities.
									(2)ContentsThe
				processes and procedures established under paragraph (1) shall include—
									(A)means or methods
				of accessing classified or unclassified information, as appropriate, that will
				provide situational awareness of the security of the Federal information
				infrastructure and the national information infrastructure relating to threats,
				vulnerabilities, traffic, trends, incidents, and other anomalous activities
				affecting the Federal information infrastructure or the national information
				infrastructure;
									(B)a mechanism,
				established in consultation with the heads of the relevant sector-specific
				agencies, sector coordinating councils, and information sharing and analysis
				centers, by which owners and operators of covered critical infrastructure shall
				report incidents in the information infrastructure for covered critical
				infrastructure, to the extent the incident might indicate an actual or
				potential cyber vulnerability, or exploitation of that vulnerability;
				and
									(C)an evaluation of
				the need to provide security clearances to employees of State and local
				governments, private entities, and international partners to carry out this
				subsection.
									(3)GuidelinesThe
				Director, in consultation with the Attorney General and the Director of
				National Intelligence, shall develop guidelines to protect the privacy and
				civil liberties of United States persons and intelligence sources and methods,
				while carrying out this subsection.
								(c)Incidents
								(1)Non-Federal
				entities
									(A)In
				general
										(i)Mandatory
				reportingSubject to clause (ii), the owner or operator of covered
				critical infrastructure shall report any incident affecting the information
				infrastructure of covered critical infrastructure to the extent the incident
				might indicate an actual or potential cyber vulnerability, or exploitation of a
				cyber vulnerability, in accordance with the policies and procedures for the
				mechanism established under subsection (b)(2)(B) and guidelines developed under
				subsection (b)(3).
										(ii)LimitationClause
				(i) shall not authorize the Director, the Center, the Department, or any other
				Federal entity to compel the disclosure of information relating to an incident
				or conduct surveillance unless otherwise authorized under chapter 119, chapter
				121, or chapter 206 of title 18, United States Code, the Foreign Intelligence
				Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other provision of
				law.
										(B)Reporting
				proceduresThe Director shall establish procedures that enable
				and encourage the owner or operator of national information infrastructure to
				report to the Director regarding incidents affecting such information
				infrastructure.
									(2)Information
				protectionNotwithstanding any other provision of law,
				information reported under paragraph (1) shall be protected from unauthorized
				disclosure, in accordance with section 251.
								(d)Additional
				responsibilitiesIn accordance with section 251, the Director
				shall—
								(1)share data
				collected on the Federal information infrastructure with the National Science
				Foundation and other accredited research institutions for the sole purpose of
				cybersecurity research in a manner that protects privacy and civil liberties of
				United States persons and intelligence sources and methods;
								(2)establish a Web
				site to provide an opportunity for the public to provide—
									(A)input about the
				operations of the Center; and
									(B)recommendations
				for improvements of the Center; and
									(3)in coordination
				with the Secretary of Defense, the Director of National Intelligence, the
				Secretary of State, and the Attorney General, develop information sharing pilot
				programs with international partners of the United States.
								247.Private sector
				assistance
							(a)In
				generalThe Director, in consultation with the Director of the
				National Institute of Standards and Technology, the Director of the National
				Security Agency, the head of any relevant sector-specific agency, the National
				Cybersecurity Advisory Council, State and local governments, and any private
				entities the Director determines appropriate, shall establish a program to
				promote, and provide technical assistance authorized under section 242(f)(1)(S)
				relating to the implementation of, best practices and related standards and
				guidelines for securing the national information infrastructure, including the
				costs and benefits associated with the implementation of the best practices and
				related standards and guidelines.
							(b)Analysis and
				improvement of standards and guidelinesFor purposes of the
				program established under subsection (a), the Director shall—
								(1)regularly assess
				and evaluate cybersecurity standards and guidelines issued by private sector
				organizations, recognized international and domestic standards setting
				organizations, and Federal agencies; and
								(2)in coordination
				with the National Institute of Standards and Technology, encourage the
				development of, and recommend changes to, the standards and guidelines
				described in paragraph (1) for securing the national information
				infrastructure.
								(c)Guidance and
				technical assistance
								(1)In
				generalThe Director shall promote best practices and related
				standards and guidelines to assist owners and operators of national information
				infrastructure in increasing the security of the national information
				infrastructure and protecting against and mitigating or remediating known
				vulnerabilities.
								(2)RequirementTechnical
				assistance provided under section 242(f)(1)(S) and best practices promoted
				under this section shall be prioritized based on risk.
								(d)CriteriaIn
				promoting best practices or recommending changes to standards and guidelines
				under this section, the Director shall ensure that best practices, and related
				standards and guidelines—
								(1)address
				cybersecurity in a comprehensive, risk-based manner;
								(2)include
				consideration of the cost of implementing such best practices or of
				implementing recommended changes to standards and guidelines;
								(3)increase the
				ability of the owners or operators of national information infrastructure to
				protect against and mitigate or remediate known vulnerabilities;
								(4)are suitable, as
				appropriate, for implementation by small business concerns;
								(5)as necessary and
				appropriate, are sector specific;
								(6)to the maximum
				extent possible, incorporate standards and guidelines established by private
				sector organizations, recognized international and domestic standards setting
				organizations, and Federal agencies; and
								(7)provide sufficient
				flexibility to permit a range of security solutions.
								248.Cyber
				vulnerabilities to covered critical infrastructure
							(a)Identification
				of cyber vulnerabilities
								(1)In
				generalBased on the risk-based assessments conducted under
				section 242(f)(1)(T)(i), the Director, in coordination with the head of the
				sector-specific agency with responsibility for covered critical infrastructure
				and the head of any Federal agency that is not a sector-specific agency with
				responsibilities for regulating the covered critical infrastructure, and in
				consultation with the National Cybersecurity Advisory Council and any private
				sector entity determined appropriate by the Director, shall, on a continuous
				and sector-by-sector basis, identify and evaluate the cyber vulnerabilities to
				covered critical infrastructure.
								(2)Factors to be
				consideredIn identifying and evaluating cyber vulnerabilities
				under paragraph (1), the Director shall consider—
									(A)the perceived
				threat, including a consideration of adversary capabilities and intent,
				preparedness, target attractiveness, and deterrence capabilities;
									(B)the potential
				extent and likelihood of death, injury, or serious adverse effects to human
				health and safety caused by a disruption of the reliable operation of covered
				critical infrastructure;
									(C)the threat to or
				potential impact on national security caused by a disruption of the reliable
				operation of covered critical infrastructure;
									(D)the extent to
				which the disruption of the reliable operation of covered critical
				infrastructure will disrupt the reliable operation of other covered critical
				infrastructure;
									(E)the potential for
				harm to the economy that would result from a disruption of the reliable
				operation of covered critical infrastructure; and
									(F)other risk-based
				security factors that the Director, in consultation with the head of the
				sector-specific agency with responsibility for the covered critical
				infrastructure and the head of any Federal agency that is not a sector-specific
				agency with responsibilities for regulating the covered critical
				infrastructure, determine to be appropriate and necessary to protect public
				health and safety, critical infrastructure, or national and economic
				security.
									(3)Report
									(A)In
				generalNot later than 180 days after the date of enactment of
				this subtitle, and annually thereafter, the Director, in coordination with the
				head of the sector-specific agency with responsibility for the covered critical
				infrastructure and the head of any Federal agency that is not a sector-specific
				agency with responsibilities for regulating the covered critical
				infrastructure, shall submit to the appropriate committees of Congress a report
				on the findings of the identification and evaluation of cyber vulnerabilities
				under this subsection. Each report submitted under this paragraph shall be
				submitted in an unclassified form, but may include a classified annex.
									(B)InputFor
				purposes of the reports required under subparagraph (A), the Director shall
				create a process under which owners and operators of covered critical
				infrastructure may provide input on the findings of the reports.
									(b)Risk-Based
				performance requirements
								(1)In
				generalNot later than 270 days after the date of the enactment
				of this subtitle, in coordination with the heads of the sector-specific
				agencies with responsibility for covered critical infrastructure and the head
				of any Federal agency that is not a sector-specific agency with
				responsibilities for regulating the covered critical infrastructure, and in
				consultation with the National Cybersecurity Advisory Council and any private
				sector entity determined appropriate by the Director, the Director shall issue
				interim final regulations establishing risk-based security performance
				requirements to secure covered critical infrastructure against cyber
				vulnerabilities through the adoption of security measures that satisfy the
				security performance requirements identified by the Director.
								(2)ProceduresThe
				regulations issued under this subsection shall—
									(A)include a process
				under which owners and operators of covered critical infrastructure are
				informed of identified cyber vulnerabilities and security performance
				requirements designed to remediate or mitigate the cyber vulnerabilities, in
				combination with best practices recommended under section 247;
									(B)establish a
				process for owners and operators of covered critical infrastructure to select
				security measures, including any best practices recommended under section 247,
				that, in combination, satisfy the security performance requirements established
				by the Director under this subsection;
									(C)establish a
				process for owners and operators of covered critical infrastructure to develop
				response plans for a national cyber emergency declared under section 249;
				and
									(D)establish a
				process by which the Director—
										(i)is
				notified of the security measures selected by the owner or operator of covered
				critical infrastructure under subparagraph (B); and
										(ii)may determine
				whether the proposed security measures satisfy the security performance
				requirements established by the Director under this subsection.
										(3)International
				cooperation on securing covered critical infrastructure
									(A)In
				generalThe Director, in coordination with the head of the
				sector-specific agency with responsibility for covered critical infrastructure
				and the head of any Federal agency that is not a sector-specific agency with
				responsibilities for regulating the covered critical infrastructure,
				shall—
										(i)consistent with
				the protection of intelligence sources and methods and other sensitive matters,
				inform the owner or operator of covered critical infrastructure that is located
				outside the United States and the government of the country in which the
				covered critical infrastructure is located of any cyber vulnerabilities to the
				covered critical infrastructure; and
										(ii)coordinate with
				the government of the country in which the covered critical infrastructure is
				located and, as appropriate, the owner or operator of the covered critical
				infrastructure, regarding the implementation of security measures or other
				measures to the covered critical infrastructure to mitigate or remediate cyber
				vulnerabilities.
										(B)International
				agreementsThe Director shall carry out this paragraph in a
				manner consistent with applicable international agreements.
									(4)Risk-based
				security performance requirements
									(A)In
				generalThe security performance requirements established by the
				Director under this subsection shall be—
										(i)based on the
				factors listed in subsection (a)(2); and
										(ii)designed to
				remediate or mitigate identified cyber vulnerabilities and any associated
				consequences of an exploitation based on such vulnerabilities.
										(B)ConsultationIn
				establishing security performance requirements under this subsection, the
				Director shall, to the maximum extent practicable, consult with—
										(i)the Director of
				the National Security Agency;
										(ii)the Director of
				the National Institute of Standards and Technology;
										(iii)the National
				Cybersecurity Advisory Council;
										(iv)the heads of
				sector-specific agencies; and
										(v)the heads of
				Federal agencies that are not a sector-specific agency with responsibilities
				for regulating the covered critical infrastructure.
										(C)Alternative
				measures
										(i)In
				generalThe owners and operators of covered critical
				infrastructure shall have flexibility to implement any security measure, or
				combination thereof, to satisfy the security performance requirements described
				in subparagraph (A) and the Director may not disapprove under this section any
				proposed security measures, or combination thereof, based on the presence or
				absence of any particular security measure if the proposed security measures,
				or combination thereof, satisfy the security performance requirements
				established by the Director under this section.
										(ii)Recommended
				security measuresThe Director may recommend to an owner and
				operator of covered critical infrastructure a specific security measure, or
				combination thereof, that will satisfy the security performance requirements
				established by the Director. The absence of the recommended security measures,
				or combination thereof, may not serve as the basis for a disapproval of the
				security measure, or combination thereof, proposed by the owner or operator of
				covered critical infrastructure if the proposed security measure, or
				combination thereof, otherwise satisfies the security performance requirements
				established by the Director under this section.
										249.National cyber
				emergencies
							(a)Declaration
								(1)In
				generalThe President may issue a declaration of a national cyber
				emergency to covered critical infrastructure. Any declaration under this
				section shall specify the covered critical infrastructure subject to the
				national cyber emergency.
								(2)NotificationUpon
				issuing a declaration under paragraph (1), the President shall, consistent with
				the protection of intelligence sources and methods, notify the owners and
				operators of the specified covered critical infrastructure of the nature of the
				national cyber emergency.
								(3)AuthoritiesIf
				the President issues a declaration under paragraph (1), the Director
				shall—
									(A)immediately direct
				the owners and operators of covered critical infrastructure subject to the
				declaration under paragraph (1) to implement response plans required under
				section 248(b)(2)(C);
									(B)develop and
				coordinate emergency measures or actions necessary to preserve the reliable
				operation, and mitigate or remediate the consequences of the potential
				disruption, of covered critical infrastructure;
									(C)ensure that
				emergency measures or actions directed under this section represent the least
				disruptive means feasible to the operations of the covered critical
				infrastructure;
									(D)subject to
				subsection (f), direct actions by other Federal agencies to respond to the
				national cyber emergency;
									(E)coordinate with
				officials of State and local governments, international partners of the United
				States, and private owners and operators of covered critical infrastructure
				specified in the declaration to respond to the national cyber emergency;
									(F)initiate a process
				under section 248 to address the cyber vulnerability that may be exploited by
				the national cyber emergency; and
									(G)provide voluntary
				technical assistance, if requested, under section 242(f)(1)(S).
									(4)ReimbursementA
				Federal agency shall be reimbursed for expenditures under this section from
				funds appropriated for the purposes of this section. Any funds received by a
				Federal agency as reimbursement for services or supplies furnished under the
				authority of this section shall be deposited to the credit of the appropriation
				or appropriations available on the date of the deposit for the services or
				supplies.
								(5)ConsultationIn
				carrying out this section, the Director shall consult with the Secretary, the
				Secretary of Defense, the Director of the National Security Agency, the
				Director of the National Institute of Standards and Technology, and any other
				official, as directed by the President.
								(6)PrivacyIn
				carrying out this section, the Director shall ensure that the privacy and civil
				liberties of United States persons are protected.
								(b)Discontinuance
				of emergency measures
								(1)In
				generalAny emergency measure or action developed under this
				section shall cease to have effect not later than 30 days after the date on
				which the President issued the declaration of a national cyber emergency,
				unless—
									(A)the Director
				affirms in writing that the emergency measure or action remains necessary to
				address the identified national cyber emergency; and
									(B)the President
				issues a written order or directive reaffirming the national cyber emergency,
				the continuing nature of the national cyber emergency, or the need to continue
				the adoption of the emergency measure or action.
									(2)ExtensionsAn
				emergency measure or action extended in accordance with paragraph (1)
				may—
									(A)remain in effect
				for not more than 30 days after the date on which the emergency measure or
				action was to cease to have effect; and
									(B)be extended for
				additional 30-day periods, if the requirements of paragraph (1) and subsection
				(d) are met.
									(c)Compliance with
				emergency measures
								(1)In
				generalSubject to paragraph (2), the owner or operator of
				covered critical infrastructure shall immediately comply with any emergency
				measure or action developed by the Director under this section during the
				pendency of any declaration by the President under subsection (a)(1) or an
				extension under subsection (b)(2).
								(2)Alternative
				measuresIf the Director determines that a proposed security
				measure, or any combination thereof, submitted by the owner or operator of
				covered critical infrastructure in accordance with the process established
				under section 248(b)(2) addresses the cyber vulnerability associated with the
				national cyber emergency that is the subject of the declaration under this
				section, the owner or operator may comply with paragraph (1) of this subsection
				by implementing the proposed security measure, or combination thereof, approved
				by the Director under the process established under section 248. Before
				submission of a proposed security measure, or combination thereof, and during
				the pendency of any review by the Director under the process established under
				section 248, the owner or operator of covered critical infrastructure shall
				remain in compliance with any emergency measure or action developed by the
				Director under this section during the pendency of any declaration by the
				President under subsection (a)(1) or an extension under subsection (b)(2),
				until such time as the Director has approved an alternative proposed security
				measure, or combination thereof, under this paragraph.
								(3)International
				cooperation on national cyber emergencies
									(A)In
				generalThe Director, in coordination with the head of the
				sector-specific agency with responsibility for covered critical infrastructure
				and the head of any Federal agency that is not a sector-specific agency with
				responsibilities for regulating the covered critical infrastructure,
				shall—
										(i)consistent with
				the protection of intelligence sources and methods and other sensitive matters,
				inform the owner or operator of covered critical infrastructure that is located
				outside of the United States and the government of the country in which the
				covered critical infrastructure is located of any national cyber emergency
				affecting the covered critical infrastructure; and
										(ii)coordinate with
				the government of the country in which the covered critical infrastructure is
				located and, as appropriate, the owner or operator of the covered critical
				infrastructure, regarding the implementation of emergency measures or actions
				necessary to preserve the reliable operation, and mitigate or remediate the
				consequences of the potential disruption, of the covered critical
				infrastructure.
										(B)International
				agreementsThe Director shall carry out this paragraph in a
				manner consistent with applicable international agreements.
									(4)Limitation on
				compliance authorityThe authority to direct compliance with an
				emergency measure or action under this section shall not authorize the
				Director, the Center, the Department, or any other Federal entity to compel the
				disclosure of information or conduct surveillance unless otherwise authorized
				under chapter 119, chapter 121, or chapter 206 of title 18, United States Code,
				the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or
				any other provision of law.
								(d)Reporting
								(1)In
				generalExcept as provided in paragraph (2), the President shall
				ensure that any declaration under subsection (a)(1) or any extension under
				subsection (b)(2) is reported to the appropriate committees of Congress before
				the Director mandates any emergency measure or actions under subsection
				(a)(3).
								(2)ExceptionIf
				notice cannot be given under paragraph (1) before mandating any emergency
				measure or actions under subsection (a)(3), the President shall provide the
				report required under paragraph (1) as soon as possible, along with a statement
				of the reasons for not providing notice in accordance with paragraph
				(1).
								(3)ContentsEach
				report under this subsection shall describe—
									(A)the nature of the
				national cyber emergency;
									(B)the reasons that
				risk-based security requirements under section 248 are not sufficient to
				address the national cyber emergency; and
									(C)the actions
				necessary to preserve the reliable operation and mitigate the consequences of
				the potential disruption of covered critical infrastructure.
									(e)Statutory
				defenses and civil liability limitations for compliance with emergency
				measures
								(1)DefinitionsIn
				this subsection—
									(A)the term
				covered civil action—
										(i)means a civil
				action filed in a Federal or State court against a covered entity; and
										(ii)does not include
				an action brought under section 2520 or 2707 of title 18, United States Code,
				or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50
				U.S.C. 1810 and 1828);
										(B)the term
				covered entity means any entity that owns or operates covered
				critical infrastructure, including any owner, operator, officer, employee,
				agent, landlord, custodian, or other person acting for or on behalf of that
				entity with respect to the covered critical infrastructure; and
									(C)the term
				noneconomic damages means damages for losses for physical and
				emotional pain, suffering, inconvenience, physical impairment, mental anguish,
				disfigurement, loss of enjoyment of life, loss of society and companionship,
				loss of consortium, hedonic damages, injury to reputation, and any other
				nonpecuniary losses.
									(2)Application of
				limitations on civil liabilityThe limitations on civil liability
				under paragraph (3) apply if—
									(A)the President has
				issued a declaration of national cyber emergency under subsection
				(a)(1);
									(B)the Director
				has—
										(i)issued emergency
				measures or actions for which compliance is required under subsection (c)(1);
				or
										(ii)approved security
				measures under subsection (c)(2);
										(C)the covered entity
				is in compliance with—
										(i)the emergency
				measures or actions required under subsection (c)(1); or
										(ii)security measures
				which the Director has approved under subsection (c)(2); and
										(D)(i)the Director certifies
				to the court in which the covered civil action is pending that the actions
				taken by the covered entity during the period covered by the declaration under
				subsection (a)(1) were consistent with—
											(I)emergency measures or actions for which
				compliance is required under subsection (c)(1); or
											(II)security measures which the Director has
				approved under subsection (c)(2); or
											(ii)notwithstanding the lack of a
				certification, the covered entity demonstrates by a preponderance of the
				evidence that the actions taken during the period covered by the declaration
				under subsection (a)(1) are consistent with the implementation of—
											(I)emergency measures or actions for which
				compliance is required under subsection (c)(1); or
											(II)security measures which the Director has
				approved under subsection (c)(2).
											(3)Limitations on
				civil liabilityIn any covered civil action that is related to
				any incident associated with a cyber vulnerability covered by a declaration of
				a national cyber emergency and for which the Director has issued emergency measures
				or actions for which compliance is required under subsection (c)(1) or for
				which the Director has approved security measures under subsection (c)(2), or
				that is the direct consequence of actions taken in good faith for the purpose
				of implementing security measures or actions which the Director has approved
				under subsection (c)(2)—
									(A)the covered entity
				shall not be liable for any punitive damages intended to punish or deter,
				exemplary damages, or other damages not intended to compensate a plaintiff for
				actual losses; and
									(B)noneconomic
				damages may be awarded against a defendant only in an amount directly
				proportional to the percentage of responsibility of such defendant for the harm
				to the plaintiff, and no plaintiff may recover noneconomic damages unless the
				plaintiff suffered physical harm.
									(4)Civil actions arising out of implementation of emergency measures or actions
				A covered civil action may not be maintained against a covered entity that is the
				direct consequence of actions taken in good faith for the purpose of
				implementing specific emergency measures or actions for which compliance is
				required under subsection (c)(1), if—
									(A)the President has
				issued a declaration of national cyber emergency under subsection (a)(1) and
				the action was taken during the period covered by that declaration;
									(B)the Director has
				issued emergency measures or actions for which compliance is required under
				subsection (c)(1);
									(C)the covered entity
				is in compliance with the emergency measures required under subsection (c)(1);
				and
									(D)(i)the Director certifies
				to the court in which the covered civil action is pending that the actions
				taken by the entity during the period covered by the declaration under
				subsection (a)(1) were consistent with the implementation of emergency measures
				or actions for which compliance is required under subsection (c)(1); or
										(ii)notwithstanding the lack of a
				certification, the entity demonstrates by a preponderance of the evidence that
				the actions taken during the period covered by the declaration under subsection
				(a)(1) are consistent with the implementation of emergency measures or actions
				for which compliance is required under subsection (c)(1).
										(5)Certain actions
				not subject to limitations on liability
									(A)Additional or intervening acts
				Paragraphs (2) through (4) shall not apply to a
				civil action relating to any additional or intervening acts or omissions by any
				covered entity.
									(B)Serious or substantial damage
				Paragraph (4) shall not apply to any civil
				action brought by an individual—
										(i)whose recovery is
				otherwise precluded by application of paragraph (4); and
										(ii)who has
				suffered—
											(I)serious physical
				injury or death; or
											(II)substantial
				damage or destruction to his primary residence.
									(C)Rule of construction
				Recovery available under subparagraph (B) shall be
				limited to those damages available under subparagraphs (A) and (B) of paragraph
				(3), except that neither reasonable and necessary medical benefits nor lifetime
				total benefits for lost employment income due to permanent and total disability
				shall be limited herein.
									(D)Indemnification
				In any civil action brought under subparagraph (B), the United States shall defend
				and indemnify any covered entity. Any covered entity defended and indemnified
				under this subparagraph shall fully cooperate with the United States in the
				defense by the United States in any proceeding and shall be reimbursed the
				reasonable costs associated with such cooperation.
									(f)Rule of construction
				Nothing in this section shall be construed to—
								(1)alter or supersede
				the authority of the Secretary of Defense, the Attorney General, or the
				Director of National Intelligence in responding to a national cyber emergency;
				or
								(2)limit the
				authority of the Director under section 248, after a declaration issued under
				this section expires.
								250. Enforcement
							(a)Annual
				certification of compliance
								(1)In general
				Not later than 6 months after the date on which the
				Director promulgates regulations under section 248(b), and every year
				thereafter, each owner or operator of covered critical infrastructure shall
				certify in writing to the Director whether the owner or operator has developed
				and implemented, or is implementing, security measures approved by the Director
				under section 248 and any applicable emergency measures or actions required
				under section 249 for any cyber vulnerabilities and national cyber
				emergencies.
								(2)Failure to comply
				If an owner or operator of covered critical infrastructure
				fails to submit a certification in accordance with paragraph (1), or if the
				certification indicates the owner or operator is not in compliance, the
				Director may issue an order requiring the owner or operator to submit proposed
				security measures under section 248 or comply with specific emergency measures
				or actions under section 249.
								(b)Risk-Based
				evaluations
								(1)In general
				Consistent with the factors described in paragraph (3),
				the Director may perform an evaluation of the information infrastructure of any
				specific system or asset constituting covered critical infrastructure to assess
				the validity of a certification of compliance submitted under subsection
				(a)(1).
								(2)Document review and inspection
				An evaluation performed under paragraph (1) may
				include—
									(A)a review of all
				documentation submitted to justify an annual certification of compliance
				submitted under subsection (a)(1); and
									(B)a physical or
				electronic inspection of relevant information infrastructure to which the
				security measures required under section 248 or the emergency measures or
				actions required under section 249 apply.
									(3)Evaluation selection factors
				In determining whether sufficient risk exists
				to justify an evaluation under this subsection, the Director shall
				consider—
									(A)the specific cyber
				vulnerabilities affecting or potentially affecting the information
				infrastructure of the specific system or asset constituting covered critical
				infrastructure;
									(B)any reliable
				intelligence or other information indicating a cyber vulnerability or credible
				national cyber emergency to the information infrastructure of the specific
				system or asset constituting covered critical infrastructure;
									(C)actual knowledge
				or reasonable suspicion that the certification of compliance submitted by a
				specific owner or operator of covered critical infrastructure is false or
				otherwise inaccurate;
									(D)a request by a
				specific owner or operator of covered critical infrastructure for such an
				evaluation; and
									(E)such other
				risk-based factors as identified by the Director.
									(4)Sector-specific agencies
				To carry out the risk-based evaluation authorized under
				this subsection, the Director may use the resources of a sector-specific agency
				with responsibility for the covered critical infrastructure or any Federal
				agency that is not a sector-specific agency with responsibilities for
				regulating the covered critical infrastructure with the concurrence of the head
				of the agency.
								(5)Information protection
				Information provided to the Director during the course
				of an evaluation under this subsection shall be protected from disclosure in
				accordance with section 251.
								(c)Civil
				penalties
								(1)In general
				Any person who violates section 248 or 249 shall be
				liable for a civil penalty.
								(2)No private right of action
				Nothing in this section confers upon any person, except
				the Director, a right of action against an owner or operator of covered
				critical infrastructure to enforce any provision of this subtitle.
								(d)Limitation on
				civil liability
								(1)Definition
				In this subsection—
									(A)the term
				covered civil action—
										(i)means a civil
				action filed in a Federal or State court against a covered entity; and
										(ii)does not include
				an action brought under section 2520 or 2707 of title 18, United States Code,
				or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50
				U.S.C. 1810 and 1828);
										(B)the term
				covered entity means any entity that owns or operates covered
				critical infrastructure, including any owner, operator, officer, employee,
				agent, landlord, custodian, or other person acting for or on behalf of that
				entity with respect to the covered critical infrastructure; and
									(C)the term
				noneconomic damages means damages for losses for physical and
				emotional pain, suffering, inconvenience, physical impairment, mental anguish,
				disfigurement, loss of enjoyment of life, loss of society and companionship,
				loss of consortium, hedonic damages, injury to reputation, and any other
				nonpecuniary losses.
									(2)Limitations on civil liability
				If a covered entity experiences an incident
				related to a cyber vulnerability identified under section 248(a), in any
				covered civil action for damages directly caused by the incident related to
				that cyber vulnerability—
									(A)the covered entity
				shall not be liable for any punitive damages intended to punish or deter,
				exemplary damages, or other damages not intended to compensate a plaintiff for
				actual losses; and
									(B)noneconomic
				damages may be awarded against a defendant only in an amount directly
				proportional to the percentage of responsibility of such defendant for the harm
				to the plaintiff, and no plaintiff may recover noneconomic damages unless the
				plaintiff suffered physical harm.
									(3)Application
				This subsection shall apply to claims made by any individual or nongovernmental
				entity, including claims made by a State or local government agency on behalf
				of such individuals or nongovernmental entities, against a covered
				entity—
									(A)whose proposed
				security measures, or combination thereof, satisfy the security performance
				requirements established under subsection 248(b) and have been approved by the
				Director;
									(B)that has been
				evaluated under subsection (b) and has been found by the Director to have
				implemented the proposed security measures approved under section 248;
				and
									(C)that is in actual
				compliance with the approved security measures at the time of the incident
				related to that cyber vulnerability.
									(4)Limitation
				This subsection shall only apply to harm directly caused by the incident related to
				the cyber vulnerability and shall not apply to damages caused by any additional
				or intervening acts or omissions by the covered entity.
								(5)Rule of construction
				Except as provided under paragraph (3), nothing in
				this subsection shall be construed to abrogate or limit any right, remedy, or
				authority that the Federal Government or any State or local government, or any
				entity or agency thereof, may possess under any law, or that any individual is
				authorized by law to bring on behalf of the government.
								(e)Report to Congress
				The Director shall submit an annual report to the
				appropriate committees of Congress on the implementation and enforcement of the
				risk-based performance requirements of covered critical infrastructure under
				subsection 248(b) and this section including—
								(1)the level of
				compliance of covered critical infrastructure with the risk-based security
				performance requirements issued under section 248(b);
								(2)how frequently the
				evaluation authority under subsection (b) was utilized and a summary of the
				aggregate results of the evaluations; and
								(3)any civil
				penalties imposed on covered critical infrastructure.
								251. Protection of information
							(a)Definition
				In this section, the term covered information—
								(1)means—
									(A)any information
				required to be submitted under sections 246, 248, and 249 to the Center by the
				owners and operators of covered critical infrastructure; and
									(B)any information
				submitted to the Center under the processes and procedures established under
				section 246 by State and local governments, private entities, and international
				partners of the United States regarding threats, vulnerabilities, and incidents
				affecting—
										(i)the Federal
				information infrastructure;
										(ii)information
				infrastructure that is owned, operated, controlled, or licensed for use by, or
				on behalf of, the Department of Defense, a military department, or another
				element of the intelligence community; or
										(iii)the national
				information infrastructure; and
										(2)shall not include
				any information described under paragraph (1), if that information is submitted
				to—
									(A)conceal violations
				of law, inefficiency, or administrative error;
									(B)prevent
				embarrassment to a person, organization, or agency; or
									(C)interfere with
				competition in the private sector.
									(b)Voluntarily shared critical infrastructure information
				Covered information
				submitted in accordance with this section shall be treated as voluntarily
				shared critical infrastructure information under section 214, except that the
				requirement of section 214 that the information be voluntarily submitted,
				including the requirement for an express statement, shall not be required for
				submissions of covered information.
							(c)Guidelines
								(1)In general
				Subject to paragraph (2), the Director shall develop and
				issue guidelines, in consultation with the Secretary, Attorney General, and the
				National Cybersecurity Advisory Council, as necessary to implement this
				section.
								(2)Requirements
				The guidelines developed under this section shall—
									(A)consistent with
				section 214(e)(2)(D) and (g) and the guidelines developed under section
				246(b)(3), include provisions for information sharing among Federal, State, and
				local officials, private entities, or international partners of the United
				States necessary to carry out the authorities and responsibilities of the
				Director;
									(B)be consistent, to
				the maximum extent possible, with policy guidance and implementation standards
				developed by the National Archives and Records Administration for controlled
				unclassified information, including with respect to marking, safeguarding,
				dissemination and dispute resolution; and
									(C)describe, with as
				much detail as possible, the categories and type of information entities should
				voluntarily submit under subsections (b) and (c)(1)(B) of section 246.
									(d)Process for
				reporting security problems
								(1)Establishment of process
				The Director shall establish through regulation, and
				provide information to the public regarding, a process by which any person may
				submit a report to the Secretary regarding cybersecurity threats,
				vulnerabilities, and incidents affecting—
									(A)the Federal
				information infrastructure;
									(B)information
				infrastructure that is owned, operated, controlled, or licensed for use by, or
				on behalf of, the Department of Defense, a military department, or another
				element of the intelligence community; or
									(C)national
				information infrastructure.
									(2)Acknowledgment of receipt
				If a report submitted under paragraph (1) identifies
				the person making the report, the Director shall respond promptly to such
				person and acknowledge receipt of the report.
								(3)Steps to address problem
				The Director shall review and consider the information
				provided in any report submitted under paragraph (1) and, at the sole,
				unreviewable discretion of the Director, determine what, if any, steps are
				necessary or appropriate to address any problems or deficiencies
				identified.
								(4)Disclosure of
				identity
									(A)In general
				Except as provided in subparagraph (B), or with the
				written consent of the person, the Secretary may not disclose the identity of a
				person who has provided information described in paragraph (1).
									(B)Referral to the Attorney General
				The Secretary shall disclose to the Attorney
				General the identity of a person described under subparagraph (A) if the matter
				is referred to the Attorney General for enforcement. The Director shall provide
				reasonable advance notice to the affected person if disclosure of that person’s
				identity is to occur, unless such notice would risk compromising a criminal or
				civil enforcement investigation or proceeding.
									(e)Rules of construction
				Nothing in this section shall be construed to—
								(1)limit or otherwise
				affect the right, ability, duty, or obligation of any entity to use or disclose
				any information of that entity, including in the conduct of any judicial or
				other proceeding;
								(2)prevent the
				classification of information submitted under this section if that information
				meets the standards for classification under Executive Order 12958 or any
				successor of that order;
								(3)limit the right of
				an individual to make any disclosure—
									(A)protected or
				authorized under section 2302(b)(8) or 7211 of title 5, United States
				Code;
									(B)to an appropriate
				official of information that the individual reasonably believes evidences a
				violation of any law, rule, or regulation, gross mismanagement, or substantial
				and specific danger to public health, safety, or security, and that is
				protected under any Federal or State law (other than those referenced in
				subparagraph (A)) that shields the disclosing individual against retaliation or
				discrimination for having made the disclosure if such disclosure is not
				specifically prohibited by law and if such information is not specifically
				required by Executive order to be kept secret in the interest of national
				defense or the conduct of foreign affairs; or
									(C)to the Special
				Counsel, the inspector general of an agency, or any other employee designated
				by the head of an agency to receive similar disclosures;
									(4)prevent the
				Director from using information required to be submitted under sections 246,
				248, or 249 for enforcement of this subtitle, including enforcement proceedings
				subject to appropriate safeguards;
								(5)authorize
				information to be withheld from Congress, the Government Accountability Office,
				or Inspector General of the Department; or
								(6)create a private
				right of action for enforcement of any provision of this section.
								(f)Audit
								(1)In general
				Not later than 1 year after the date of enactment of the
				Protecting Cyberspace as a National Asset Act
				of 2010, the Inspector General of the Department shall conduct an
				audit of the management of information submitted under subsection (b) and
				report the findings to appropriate committees of Congress.
								(2)Contents
				The audit under paragraph (1) shall include assessments of—
									(A)whether the
				information is adequately safeguarded against inappropriate disclosure;
									(B)the processes for
				marking and disseminating the information and resolving any disputes;
									(C)how the
				information is used for the purposes of this section, and whether that use is
				effective;
									(D)whether
				information sharing has been effective to fulfill the purposes of this
				section;
									(E)whether the kinds
				of information submitted have been appropriate and useful, or overbroad or
				overnarrow;
									(F)whether the
				information protections allow for adequate accountability and transparency of
				the regulatory, enforcement, and other aspects of implementing this subtitle;
				and
									(G)any other factors
				at the discretion of the Inspector General.
									252. Sector-specific agencies
							(a)In general
				The head of each sector-specific agency and the head of
				any Federal agency that is not a sector-specific agency with responsibilities
				for regulating covered critical infrastructure shall coordinate with the
				Director on any activities of the sector-specific agency or Federal agency that
				relate to the efforts of the agency regarding security or resiliency of the
				national information infrastructure, including critical infrastructure and
				covered critical infrastructure, within or under the supervision of the
				agency.
							(b)Duplicative reporting requirements
				The head of each sector-specific agency
				and the head of any Federal agency that is not a sector-specific agency with
				responsibilities for regulating covered critical infrastructure shall
				coordinate with the Director to eliminate and avoid the creation of duplicate
				reporting or compliance requirements relating to the security or resiliency of
				the national information infrastructure, including critical infrastructure and
				covered critical infrastructure, within or under the supervision of the
				agency.
							(c)Requirements
								(1)In general
				To the extent that the head of each sector-specific
				agency and the head of any Federal agency that is not a sector-specific agency
				with responsibilities for regulating covered critical infrastructure has the
				authority to establish regulations, rules, or requirements or other required
				actions that are applicable to the security of national information
				infrastructure, including critical infrastructure and covered critical
				infrastructure, the head of that agency shall—
									(A)notify the
				Director in a timely fashion of the intent to establish the regulations, rules,
				requirements, or other required actions;
									(B)coordinate with
				the Director to ensure that the regulations, rules, requirements, or other
				required actions are consistent with, and do not conflict or impede, the
				activities of the Director under sections 247, 248, and 249; and
									(C)in coordination
				with the Director, ensure that the regulations, rules, requirements, or other
				required actions are implemented, as they relate to covered critical
				infrastructure, in accordance with subsection (a).
									(2)Coordination
				Coordination under paragraph (1)(B) shall include the active participation of the Director
				in the process for developing regulations, rules, requirements, or other
				required actions.
								(3)Rule of construction
				Nothing in this section shall be construed to
				provide additional authority for any sector-specific agency or any Federal
				agency that is not a sector-specific agency with responsibilities for
				regulating national information infrastructure, including critical
				infrastructure or covered critical infrastructure, to establish standards or
				other measures that are applicable to the security of national information
				infrastructure not otherwise authorized by law.
								253. Strategy for Federal cybersecurity supply chain management
							(a)In general
				The Secretary, in consultation with the Director of
				Cyberspace Policy, the Director, the Secretary of Defense, the Secretary of
				Commerce, the Secretary of State, the Director of National Intelligence, the
				Administrator of General Services, the Administrator for Federal Procurement
				Policy, the other members of the Chief Information Officers Council established
				under section 3603 of title 44, United States Code, the Chief Acquisition
				Officers Council established under section 16A of the Office of Federal
				Procurement Policy Act (41 U.S.C. 414b), the Chief Financial Officers Council
				established under section 302 of the Chief Financial Officers Act of 1990 (31
				U.S.C. 901 note), and the private sector, shall develop, periodically update,
				and implement a supply chain risk management strategy designed to ensure the
				security of the Federal information infrastructure, including protection
				against unauthorized access to, alteration of information in, disruption of
				operations of, interruption of communications or services of, and insertion of
				malicious software, engineering vulnerabilities, or otherwise corrupting
				software, hardware, services, or products intended for use in Federal
				information infrastructure.
							(b)Contents
				The supply chain risk management strategy developed under subsection (a)
				shall—
								(1)address risks in
				the supply chain during the entire life cycle of any part of the Federal
				information infrastructure;
								(2)place particular
				emphasis on—
									(A)securing critical
				information systems and the Federal information infrastructure;
									(B)developing
				processes that—
										(i)incorporate
				all-source intelligence analysis into assessments of the supply chain for the
				Federal information infrastructure;
										(ii)assess risks from
				potential suppliers providing critical components or services of the Federal
				information infrastructure;
										(iii)assess risks
				from individual components, including all subcomponents, or software used in or
				affecting the Federal information infrastructure;
										(iv)manage the
				quality, configuration, and security of software, hardware, and systems of the
				Federal information infrastructure throughout the life cycle of the software,
				hardware, or system, including components or subcomponents from secondary and
				tertiary sources;
										(v)detect the
				occurrence, reduce the likelihood of occurrence, and mitigate or remediate the
				risks associated with products containing counterfeit components or malicious
				functions;
										(vi)enhance
				developmental and operational test and evaluation capabilities, including
				software vulnerability detection methods and automated tools that shall be
				integrated into acquisition policy practices by Federal agencies and, where
				appropriate, make the capabilities available for use by the private sector;
				and
										(vii)protect the
				intellectual property and trade secrets of suppliers of information and
				communications technology products and services;
										(C)the use of
				internationally recognized standards and standards developed by the private
				sector and developing a process, with the National Institute for Standards and
				Technology, to make recommendations for improvements of the standards;
									(D)identifying
				acquisition practices of Federal agencies that increase risks in the supply
				chain and developing a process to provide recommendations for revisions to
				those processes; and
									(E)sharing with the
				private sector, to the fullest extent possible, the threats identified in the
				supply chain and working with the private sector to develop responses to those
				threats as identified; and
									(3)to the extent
				practicable, promote the ability of Federal agencies to procure commercial off
				the shelf information and communications technology products and services from
				a diverse pool of suppliers.
								(c)Implementation
				The Federal Acquisition Regulatory Council established under section 25(a) of the
				Office of Federal Procurement Policy Act (41 U.S.C. 421(a)) shall—
								(1)amend the Federal
				Acquisition Regulation issued under section 25 of that Act to—
									(A)incorporate, where
				relevant, the supply chain risk management strategy developed under subsection
				(a) to improve security throughout the acquisition process; and
									(B)direct that all
				software and hardware purchased by the Federal Government shall comply with
				standards developed or be interoperable with automated tools approved by the
				National Institute of Standards and Technology, to continually enhance
				security; and
									(2)develop a clause
				or set of clauses for inclusion in solicitations, contracts, and task and
				delivery orders that sets forth the responsibility of the contractor under the
				Federal Acquisition Regulation provisions implemented under this
				subsection.
								.
			TITLE III
			 Federal information security management
			301. Coordination of Federal information policy
				(a)Findings
			 Congress finds that—
					(1)since 2002 the
			 Federal Government has experienced multiple high-profile incidents that
			 resulted in the theft of sensitive information amounting to more than the
			 entire print collection contained in the Library of Congress, including
			 personally identifiable information, advanced scientific research, and
			 prenegotiated United States diplomatic positions; and
					(2)chapter 35 of
			 title 44, United States Code, must be amended to increase the coordination of
			 Federal agency activities and to enhance situational awareness throughout the
			 Federal Government using more effective enterprise-wide automated monitoring,
			 detection, and response capabilities.
					(b)In general
			 Chapter 35 of title 44, United States Code, is amended by
			 striking subchapters II and III and inserting the following:
					
						SUBCHAPTER II
				Information security
							3550. Purposes
				The purposes of this subchapter are to—
								(1)provide a
				comprehensive framework for ensuring the effectiveness of information security
				controls over information resources that support the Federal information
				infrastructure and the operations and assets of agencies;
								(2)recognize the
				highly networked nature of the current Federal information infrastructure and
				provide effective Government-wide management and oversight of the related
				information security risks, including coordination of information security
				efforts throughout the civilian, national security, and law enforcement
				communities;
								(3)provide for
				development and maintenance of prioritized and risk-based security controls
				required to protect Federal information infrastructure and information
				systems;
								(4)provide a
				mechanism for improved oversight of Federal agency information security
				programs;
								(5)acknowledge that
				commercially developed information security products offer advanced, dynamic,
				robust, and effective information security solutions, reflecting market
				solutions for the protection of critical information infrastructures important
				to the national defense and economic security of the Nation that are designed,
				built, and operated by the private sector; and
								(6)recognize that the
				selection of specific technical hardware and software information security
				solutions should be left to individual agencies from among commercially
				developed products.
								3551. Definitions
								(a)In general
				Except as provided under subsection (b), the definitions
				under section 3502 shall apply to this subchapter.
								(b)Additional definitions
				In this subchapter:
									(1)The term
				agency information infrastructure—
										(A)means information
				infrastructure that is owned, operated, controlled, or licensed for use by, or
				on behalf of, an agency, including information systems used or operated by
				another entity on behalf of the agency; and
										(B)does not include
				national security systems.
										(2)The term
				automated and continuous monitoring means monitoring at a
				frequency and sufficiency such that the data exchange requires little to no
				human involvement and is not interrupted;
									(3)The term
				incident means an occurrence that—
										(A)actually or
				potentially jeopardizes—
											(i)the information
				security of an information system; or
											(ii)the information
				the system processes, stores, or transmits; or
											(B)constitutes a
				violation or threat of violation of security policies, security procedures, or
				acceptable use policies.
										(4)The term
				information infrastructure means the underlying framework that
				information systems and assets rely on to process, transmit, receive, or store
				information electronically, including programmable electronic devices and
				communications networks and any associated hardware, software, or data.
									(5)The term
				information security means protecting information and information
				systems from disruption or unauthorized access, use, disclosure, modification,
				or destruction in order to provide—
										(A)integrity, by
				guarding against improper information modification or destruction, including by
				ensuring information nonrepudiation and authenticity;
										(B)confidentiality,
				by preserving authorized restrictions on access and disclosure, including means
				for protecting personal privacy and proprietary information; and
										(C)availability, by
				ensuring timely and reliable access to and use of information.
										(6)The term
				information technology has the meaning given that term in section
				11101 of title 40.
									(7)The term
				management controls means safeguards or countermeasures for an
				information system that focus on the management of risk and the management of
				information system security.
									(8)(A)The term national
				security system means any information system (including any
				telecommunications system) used or operated by an agency or by a contractor of
				an agency, or other organization on behalf of an agency—
											(i)the function, operation, or use of
				which—
												(I)involves intelligence activities;
												(II)involves cryptologic activities related
				to national security;
												(III)involves command and control of
				military forces;
												(IV)involves equipment that is an integral
				part of a weapon or weapons system; or
												(V)subject to subparagraph (B), is critical
				to the direct fulfillment of military or intelligence missions; or
												(ii)that is protected at all times by
				procedures established for information that have been specifically authorized
				under criteria established by an Executive order or an Act of Congress to be
				kept classified in the interest of national defense or foreign policy.
											(B)Subparagraph (A)(i)(V) does not
				include a system that is to be used for routine administrative and business
				applications (including payroll, finance, logistics, and personnel management
				applications).
										(9)The term
				operational controls means the safeguards and countermeasures for
				an information system that are primarily implemented and executed by
				individuals, not systems.
									(10)The term
				risk means the potential for an unwanted outcome resulting from an
				incident, as determined by the likelihood of the occurrence of the incident and
				the associated consequences, including potential for an adverse outcome
				assessed as a function of threats, vulnerabilities, and consequences associated
				with an incident.
									(11)The term
				risk-based security means security commensurate with the risk and
				magnitude of harm resulting from the loss, misuse, or unauthorized access to,
				or modification, of information, including assuring that systems and
				applications used by the agency operate effectively and provide appropriate
				confidentiality, integrity, and availability.
									(12)The term
				security controls means the management, operational, and technical
				controls prescribed for an information system to protect the information
				security of the system.
									(13)The term
				technical controls means the safeguards or countermeasures for an
				information system that are primarily implemented and executed by the
				information system through mechanisms contained in the hardware, software, or
				firmware components of the system.
									3552.Authority and
				functions of the National Center for Cybersecurity and Communications
								(a)In
				generalThe Director of the National Center for Cybersecurity and
				Communications shall—
									(1)develop, oversee
				the implementation of, and enforce policies, principles, and guidelines on
				information security, including through ensuring timely agency adoption of and
				compliance with standards developed under section 20 of the National Institute
				of Standards and Technology Act (15 U.S.C. 278g–3) and subtitle E of title II
				of the Homeland Security Act of 2002;
									(2)provide to
				agencies security controls that agencies shall be required to implement to
				mitigate and remediate vulnerabilities, attacks, and exploitations discovered
				as a result of activities required under this subchapter or subtitle E of title
				II of the Homeland Security Act of 2002;
									(3)to the extent
				practicable—
										(A)prioritize the
				policies, principles, standards, and guidelines promulgated under section 20 of
				the National Institute of Standards and Technology Act (15 U.S.C. 278g–3),
				paragraph (1), and subtitle E of title II of the Homeland Security Act of 2002,
				based upon the risk of an incident;
										(B)develop guidance
				that requires agencies to monitor, including automated and continuous
				monitoring of, the effective implementation of policies, principles, standards,
				and guidelines developed under section 20 of the National Institute of
				Standards and Technology Act (15 U.S.C. 278g–3), paragraph (1), and subtitle E
				of title II of the Homeland Security Act of 2002;
										(C)ensure the
				effective operation of technical capabilities within the National Center for
				Cybersecurity and Communications to enable automated and continuous monitoring
				of any information collected as a result of the guidance developed under
				subparagraph (B) and use the information to enhance the risk-based security of
				the Federal information infrastructure; and
										(D)ensure the
				effective operation of a secure system that satisfies information reporting
				requirements under sections 3553(c) and 3556(c);
										(4)require agencies,
				consistent with the standards developed under section 20 of the National
				Institute of Standards and Technology Act (15 U.S.C. 278g–3) or paragraph (1)
				and the requirements of this subchapter, to identify and provide information
				security protections commensurate with the risk resulting from the disruption
				or unauthorized access, use, disclosure, modification, or destruction
				of—
										(A)information
				collected or maintained by or on behalf of an agency; or
										(B)information
				systems used or operated by an agency or by a contractor of an agency or other
				organization on behalf of an agency;
										(5)oversee agency
				compliance with the requirements of this subchapter, including coordinating
				with the Office of Management and Budget to use any authorized action under
				section 11303 of title 40 to enforce accountability for compliance with such
				requirements;
									(6)review, at least
				annually, and approve or disapprove, agency information security programs
				required under section 3553(b); and
									(7)coordinate
				information security policies and procedures with the Administrator for
				Electronic Government and the Administrator for the Office of Information and
				Regulatory Affairs with related information resources management policies and
				procedures.
									(b)National
				security systemsThe authorities of the Director under this
				section shall not apply to national security systems.
								3553.Agency
				responsibilities
								(a)In
				generalThe head of each agency shall—
									(1)be responsible
				for—
										(A)providing
				information security protections commensurate with the risk and magnitude of
				the harm resulting from unauthorized access, use, disclosure, disruption,
				modification, or destruction of—
											(i)information
				collected or maintained by or on behalf of the agency; and
											(ii)agency
				information infrastructure;
											(B)complying with the
				requirements of this subchapter and related policies, procedures, standards,
				and guidelines, including—
											(i)information
				security requirements, including security controls, developed by the Director
				of the National Center for Cybersecurity and Communications under section 3552,
				subtitle E of title II of the Homeland Security Act of 2002, or any other
				provision of law;
											(ii)information
				security policies, principles, standards, and guidelines promulgated under
				section 20 of the National Institute of Standards and Technology Act (15 U.S.C.
				278g–3) and section 3552(a)(1);
											(iii)information
				security standards and guidelines for national security systems issued in
				accordance with law and as directed by the President; and
											(iv)ensuring the
				standards implemented for information systems and national security systems of
				the agency are complementary and uniform, to the extent practicable;
											(C)ensuring that
				information security management processes are integrated with agency strategic
				and operational planning processes, including policies, procedures, and
				practices described in subsection (c)(1)(C);
										(D)as appropriate,
				maintaining secure facilities that have the capability of accessing, sending,
				receiving, and storing classified information;
										(E)maintaining a
				sufficient number of personnel with security clearances, at the appropriate
				levels, to access, send, receive and analyze classified information to carry
				out the responsibilities of this subchapter; and
										(F)ensuring that
				information security performance indicators and measures are included in the
				annual performance evaluations of all managers, senior managers, senior
				executive service personnel, and political appointees;
										(2)ensure that senior
				agency officials provide information security for the information and
				information systems that support the operations and assets under the control of
				those officials, including through—
										(A)assessing the risk
				and magnitude of the harm that could result from the disruption or unauthorized
				access, use, disclosure, modification, or destruction of such information or
				information systems;
										(B)determining the
				levels of information security appropriate to protect such information and
				information systems in accordance with policies, principles, standards, and
				guidelines promulgated under section 20 of the National Institute of Standards
				and Technology Act (15 U.S.C. 278g–3), section 3552(a)(1), and subtitle E of
				title II of the Homeland Security Act of 2002, for information security
				categorizations and related requirements;
										(C)implementing
				policies and procedures to cost effectively reduce risks to an acceptable
				level;
										(D)periodically
				testing and evaluating information security controls and techniques to ensure
				that such controls and techniques are operating effectively; and
										(E)withholding all
				bonus and cash awards to senior agency officials accountable for the operation
				of such agency information infrastructure that are recognized by the Chief
				Information Security Officer as impairing the risk-based security of information,
				information systems, or agency information infrastructure;
										(3)delegate to a
				senior agency officer designated as the Chief Information Security Officer the
				authority and budget necessary to ensure and enforce compliance with the
				requirements imposed on the agency under this subchapter, subtitle E of title
				II of the Homeland Security Act of 2002, or any other provision of law,
				including—
										(A)overseeing the
				establishment, maintenance, and management of a security operations center that
				has technical capabilities that can, through automated and continuous
				monitoring—
											(i)detect, report,
				respond to, contain, remediate, and mitigate incidents that impair risk-based
				security of the information, information systems, and agency information
				infrastructure, in accordance with policy provided by the National Center for
				Cybersecurity and Communications;
											(ii)monitor and, on a
				risk-based basis, mitigate and remediate the vulnerabilities of every
				information system within the agency information infrastructure;
											(iii)continually
				evaluate risks posed to information collected or maintained by or on behalf of
				the agency and information systems and hold senior agency officials accountable
				for ensuring the risk-based security of such information and information
				systems;
											(iv)collaborate with
				the National Center for Cybersecurity and Communications and appropriate public
				and private sector security operations centers to address incidents that impact
				the security of information and information systems that extend beyond the
				control of the agency; and
											(v)report any
				incident described under clauses (i) and (ii), as directed by the policy of the
				National Center for Cybersecurity and Communications or the Inspector General
				of the agency;
											(B)collaborating with
				the Administrator for E–Government and the Chief Information Officer to
				establish, maintain, and update an enterprise network, system, storage, and
				security architecture, that can be accessed by the National Center for
				Cybersecurity and Communications and includes—
											(i)information on how
				security controls are implemented throughout the agency information
				infrastructure; and
											(ii)information on
				how the controls described under subparagraph (A) maintain the appropriate
				level of confidentiality, integrity, and availability of information and
				information systems based on—
												(I)the policy of the
				National Center for Cybersecurity and Communications; and
												(II)the standards or
				guidance developed by the National Institute of Standards and
				Technology;
												(C)developing,
				maintaining, and overseeing an agency-wide information security program as
				required by subsection (b);
										(D)developing,
				maintaining, and overseeing information security policies, procedures, and
				control techniques to address all applicable requirements, including those
				issued under section 3552;
										(E)training,
				consistent with the requirements of section 406 of the
				Protecting Cyberspace as a National Asset Act
				of 2010, and overseeing personnel with significant
				responsibilities for information security with respect to such
				responsibilities; and
										(F)assisting senior
				agency officers concerning their responsibilities under paragraph (2);
										(4)ensure that the
				Chief Information Security Officer has a sufficient number of cleared and
				trained personnel with technical skills identified by the National Center for
				Cybersecurity and Communications as critical to maintaining the risk-based
				security of agency information infrastructure as required by this subchapter and
				other applicable laws;
									(5)ensure that the
				agency Chief Information Security Officer, in coordination with appropriate
				senior agency officials, reports not less than annually to the head of the
				agency on the effectiveness of the agency information security program,
				including progress of remedial actions;
									(6)ensure that the
				Chief Information Security Officer—
										(A)possesses
				necessary qualifications, including education, professional certifications,
				training, experience, and the security clearance required to administer the
				functions described under this subchapter; and
										(B)has information
				security duties as the primary duty of that officer; and
										(7)ensure that
				components of that agency establish and maintain an automated reporting
				mechanism that allows the Chief Information Security Officer with
				responsibility for the entire agency, and all components thereof, to implement,
				monitor, and hold senior agency officers accountable for the implementation of
				appropriate security policies, procedures, and controls of agency
				components.
									(b)Agency-Wide
				information security programEach agency shall develop, document,
				and implement an agency-wide information security program, approved by the
				National Center for Cybersecurity and Communications under section 3552(a)(6)
				and consistent with components across and within agencies, to provide
				information security for the information and information systems that support
				the operations and assets of the agency, including those provided or managed by
				another agency, contractor, or other source, that includes—
									(1)frequent
				assessments, at least twice each month—
										(A)of the risk and
				magnitude of the harm that could result from the disruption or unauthorized
				access, use, disclosure, modification, or destruction of information and
				information systems that support the operations and assets of the agency;
				and
										(B)that assess
				whether information or information systems should be removed or migrated to
				more secure networks or standards and make recommendations to the head of the
				agency and the Director of the National Center for Cybersecurity and
				Communications based on that assessment;
										(2)consistent with
				guidance developed under section 3554, vulnerability assessments and
				penetration tests commensurate with the risk posed to an agency information
				infrastructure;
									(3)ensure that
				information security vulnerabilities are remediated or mitigated based on
				the risk posed to the agency;
									(4)policies and
				procedures that—
										(A)are informed and
				revised by the assessments required under paragraphs (1) and (2);
										(B)cost effectively
				reduce information security risks to an acceptable level;
										(C)ensure that
				information security is addressed throughout the life cycle of each agency
				information system; and
										(D)ensure compliance
				with—
											(i)the requirements
				of this subchapter;
											(ii)policies and
				procedures prescribed by the National Center for Cybersecurity and
				Communications;
											(iii)minimally
				acceptable system configuration requirements, as determined by the National
				Center for Cybersecurity and Communications; and
											(iv)any other
				applicable requirements, including standards and guidelines for national
				security systems issued in accordance with law and as directed by the
				President;
											(5)subordinate plans
				for providing risk-based information security for networks, facilities, and
				systems or groups of information systems, as appropriate;
									(6)role-based
				security awareness training, consistent with the requirements of section 406 of
				the Protecting Cyberspace as a National Asset
				Act of 2010, to inform personnel with access to the agency
				network, including contractors and other users of information systems that
				support the operations and assets of the agency, of—
										(A)information
				security risks associated with agency activities; and
										(B)agency
				responsibilities in complying with agency policies and procedures designed to
				reduce those risks;
										(7)periodic testing
				and evaluation of the effectiveness of information security policies,
				procedures, and practices, to be performed with a rigor and frequency depending
				on risk, which shall include—
										(A)testing and
				evaluation not less than twice each year of security controls of information
				collected or maintained by or on behalf of the agency and every information
				system identified in the inventory required under section 3505(c);
										(B)the effectiveness
				of ongoing monitoring, including automated and continuous monitoring,
				vulnerability scanning, and intrusion detection and prevention of incidents
				posed to the risk-based security of information and information systems as
				required under subsection (a)(3); and
										(C)testing relied on
				in—
											(i)an
				operational evaluation under section 3554;
											(ii)an independent
				assessment under section 3556; or
											(iii)another
				evaluation, to the extent specified by the Director;
											(8)a process for
				planning, implementing, evaluating, and documenting remedial action to address
				any deficiencies in the information security policies, procedures, and
				practices of the agency;
									(9)procedures for
				detecting, reporting, and responding to incidents, consistent with requirements
				issued under section 3552, that include—
										(A)to the extent
				practicable, automated and continuous monitoring of the use of information and
				information systems;
										(B)requirements for
				mitigating risks and remediating vulnerabilities associated with such incidents
				systemically within the agency information infrastructure before substantial
				damage is done; and
										(C)notifying and
				coordinating with the National Center for Cybersecurity and Communications, as
				required by this subchapter, subtitle E of title II of the Homeland Security
				Act of 2002, and any other provision of law; and
										(10)plans and
				procedures to ensure continuity of operations for information systems that
				support the operations and assets of the agency.
									(c)Agency
				reporting
									(1)In
				generalEach agency shall—
										(A)ensure that
				information relating to the adequacy and effectiveness of information security
				policies, procedures, and practices, is available to the entities identified
				under paragraph (2) through the system developed under section 3552(a)(3),
				including information relating to—
											(i)compliance with
				the requirements of this subchapter;
											(ii)the effectiveness
				of the information security policies, procedures, and practices of the agency
				based on a determination of the aggregate effect of identified deficiencies and
				vulnerabilities;
											(iii)an
				identification and analysis of any significant deficiencies identified in such
				policies, procedures, and practices;
											(iv)an identification
				of any vulnerability that could impair the risk-based security of the agency
				information infrastructure; and
											(v)results of any
				operational evaluation conducted under section 3554 and plans of action to
				address the deficiencies and vulnerabilities identified as a result of such
				operational evaluation;
											(B)follow the policy,
				guidance, and standards of the National Center for Cybersecurity and
				Communications, in consultation with the Federal Information Security
				Taskforce, to continually update, and ensure the electronic availability of
				both a classified and unclassified version of the information required under
				subparagraph (A);
										(C)ensure the
				information under subparagraph (A) addresses the adequacy and effectiveness of
				information security policies, procedures, and practices in plans and reports
				relating to—
											(i)annual agency
				budgets;
											(ii)information
				resources management under this subchapter;
											(iii)information
				technology management and procurement under this chapter or any other
				applicable provision of law;
											(iv)subtitle E of
				title II of the Homeland Security Act of 2002;
											(v)program
				performance under sections 1105 and 1115 through 1119 of title 31, and sections
				2801 and 2805 of title 39;
											(vi)financial
				management under chapter 9 of title 31, and the Chief Financial Officers Act of
				1990 (31 U.S.C. 501 note; Public Law 101–576) (and the amendments made by that
				Act);
											(vii)financial
				management systems under the Federal Financial Management Improvement Act (31
				U.S.C. 3512 note);
											(viii)internal
				accounting and administrative controls under section 3512 of title 31;
				and
											(ix)performance
				ratings, salaries, and bonuses provided to the senior managers and supporting
				personnel taking into account program performance as it relates to complying
				with this subchapter; and
											(D)report any
				significant deficiency in a policy, procedure, or practice identified under
				subparagraph (A) or (B)—
											(i)as
				a material weakness in reporting under section 3512 of title 31; and
											(ii)if relating to
				financial management systems, as an instance of a lack of substantial
				compliance under the Federal Financial Management Improvement Act (31 U.S.C.
				3512 note).
											(2)Adequacy and
				effectiveness informationInformation required under paragraph
				(1)(A) shall, to the extent possible and in accordance with applicable law,
				policy, guidance, and standards, be available on an automated and continuous
				basis to—
										(A)the National
				Center for Cybersecurity and Communications;
										(B)the Committee on
				Homeland Security and Governmental Affairs of the Senate;
										(C)the Committee on
				Government Oversight and Reform of the House of Representatives;
										(D)the Committee on
				Homeland Security of the House of Representatives;
										(E)other appropriate
				authorization and appropriations committees of Congress;
										(F)the Inspector
				General of the Federal agency; and
										(G)the Comptroller
				General.
										(d)Inclusions in
				performance plans
									(1)In
				GeneralIn addition to the requirements of subsection (c), each
				agency, in consultation with the National Center for Cybersecurity and
				Communications, shall include as part of the performance plan required under
				section 1115 of title 31 a description of the time periods and the resources,
				including budget, staffing, and training, that are necessary to implement the
				program required under subsection (b).
									(2)Risk
				assessmentsThe description under paragraph (1) shall be based on
				the risk and vulnerability assessments required under subsection (b) and
				evaluations required under section 3554.
									(e)Notice and
				commentEach agency shall provide the public with timely notice
				and opportunities for comment on proposed information security policies and
				procedures to the extent that such policies and procedures affect communication
				with the public.
								(f)More stringent
				standardsThe head of an agency may employ standards for the cost
				effective information security for information systems within or under the
				supervision of that agency that are more stringent than the standards the
				Director of the National Center for Cybersecurity and Communications prescribes
				under this subchapter, subtitle E of title II of the Homeland Security Act of
				2002, or any other provision of law, if the more stringent standards—
									(1)contain at least
				the applicable standards made compulsory and binding by the Director of the
				National Center for Cybersecurity and Communications; and
									(2)are otherwise
				consistent with policies and guidelines issued under section 3552.
									3554.Annual
				operational evaluation
								(a)Guidance
									(1)In
				generalEach year the National Center for Cybersecurity and
				Communications shall oversee, coordinate, and develop guidance for the
				effective implementation of operational evaluations of the Federal information
				infrastructure and agency information security programs and practices to
				determine the effectiveness of such programs and practices.
									(2)Collaboration in
				developmentIn developing guidance for the operational
				evaluations described under this section, the National Center for Cybersecurity
				and Communications shall collaborate with the Federal Information Security
				Taskforce and the Council of Inspectors General on Integrity and Efficiency,
				and other agencies as necessary, to develop and update risk-based performance
				indicators and measures that assess the adequacy and effectiveness of
				information security of an agency and the Federal information
				infrastructure.
									(3)Contents of
				operational evaluationEach operational evaluation under this
				section—
										(A)shall be
				prioritized based on risk; and
										(B)shall—
											(i)test the
				effectiveness of agency information security policies, procedures, and
				practices of the information systems of the agency, or a representative subset
				of those information systems;
											(ii)assess (based on
				the results of the testing) compliance with—
												(I)the requirements
				of this subchapter; and
												(II)related
				information security policies, procedures, standards, and guidelines;
												(iii)evaluate whether
				agencies—
												(I)effectively
				monitor, detect, analyze, protect, report, and respond to vulnerabilities and
				incidents;
												(II)report to and
				collaborate with the appropriate public and private security operation centers,
				the National Center for Cybersecurity and Communications, and law enforcement
				agencies; and
												(III)remediate or
				mitigate the risk posed by attacks and exploitations in a timely fashion in
				order to prevent future vulnerabilities and incidents; and
												(iv)identify
				deficiencies of agency information security policies, procedures, and controls
				on the agency information infrastructure.
											(b)Conduct an
				operational evaluation
									(1)In
				generalExcept as provided under paragraph (2), and in
				consultation with the Chief Information Officer and senior officials
				responsible for the affected systems, the Chief Information Security Officer of
				each agency shall not less than annually—
										(A)conduct an
				operational evaluation of the agency information infrastructure for
				vulnerabilities, attacks, and exploitations of the agency information
				infrastructure;
										(B)evaluate the
				ability of the agency to monitor, detect, correlate, analyze, report, and
				respond to incidents; and
										(C)report to the head
				of the agency, the National Center for Cybersecurity and Communications, the
				Chief Information Officer, and the Inspector General for the agency the
				findings of the operational evaluation.
										(2)Satisfaction of
				requirements by other evaluationUnless otherwise specified by
				the Director of the National Center for Cybersecurity and Communications, if
				the National Center for Cybersecurity and Communications conducts an
				operational evaluation of the agency information infrastructure under section
				245(b)(2)(A) of the Homeland Security Act of 2002, the Chief Information
				Security Officer may deem the requirements of paragraph (1) satisfied for the
				year in which the operational evaluation described under this paragraph is
				conducted.
									(c)Corrective
				measures, mitigation, and remediation plans
									(1)In
				generalIn consultation with the National Center for
				Cybersecurity and Communications and the Chief Information Officer, Chief
				Information Security Officers shall remediate or mitigate vulnerabilities in
				accordance with this subsection.
									(2)Risk-based
				planAfter an operational evaluation is conducted under this
				section or under section 245(b) of the Homeland Security Act of 2002, the
				agency shall submit to the National Center for Cybersecurity and Communications
				in a timely fashion a risk-based plan for addressing recommendations and
				mitigating and remediating vulnerabilities identified as a result of such
				operational evaluation, including a timeline and budget for implementing such
				plan.
									(3)Approval or
				disapprovalNot later than 15 days after receiving a plan
				submitted under paragraph (2), the National Center for Cybersecurity and
				Communications shall—
										(A)approve or
				disapprove the agency plan; and
										(B)comment on the
				adequacy and effectiveness of the plan.
										(4)Isolation from
				infrastructure
										(A)In
				generalThe Director of the National Center for Cybersecurity and
				Communications may, consistent with the contingency or continuity of operation
				plans applicable to such agency information infrastructure, order the isolation
				of any component of the Federal information infrastructure from any other
				Federal information infrastructure, if—
											(i)an agency does not
				implement measures in a risk-based plan approved under this subsection;
				and
											(ii)the failure to
				comply presents a significant danger to the Federal information
				infrastructure.
											(B)DurationAn
				isolation under subparagraph (A) shall remain in effect until—
											(i)the Director of
				the National Center for Cybersecurity and Communications determines that
				corrective measures have been implemented; or
											(ii)an updated
				risk-based plan is approved by the National Center for Cybersecurity and
				Communications and implemented by the agency.
											(d)Operational
				guidanceThe Director of the National Center for Cybersecurity
				and Communications shall—
									(1)not later than 180
				days after the date of enactment of the Protecting Cyberspace as a National Asset Act of
				2010, develop operational guidance for operational evaluations as
				required under this section that are risk-based and cost effective; and
									(2)periodically
				evaluate and ensure information is available on an automated and continuous
				basis through the system required under section 3552(a)(3)(D) to Congress
				on—
										(A)the adequacy and
				effectiveness of the operational evaluations conducted under this section or
				section 245(b) of the Homeland Security Act of 2002; and
										(B)possible executive
				and legislative actions for cost-effectively managing the risks to the Federal
				information infrastructure.
										3555.Federal
				Information Security Taskforce
								(a)EstablishmentThere
				is established in the executive branch a Federal Information Security
				Taskforce.
								(b)MembershipThe
				members of the Federal Information Security Taskforce shall be full-time senior
				Government employees and shall be as follows:
									(1)The Director of
				the National Center for Cybersecurity and Communications.
									(2)The Administrator
				of the Office of Electronic Government of the Office of Management and
				Budget.
									(3)The Chief
				Information Security Officer of each agency described under section 901(b) of
				title 31.
									(4)The Chief
				Information Security Officer of the Department of the Army, the Department of
				the Navy, and the Department of the Air Force.
									(5)A representative
				from the Office of Cyberspace Policy.
									(6)A representative
				from the Office of the Director of National Intelligence.
									(7)A representative
				from the United States Cyber Command.
									(8)A representative
				from the National Security Agency.
									(9)A representative
				from the United States Computer Emergency Readiness Team.
									(10)A representative
				from the Intelligence Community Incident Response Center.
									(11)A representative
				from the Committee on National Security Systems.
									(12)A representative
				from the National Institute for Standards and Technology.
									(13)A representative
				from the Council of Inspectors General on Integrity and Efficiency.
									(14)A representative
				from State and local government.
									(15)Any other officer
				or employee of the United States designated by the chairperson.
									(c)Chairperson and
				Vice-Chairperson
									(1)ChairpersonThe
				Director of the National Center for Cybersecurity and Communications shall act
				as chairperson of the Federal Information Security Taskforce.
									(2)Vice-chairpersonThe
				vice chairperson of the Federal Information Security Taskforce shall—
										(A)be selected by the
				Federal Information Security Taskforce from among its members;
										(B)serve a 1-year
				term and may serve multiple terms; and
										(C)serve as a liaison
				to the Chief Information Officer, Council of the Inspectors General on
				Integrity and Efficiency, Committee on National Security Systems, and other
				councils or committees as appointed by the chairperson.
										(d)FunctionsThe
				Federal Information Security Taskforce shall—
									(1)be the principal
				interagency forum for collaboration regarding best practices and
				recommendations for agency information security and the security of the Federal
				information infrastructure;
									(2)assist in the
				development of and annually evaluate guidance to fulfill the requirements under
				sections 3554 and 3556;
									(3)share experiences
				and innovative approaches relating to threats against the Federal information
				infrastructure, information sharing and information security best practices,
				penetration testing regimes, and incident response, mitigation, and
				remediation;
									(4)promote the
				development and use of standard performance indicators and measures for agency
				information security that—
										(A)are
				outcome-based;
										(B)focus on risk
				management;
										(C)align with the
				business and program goals of the agency;
										(D)measure
				improvements in the agency security posture over time; and
										(E)reduce burdensome
				and efficient performance indicators and measures;
										(5)recommend to the
				Office of Personnel Management the necessary qualifications to be established
				for Chief Information Security Officers to be capable of administering the
				functions described under this subchapter including education, training, and
				experience;
									(6)enhance
				information system processes by establishing a prioritized baseline of
				information security measures and controls that can be continuously monitored
				through automated mechanisms;
									(7)evaluate the
				effectiveness and efficiency of any reporting and compliance requirements that
				are required by law related to the information security of Federal information
				infrastructure; and
									(8)submit proposed
				enhancements developed under paragraphs (1) through (7) to the Director of the
				National Center for Cybersecurity and Communications.
									(e)Termination
									(1)In
				generalExcept as provided under paragraph (2), the Federal
				Information Security Taskforce shall terminate 4 years after the date of
				enactment of the Protecting Cyberspace as a
				National Asset Act of 2010.
									(2)ExtensionThe
				President may—
										(A)extend the Federal
				Information Security Taskforce by executive order; and
										(B)make more than 1
				extension under this paragraph for any period as the President may
				determine.
										3556.Independent
				assessments
								(a)In
				general
									(1)Inspectors
				General assessmentsNot less than every 2 years, each agency with
				an Inspector General appointed under the Inspector General Act of 1978 (5
				U.S.C. App.) shall assess the adequacy and effectiveness of the information
				security program developed under section 3553(b) and (c), and evaluations
				conducted under section 3554.
									(2)Independent
				assessmentsFor each agency to which paragraph (1) does not
				apply, the head of the agency shall engage an independent external auditor to
				perform the assessment.
									(b)Existing
				assessmentsThe assessments required by this section may be based
				in whole or in part on an audit, evaluation, or report relating to programs or
				practices of the applicable agency.
								(c)Inspectors
				General reportingInspectors General shall ensure information
				obtained as a result of the assessment required under this section, or any
				other relevant information, is available through the system required under
				section 3552(a)(3)(D) to Congress and the National Center for Cybersecurity and
				Communications.
								3557.Protection of
				information
								In complying
				with this subchapter, agencies, evaluators, and Inspectors General shall take
				appropriate actions to ensure the protection of information which, if
				disclosed, may adversely affect information security. Protections under this
				chapter shall be commensurate with the risk and comply with all applicable laws
				and regulations.
				(c)Technical and
			 conforming amendments
					(1)Table of
			 sectionsThe table of sections for chapter 35 of title 44, United
			 States Code, is amended by striking the matter relating to subchapters II and
			 III and inserting the following:
								SUBCHAPTER II—Information security
								3550. Purposes.
								3551. Definitions.
								3552. Authority and functions of the National Center for Cybersecurity and Communications.
								3553. Agency responsibilities.
								3554. Annual operational evaluation.
								3555. Federal Information Security Taskforce.
								3556. Independent assessments.
								3557. Protection of information.
					(2)Other
			 references
						(A)Section
			 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is
			 amended by striking “section 3532(3)” and inserting “section
			 3551(b)”.
						(B)Section 2222(j)(6)
			 of title 10, United States Code, is amended by striking “section
			 3542(b)(2))” and inserting “section 3551(b)”.
						(C)Section 2223(c)(3)
			 of title 10, United States Code, is amended by striking “section
			 3542(b)(2))” and inserting “section 3551(b)”.
						(D)Section 2315 of
			 title 10, United States Code, is amended by striking “section
			 3542(b)(2))” and inserting “section 3551(b)”.
						(E)Section 20(a)(2)
			 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is
			 amended by striking “section 3532(b)(2)” and inserting
			 “section 3551(b)”.
						(F)Section 21(b)(2)
			 of the National Institute of Standards and Technology Act (15 U.S.C.
			 278g–4(b)(2)) is amended by striking “Institute and” and inserting
			 “Institute, the Director of the National Center on Cybersecurity and
			 Communications, and”.
						(G)Section 21(b)(3)
			 of the National Institute of Standards and Technology Act (15 U.S.C.
			 278g–4(b)(3)) is amended by inserting “the Director of the National
			 Center on Cybersecurity and Communications,” after “the Director
			 of the National Security Agency,”.
						(H)Section 8(d)(1) of
			 the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is
			 amended by striking “section 3534(b)” and inserting “section
			 3553(b)”.
						(3)Homeland
			 Security Act of 2002
						(A)Title
			 XThe Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is
			 amended by striking title X.
						(B)Table of
			 contentsThe table of contents in section 1(b) of the Homeland
			 Security Act of 2002 (6 U.S.C. 101 et seq.) is amended by striking the matter
			 relating to title X.
						(d)Repeal of other
			 standards
					(1)In
			 generalSection 11331 of title 40, United States Code, is
			 repealed.
					(2)Technical and
			 conforming amendments
						(A)Section 20(c)(3)
			 of the National Institute of Standards and Technology Act (15 U.S.C.
			 278g–3(c)(3)) is amended by striking “under section 11331 of title 40,
			 United States Code”.
						(B)Section 20(d)(1)
			 of the National Institute of Standards and Technology Act (15 U.S.C.
			 278g–3(d)(1)) is amended by striking “the Director of the Office of
			 Management and Budget for promulgation under section 11331 of title 40, United
			 States Code” and inserting “the Secretary of Commerce for
			 promulgation”.
						(C)Section 11302(d)
			 of title 40, United States Code, is amended by striking “under section
			 11331 of this title and”.
						(D)Section
			 1874A(e)(2)(A)(ii) of the Social Security Act (42 U.S.C. 1395kk–1(e)(2)(A)(ii)) is
			 amended by striking “section 11331 of title 40, United States
			 Code” and inserting “section 3552 of title 44, United States
			 Code”.
						(E)Section 3504(g)(2)
			 of title 44, United States Code, is amended by striking “section 11331 of
			 title 40” and inserting “section 3552 of title 44”.
						(F)Section 3504(h)(1)
			 of title 44, United States Code, is amended by inserting “, the Director of the
			 National Center for Cybersecurity and Communications,” after “the
			 National Institute of Standards and Technology”.
						(G)Section
			 3504(h)(1)(B) of title 44, United States Code, is amended by striking
			 “under section 11331 of title 40” and inserting “section
			 3552 of title 44”.
						(H)Section 3518(d) of
			 title 44, United States Code, is amended by striking “sections 11331 and
			 11332” and inserting “section 11332”.
						(I)Section 3602(f)(8)
			 of title 44, United States Code, is amended by striking “under section 11331 of
			 title 40”.
						(J)Section 3603(f)(5)
			 of title 44, United States Code, is amended by striking “and promulgated
			 under section 11331 of title 40,”.
						TITLE IV—Recruitment and
			 professional development
			401.Definitions
			In this title:
				(1)Cybersecurity
			 missionThe term
			 “cybersecurity mission” means the activities of the Federal
			 Government that encompass the full range of threat reduction, vulnerability
			 reduction, deterrence, international engagement, incident response, resiliency,
			 and recovery policies and activities, including computer network operations,
			 information assurance, law enforcement, diplomacy, military, and intelligence
			 missions as such activities relate to the security and stability of
			 cyberspace.
				(2)Federal agency’s cybersecurity
			 missionThe term
			 “Federal agency’s cybersecurity mission” means, with respect to any
			 Federal agency, the portion of the cybersecurity mission that is the
			 responsibility of the Federal agency.
				402.Assessment of
			 cybersecurity workforce
				(a)In
			 generalThe Director of the Office of Personnel Management and
			 the Director shall assess the readiness and capacity of the Federal workforce
			 to meet the needs of the cybersecurity mission of the Federal
			 Government.
				(b)Strategy
					(1)In
			 generalNot later than 180 days after the date of enactment of
			 this Act, the Director of the Office of Personnel Management shall develop and
			 implement a comprehensive workforce strategy that enhances the readiness,
			 capacity, training, and recruitment and retention of Federal cybersecurity
			 personnel.
					(2)ContentsThe
			 strategy developed under paragraph (1) shall include—
						(A)a 5-year plan on
			 recruitment of personnel for the Federal workforce; and
						(B)10-year and
			 20-year projections of workforce needs.
						403.Strategic
			 cybersecurity workforce planning
				(a)Federal agency
			 development of strategic cybersecurity workforce plansNot later
			 than 180 days after the date of enactment of this Act and in every subsequent
			 year, the head of each Federal agency shall develop a strategic cybersecurity
			 workforce plan as part of the Federal agency performance plan required under
			 section 1115 of title 31, United States Code.
				(b)Interagency
			 coordinationEach Federal agency shall develop a plan prepared
			 under subsection (a)—
					(1)on the basis of
			 the assessment developed under section 402 and any subsequent guidance from the
			 Director of the Office of Personnel Management and the Director; and
					(2)in consultation
			 with the Director and the Director of the Office of Management and
			 Budget.
					(c)Contents of the
			 plan
					(1)In
			 generalEach plan prepared under subsection (a) shall
			 include—
						(A)a description of
			 the Federal agency’s cybersecurity mission;
						(B)subject to
			 paragraph (2), a description and analysis, relating to the specialized
			 workforce needed by the Federal agency to fulfill the Federal agency’s
			 cybersecurity mission, including—
							(i)the
			 workforce needs of the Federal agency on the date of the report, and 10-year
			 and 20-year projections of workforce needs;
							(ii)hiring
			 projections to meet workforce needs, including, for at least a 2-year period,
			 specific occupation and grade levels;
							(iii)long-term and
			 short-term strategic goals to address critical skills deficiencies, including
			 analysis of the numbers of and reasons for attrition of employees;
							(iv)recruitment
			 strategies, including the use of student internships, part-time employment,
			 student loan reimbursement, and telework, to attract highly qualified
			 candidates from diverse backgrounds and geographic locations;
							(v)an
			 assessment of the sources and availability of individuals with needed
			 expertise;
							(vi)ways to
			 streamline the hiring process;
							(vii)the barriers to
			 recruiting and hiring individuals qualified in cybersecurity and
			 recommendations to overcome the barriers; and
							(viii)a
			 training and development plan, consistent with the curriculum developed under
			 section 406, to enhance and improve the knowledge of employees.
							(2)Federal agencies
			 with small specialized workforceIn accordance with guidance
			 provided by the Director of the Office of Personnel Management, a Federal
			 agency that needs only a small specialized workforce to fulfill the Federal
			 agency’s cybersecurity mission may present the workforce plan components
			 referred to in paragraph (1)(B) as part of the Federal agency performance plan
			 required under section 1115 of title 31, United States Code.
					404.Cybersecurity
			 occupation classifications
				(a)In
			 generalNot later than 1 year after the date of enactment of this
			 Act, the Director of the Office of Personnel Management, in coordination with
			 the Director, shall develop and issue comprehensive occupation classifications
			 for Federal employees engaged in cybersecurity missions.
				(b)Applicability of
			 classificationsThe Director of the Office of Personnel
			 Management shall ensure that the comprehensive occupation classifications
			 issued under subsection (a) may be used throughout the Federal
			 Government.
				405.Measures of
			 cybersecurity hiring effectiveness
				(a)In
			 generalThe head of each Federal agency shall measure, and
			 collect information on, indicators of the effectiveness of the recruitment and
			 hiring by the Federal agency of a workforce needed to fulfill the Federal
			 agency’s cybersecurity mission.
				(b)Types of
			 informationThe indicators of effectiveness measured and subject
			 to collection of information under subsection (a) shall include indicators with
			 respect to the following:
					(1)Recruiting and
			 hiringIn relation to recruiting and hiring by the Federal
			 agency—
						(A)the ability to
			 reach and recruit well-qualified individuals from diverse talent pools;
						(B)the use and impact
			 of special hiring authorities and flexibilities to recruit the most qualified
			 applicants, including the use of student internship and scholarship programs
			 for permanent hires;
						(C)the use and impact
			 of special hiring authorities and flexibilities to recruit diverse candidates,
			 including criteria such as the veteran status, race, ethnicity, gender,
			 disability, or national origin of the candidates; and
						(D)the educational
			 level, and source of applicants.
						(2)SupervisorsIn
			 relation to the supervisors of the positions being filled—
						(A)satisfaction with
			 the quality of the applicants interviewed and hired;
						(B)satisfaction with
			 the match between the skills of the individuals and the needs of the Federal
			 agency;
						(C)satisfaction of
			 the supervisors with the hiring process and hiring outcomes;
						(D)whether any
			 mission-critical deficiencies were addressed by the individuals and the
			 connection between the deficiencies and the performance of the Federal agency;
			 and
						(E)the satisfaction
			 of the supervisors with the period of time elapsed to fill the
			 positions.
						(3)ApplicantsThe
			 satisfaction of applicants with the hiring process, including clarity of job
			 announcements, any reasons for withdrawal of an application, the
			 user-friendliness of the application process, communication regarding status of
			 applications, and the timeliness of offers of employment.
					(4)Hired
			 individualsIn relation to the individuals hired—
						(A)satisfaction with
			 the hiring process;
						(B)satisfaction with
			 the process of starting employment in the position for which the individual was
			 hired;
						(C)attrition;
			 and
						(D)the results of
			 exit interviews.
						(c)Reports
					(1)In
			 generalThe head of each Federal agency shall submit the
			 information collected under this section to the Director of the Office of
			 Personnel Management on an annual basis and in accordance with the regulations
			 issued under subsection (d).
					(2)Availability of
			 recruiting and hiring information
						(A)In
			 generalThe Director of the Office of Personnel Management shall
			 prepare an annual report containing the information received under paragraph
			 (1) in a consistent format to allow for a comparison of hiring effectiveness
			 and experience across demographic groups and Federal agencies.
						(B)SubmissionThe
			 Director of the Office of Personnel Management shall—
							(i)not
			 later than 90 days after the receipt of all information required to be
			 submitted under paragraph (1), make the report prepared under subparagraph (A)
			 publicly available, including on the Web site of the Office of Personnel
			 Management; and
							(ii)before the date
			 on which the report prepared under subparagraph (A) is made publicly available,
			 submit the report to Congress.
							(d)Regulations
					(1)In
			 generalNot later than 180 days after the date of enactment of
			 this Act, the Director of the Office of Personnel Management shall issue
			 regulations establishing the methodology, timing, and reporting of the data
			 required to be submitted under this section.
					(2)Scope and detail
			 of required informationThe regulations under paragraph (1) shall
			 delimit the scope and detail of the information that a Federal agency is
			 required to collect and submit under this section, taking account of the size
			 and complexity of the workforce that the Federal agency needs to fulfill the
			 Federal agency’s cybersecurity mission.
					406.Training and
			 education
				(a)Training
					(1)Federal
			 Government employees and Federal contractorsThe Director of the
			 Office of Personnel Management, in conjunction with the Director of the
			 National Center for Cybersecurity and Communications, the Director of National
			 Intelligence, the Secretary of Defense, and the Chief Information Officers
			 Council established under section 3603 of title 44, United States Code, shall
			 establish a cybersecurity awareness and education curriculum that shall be
			 required for all Federal employees and contractors engaged in the design,
			 development, or operation of agency information infrastructure, as defined
			 under section 3551 of title 44, United States Code.
					(2)ContentsThe
			 curriculum established under paragraph (1) may include—
						(A)role-based
			 security awareness training;
						(B)recommended
			 cybersecurity practices;
						(C)cybersecurity
			 recommendations for traveling abroad;
						(D)unclassified
			 counterintelligence information;
						(E)information
			 regarding industrial espionage;
						(F)information
			 regarding malicious activity online;
						(G)information
			 regarding cybersecurity and law enforcement;
						(H)identity
			 management information;
						(I)information
			 regarding supply chain security;
						(J)information
			 security risks associated with the activities of Federal employees; and
						(K)the
			 responsibilities of Federal employees in complying with policies and procedures
			 designed to reduce information security risks identified under subparagraph
			 (J).
						(3)Federal
			 cybersecurity professionalsThe Director of the Office of
			 Personnel Management in conjunction with the Director of the National Center
			 for Cybersecurity and Communications, the Director of National Intelligence,
			 the Secretary of Defense, the Director of the Office of Management and Budget,
			 and, as appropriate, colleges, universities, and nonprofit organizations with
			 cybersecurity training expertise, shall develop a program, to provide training
			 to improve and enhance the skills and capabilities of Federal employees engaged
			 in the cybersecurity mission, including training specific to the acquisition
			 workforce.
					(4)Heads of Federal
			 agenciesNot later than 30 days after the date on which an
			 individual is appointed to a position at level I or II of the Executive
			 Schedule, the Director of the National Center for Cybersecurity and
			 Communications and the Director of National Intelligence, or their designees,
			 shall provide that individual with a cybersecurity threat briefing.
					(5)CertificationThe
			 head of each Federal agency shall include in the annual report required under
			 section 3553(c) of title 44, United States Code, a certification regarding
			 whether all officers, employees, and contractors of the Federal agency have
			 completed the training required under this subsection.
					(b)Education
					(1)Federal
			 employeesThe Director of the Office of Personnel Management, in
			 coordination with the Secretary of Education, the Director of the National
			 Science Foundation, and the Director, shall develop and implement a strategy to
			 provide Federal employees who work in cybersecurity missions with the
			 opportunity to obtain additional education.
					(2)K through
			 12The Secretary of Education, in coordination with the Director
			 of the National Center for Cybersecurity and Communications and State and local
			 governments, shall develop curriculum standards, guidelines, and recommended
			 courses to address cyber safety, cybersecurity, and cyber ethics for students
			 in kindergarten through grade 12.
					(3)Undergraduate,
			 graduate, vocational, and technical institutions
						(A)Secretary of
			 educationThe Secretary of Education, in coordination with the
			 Director of the National Center for Cybersecurity and Communications,
			 shall—
							(i)develop curriculum
			 standards and guidelines to address cyber safety, cybersecurity, and cyber
			 ethics for all students enrolled in undergraduate, graduate, vocational, and
			 technical institutions in the United States; and
							(ii)analyze and
			 develop recommended courses for students interested in pursuing careers in
			 information technology, communications, computer science, engineering, math,
			 and science, as those subjects relate to cybersecurity.
							(B)Office of
			 personnel managementThe Director of the Office of Personnel
			 Management, in coordination with the Director, shall develop strategies and
			 programs—
							(i)to
			 recruit students from undergraduate, graduate, vocational, and technical
			 institutions in the United States to serve as Federal employees engaged in
			 cyber missions; and
							(ii)that provide
			 internship and part-time work opportunities with the Federal Government for
			 students at the undergraduate, graduate, vocational, and technical institutions
			 in the United States.
							(c)Cyber talent
			 competitions and challenges
					(1)In
			 generalThe Director of the National Center for Cybersecurity and
			 Communications shall establish a program to ensure the effective operation of
			 national and statewide competitions and challenges that seek to identify,
			 develop, and recruit talented individuals to work in Federal agencies, State
			 and local government agencies, and the private sector to perform duties
			 relating to the security of the Federal information infrastructure or the
			 national information infrastructure.
					(2)Groups and
			 individualsThe program under this subsection shall
			 include—
						(A)high school
			 students;
						(B)undergraduate
			 students;
						(C)graduate
			 students;
						(D)academic and
			 research institutions;
						(E)veterans;
			 and
						(F)other groups or
			 individuals as the Director may determine.
						(3)Support of other
			 competitions and challengesThe program under this subsection may
			 support other competitions and challenges not established under this subsection
			 through affiliation and cooperative agreements with—
						(A)Federal
			 agencies;
						(B)regional, State,
			 or community school programs supporting the development of cyber professionals;
			 or
						(C)other private
			 sector organizations.
						(4)Areas of
			 talentThe program under this subsection shall seek to identify,
			 develop, and recruit exceptional talent relating to—
						(A)ethical
			 hacking;
						(B)penetration
			 testing;
						(C)vulnerability
			 assessment;
						(D)continuity of
			 system operations;
						(E)cyber forensics;
			 and
						(F)offensive and
			 defensive cyber operations.
						407.Cybersecurity
			 incentives
				(a)AwardsIn
			 making cash awards under chapter 45 of title 5, United States Code, the
			 President or the head of a Federal agency, in consultation with the Director,
			 shall consider the success of an employee in fulfilling the objectives of the
			 National Strategy, in a manner consistent with any policies, guidelines,
			 procedures, instructions, or standards established by the President.
				(b)Other
			 incentivesThe head of each Federal agency shall adopt best
			 practices, developed by the Director of the National Center for Cybersecurity
			 and Communications and the Office of Management and Budget, regarding effective
			 ways to educate and motivate employees of the Federal Government to demonstrate
			 leadership in cybersecurity, including—
					(1)promotions and
			 other nonmonetary awards; and
					(2)publicizing
			 information sharing accomplishments by individual employees and, if
			 appropriate, the tangible benefits that resulted.
					408.Recruitment and
			 retention program for the National Center for Cybersecurity and
			 Communications
				(a)DefinitionsIn
			 this section:
					(1)CenterThe
			 term “Center” means the National Center for Cybersecurity and
			 Communications.
					(2)DepartmentThe
			 term “Department” means the Department of Homeland Security.
					(3)DirectorThe
			 term “Director” means the Director of the Center.
					(4)Entry level
			 positionThe term “entry level position” means a
			 position that—
						(A)is established by
			 the Director in the Center; and
						(B)is classified at
			 GS–7, GS–8, or GS–9 of the General Schedule.
						(5)SecretaryThe
			 term “Secretary” means the Secretary of Homeland Security.
					(6)Senior
			 positionThe term “senior position” means a position
			 that—
						(A)is established by
			 the Director in the Center; and
						(B)is not established
			 under section 5108 of title 5, United States Code, but is similar in duties and
			 responsibilities for positions established under that section.
						(b)Recruitment and
			 retention program
					(1)EstablishmentThe
			 Director may establish a program to assist in the recruitment and retention of
			 highly skilled personnel to carry out the functions of the Center.
					(2)Consultation and
			 considerationsIn establishing a program under this section, the
			 Director shall—
						(A)consult with the
			 Secretary; and
						(B)consider—
							(i)national and local
			 employment trends;
							(ii)the
			 availability and quality of candidates;
							(iii)any specialized
			 education or certifications required for positions;
							(iv)whether there is
			 a shortage of certain skills; and
							(v)such
			 other factors as the Director determines appropriate.
							(c)Hiring and
			 special pay authorities
					(1)Direct hire
			 authorityWithout regard to the civil service laws (other than
			 sections 3303 and 3328 of title 5, United States Code), the Director may
			 appoint not more than 500 employees under this subsection to carry out the
			 functions of the Center.
					(2)Rates of
			 pay
						(A)Entry level
			 positionsThe Director may fix the pay of the employees appointed
			 to entry level positions under this subsection without regard to chapter 51 and
			 subchapter III of chapter 53 of title 5, United States Code, relating to
			 classification of positions and General Schedule pay rates, except that the
			 rate of pay for any such employee may not exceed the maximum rate of basic pay
			 payable for a position at GS–10 of the General Schedule while that employee is
			 in an entry level position.
						(B)Senior
			 positions
							(i)In
			 generalThe Director may fix the pay of the employees appointed
			 to senior positions under this subsection without regard to chapter 51 and
			 subchapter III of chapter 53 of title 5, United States Code, relating to
			 classification of positions and General Schedule pay rates, except that the
			 rate of pay for any such employee may not exceed the maximum rate of basic pay
			 payable under section 5376 of title 5, United States Code.
							(ii)Higher maximum
			 rates
								(I)In
			 generalNotwithstanding the limitation on rates of pay under
			 clause (i)—
									(aa)not
			 more than 20 employees, identified by the Director, may be paid at a rate of
			 pay not to exceed the maximum rate of basic pay payable for a position at level
			 I of the Executive Schedule under section 5312 of title 5, United States Code;
			 and
									(bb)not
			 more than 5 employees, identified by the Director with the approval of the
			 Secretary, may be paid at a rate of pay not to exceed the maximum rate of basic
			 pay payable for the Vice President under section 104 of title 3, United States
			 Code.
									(II)Nondelegation
			 of authorityThe Secretary or the Director may not delegate any
			 authority under this clause.
								(d)Conversion to
			 Competitive Service
					(1)DefinitionIn
			 this subsection, the term qualified employee means any individual
			 appointed to an excepted service position in the Department who performs
			 functions relating to the security of the Federal information infrastructure or
			 national information infrastructure.
					(2)Competitive
			 civil service statusIn consultation with the Director, the
			 Secretary may grant competitive civil service status to a qualified employee if
			 that employee is—
						(A)employed in the
			 Center; or
						(B)transferring to
			 the Center.
						(e)Retention
			 Bonuses
					(1)AuthorityNotwithstanding
			 section 5754 of title 5, United States Code, the Director may—
						(A)pay a retention
			 bonus under that section to any individual appointed under this subsection, if
			 the Director determines that, in the absence of a retention bonus, there is a
			 high risk that the individual would likely leave employment with the
			 Department; and
						(B)exercise the
			 authorities of the Office of Personnel Management and the head of an agency
			 under that section with respect to retention bonuses paid under this
			 subsection.
						(2)Limitations on
			 amount of annual bonuses
						(A)DefinitionsIn
			 this paragraph:
							(i)Maximum total
			 payThe term maximum total pay means—
								(I)in the case of an
			 employee described under subsection (c)(2)(B)(i), the total amount of pay paid
			 in a calendar year at the maximum rate of basic pay payable for a position at
			 level I of the Executive Schedule under section 5312 of title 5, United States
			 Code;
								(II)in the case of an
			 employee described under subsection (c)(2)(B)(ii)(I)(aa), the total amount of
			 pay paid in a calendar year at the maximum rate of basic pay payable for a
			 position at level I of the Executive Schedule under section 5312 of title 5,
			 United States Code; and
								(III)in the case of
			 an employee described under subsection (c)(2)(B)(ii)(I)(bb), the total amount
			 of pay paid in a calendar year at the maximum rate of basic pay payable for the
			 Vice President under section 104 of title 3, United States Code.
								(ii)Total
			 compensationThe term total compensation
			 means—
								(I)the amount of pay
			 paid to an employee in any calendar year; and
								(II)the amount of all
			 retention bonuses paid to an employee in any calendar year.
								(B)LimitationThe
			 Director may not pay a retention bonus under this subsection to an employee
			 that would result in the total compensation of that employee exceeding maximum
			 total pay.
						(f)Termination of
			 AuthorityThe authority to make appointments and pay retention
			 bonuses under this section shall terminate 3 years after the date of enactment
			 of this Act.
				(g)Reports
					(1)Plan for
			 execution of authoritiesNot later than 120 days of enactment of
			 this Act, the Director shall submit a report to the appropriate committees of
			 Congress with a plan for the execution of the authorities provided under this
			 section.
					(2)Annual
			 reportNot later than 6 months after the date of enactment of
			 this Act, and every year thereafter, the Director shall submit to the
			 appropriate committees of Congress a detailed report that—
						(A)discusses how the
			 actions taken during the period of the report are fulfilling the critical
			 hiring needs of the Center;
						(B)assesses metrics
			 relating to individuals hired under the authority of this section,
			 including—
							(i)the
			 numbers of individuals hired;
							(ii)the
			 turnover in relevant positions;
							(iii)with respect to
			 each individual hired—
								(I)the position for
			 which hired;
								(II)the salary
			 paid;
								(III)any retention
			 bonus paid and the amount of the bonus;
								(IV)the geographic
			 location from which hired;
								(V)the immediate past
			 salary; and
								(VI)whether the
			 individual was a noncareer appointee in the Senior Executive Service or an
			 appointee to a position of a confidential or policy-determining character under
			 schedule C of subpart C of part 213 of title 5 of the Code of Federal
			 Regulations before the hiring; and
								(iv)whether public
			 notice for recruitment was made, and if so—
								(I)the total number
			 of qualified applicants;
								(II)the number of
			 veteran preference eligible candidates who applied;
								(III)the time from
			 posting to job offer; and
								(IV)statistics on
			 diversity, including age, disability, race, gender, and national origin, of
			 individuals hired under the authority of this section to the extent such
			 statistics are available; and
								(C)includes rates of
			 pay set in accordance with subsection (c).
TITLE V—Other provisions
501. Consultation on cybersecurity matters. The Chairman of the Federal Trade Commission, the Chairman of the Federal Communications Commission, and the head of any other Federal agency determined appropriate by the President shall consult with the Director of the National Center for Cybersecurity and Communications regarding any regulation, rule, or requirement to be issued or other action to be required by the Federal agency relating to the security and resiliency of the national information infrastructure.
502. Cybersecurity research and development. Subtitle D of title II of the Homeland Security Act of 2002 (6 U.S.C. 161 et seq.) is amended by adding at the end the following:
    “238. Cybersecurity research and development
      (a) Establishment of research and development program. The Under Secretary for Science and Technology, in coordination with the Director of the National Center for Cybersecurity and Communications, shall carry out a research and development program for the purpose of improving the security of information infrastructure.
      (b) Eligible projects. The research and development program carried out under subsection (a) may include projects to—
        (1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the secure domain name addressing system and routing security;
        (2) improve and create technologies for detecting and analyzing attacks or intrusions, including analysis of malicious software;
        (3) improve and create mitigation and recovery methodologies, including techniques for containment of attacks and development of resilient networks and systems;
        (4) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, testbeds, and data sets for assessment of new cybersecurity technologies;
        (5) assist the development and support of technologies to reduce vulnerabilities in process control systems;
        (6) understand human behavioral factors that can affect cybersecurity technology and practices;
        (7) test, evaluate, and facilitate, with appropriate protections for any proprietary information concerning the technologies, the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle;
        (8) assist the development of identity management and attribution technologies;
        (9) assist the development of technologies designed to increase the security and resiliency of telecommunications networks;
        (10) advance the protection of privacy and civil liberties in cybersecurity technology and practices; and
        (11) address other risks identified by the Director of the National Center for Cybersecurity and Communications.
      (c) Coordination with other research initiatives. The Under Secretary—
        (1) shall ensure that the research and development program carried out under subsection (a) is consistent with the national strategy to increase the security and resilience of cyberspace developed by the Director of Cyberspace Policy under section 101 of the Protecting Cyberspace as a National Asset Act of 2010, or any succeeding strategy;
        (2) shall, to the extent practicable, coordinate the research and development activities of the Department with other ongoing research and development security-related initiatives, including research being conducted by—
          (A) the National Institute of Standards and Technology;
          (B) the National Academy of Sciences;
          (C) other Federal agencies, as defined under section 241;
          (D) other Federal and private research laboratories, research entities, and universities and institutions of higher education, and relevant nonprofit organizations; and
          (E) international partners of the United States;
        (3) shall carry out any research and development project under subsection (a) through a reimbursable agreement with an appropriate Federal agency, as defined under section 241, if the Federal agency—
          (A) is sponsoring a research and development project in a similar area; or
          (B) has a unique facility or capability that would be useful in carrying out the project;
        (4) may make grants to, or enter into cooperative agreements, contracts, other transactions, or reimbursable agreements with, the entities described in paragraph (2); and
        (5) shall submit a report to the appropriate committees of Congress on a review of the cybersecurity activities, and the capacity, of the national laboratories and other research entities available to the Department to determine if the establishment of a national laboratory dedicated to cybersecurity research and development is necessary.
      (d) Privacy and civil rights and civil liberties issues
        (1) Consultation. In carrying out research and development projects under subsection (a), the Under Secretary shall consult with the Privacy Officer appointed under section 222 and the Officer for Civil Rights and Civil Liberties of the Department appointed under section 705.
        (2) Privacy impact assessments. In accordance with sections 222 and 705, the Privacy Officer shall conduct privacy impact assessments and the Officer for Civil Rights and Civil Liberties shall conduct reviews, as appropriate, for research and development projects carried out under subsection (a) that the Under Secretary determines could have an impact on privacy, civil rights, or civil liberties.
    239. National Cybersecurity Advisory Council
      (a) Establishment. Not later than 90 days after the date of enactment of this section, the Secretary shall establish an advisory committee under section 871 on private sector cybersecurity, to be known as the National Cybersecurity Advisory Council (in this section referred to as the “Council”).
      (b) Responsibilities
        (1) In general. The Council shall advise the Director of the National Center for Cybersecurity and Communications on the implementation of the cybersecurity provisions affecting the private sector under this subtitle and subtitle E.
        (2) Incentives and regulations. The Council shall advise the Director of the National Center for Cybersecurity and Communications and appropriate committees of Congress (as defined in section 241) and any other congressional committee with jurisdiction over the particular matter regarding how market incentives and regulations may be implemented to enhance the cybersecurity and economic security of the Nation.
      (c) Membership
        (1) In general. The members of the Council shall be appointed by the Director of the National Center for Cybersecurity and Communications and shall, to the extent practicable, represent a geographic and substantive cross-section of owners and operators of critical infrastructure and others with expertise in cybersecurity, including, as appropriate—
          (A) representatives of covered critical infrastructure (as defined under section 241);
          (B) academic institutions with expertise in cybersecurity;
          (C) Federal, State, and local government agencies with expertise in cybersecurity;
          (D) a representative of the National Security Telecommunications Advisory Council, as established by Executive Order 12382 (47 Fed. Reg. 40531; relating to the establishment of the advisory council), as amended by Executive Order 13286 (68 Fed. Reg. 10619), as in effect on August 3, 2009, or any successor entity;
          (E) a representative of the Communications Sector Coordinating Council, or any successor entity;
          (F) a representative of the Information Technology Sector Coordinating Council, or any successor entity;
          (G) individuals, acting in their personal capacity, with demonstrated technical expertise in cybersecurity; and
          (H) such other individuals as the Director determines to be appropriate, including owners of small business concerns (as defined under section 3 of the Small Business Act (15 U.S.C. 632)).
        (2) Term. The members of the Council shall be appointed for 2-year terms and may be appointed to consecutive terms.
        (3) Leadership. The Chairperson and Vice-Chairperson of the Council shall be selected by members of the Council from among the members of the Council and shall serve 2-year terms.
      (d) Applicability of Federal Advisory Committee Act. The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Council.”.
503. Prioritized critical information infrastructure. Section 210E(a)(2) of the Homeland Security Act of 2002 (6 U.S.C. 124l(a)(2)) is amended—
  (1) by striking “In accordance” and inserting the following:
    “(A) In general. In accordance”; and
  (2) by adding at the end the following:
    “(B) Considerations. In establishing and maintaining a list under subparagraph (A), the Secretary, in coordination with the Director of the National Center for Cybersecurity and Communications and in consultation with the National Cybersecurity Advisory Council, shall—
      (i) consider cyber vulnerabilities and consequences by sector, including—
        (I) the factors listed in section 248(a)(2);
        (II) interdependencies between components of covered critical infrastructure (as defined under section 241); and
        (III) any other security related factor determined appropriate by the Secretary; and
      (ii) add covered critical infrastructure to or delete covered critical infrastructure from the list based on the factors listed in clause (i) for purposes of sections 248 and 249.
    (C) Notification. The Secretary—
      (i) shall notify the owner or operator of any system or asset added under subparagraph (B)(ii) to the list established and maintained under subparagraph (A) as soon as is practicable;
      (ii) shall develop a mechanism for an owner or operator notified under clause (i) to provide relevant information to the Secretary and the Director of the National Center for Cybersecurity and Communications relating to the inclusion of the system or asset on the list, including any information that the owner or operator believes may have led to the improper inclusion of the system or asset on the list; and
      (iii) at the sole and unreviewable discretion of the Secretary, may revise the list based on information provided in clause (ii).”.
504. National Center for Cybersecurity and Communications acquisition authorities
  (a) In general. The National Center for Cybersecurity and Communications is authorized to use the authorities under subsections (c)(1) and (d)(1)(B) of section 2304 of title 10, United States Code, instead of the authorities under subsections (c)(1) and (d)(1)(B) of section 303 of the Federal Property and Administrative Services Act of 1949 (41 U.S.C. 253), subject to all other requirements of section 303 of the Federal Property and Administrative Services Act of 1949.
  (b) Guidelines. Not later than 90 days after the date of enactment of this Act, the chief procurement officer of the Department of Homeland Security shall issue guidelines for use of the authority under subsection (a).
  (c) Termination. The National Center for Cybersecurity and Communications may not use the authority under subsection (a) on and after the date that is 3 years after the date of enactment of this Act.
  (d) Reporting
    (1) In general. On a semiannual basis, the Director of the National Center for Cybersecurity and Communications shall submit a report on use of the authority granted by subsection (a) to—
      (A) the Committee on Homeland Security and Governmental Affairs of the Senate; and
      (B) the Committee on Homeland Security of the House of Representatives.
    (2) Contents. Each report submitted under paragraph (1) shall include, at a minimum—
      (A) the number of contract actions taken under the authority under subsection (a) during the period covered by the report; and
      (B) for each contract action described in subparagraph (A)—
        (i) the total dollar value of the contract action;
        (ii) a summary of the market research conducted by the National Center for Cybersecurity and Communications, including a list of all offerors who were considered and those who actually submitted bids, in order to determine that use of the authority was appropriate; and
        (iii) a copy of the justification and approval documents required by section 303(f) of the Federal Property and Administrative Services Act of 1949 (41 U.S.C. 253(f)).
    (3) Classified annex. A report submitted under this subsection shall be submitted in an unclassified form, but may include a classified annex, if necessary.
505. Technical and conforming amendments
  (a) Elimination of assistant Secretary for cybersecurity and communications. The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—
    (1) in section 103(a)(8) (6 U.S.C. 113(a)(8)), by striking “, cybersecurity,”;
    (2) in section 514 (6 U.S.C. 321c)—
      (A) by striking subsection (b); and
      (B) by redesignating subsection (c) as subsection (b); and
    (3) in section 1801(b) (6 U.S.C. 571(b)), by striking “shall report to the Assistant Secretary for Cybersecurity and Communications” and inserting “shall report to the Director of the National Center for Cybersecurity and Communications”.
  (b) CIO council. Section 3603(b) of title 44, United States Code, is amended—
    (1) by redesignating paragraph (7) as paragraph (8); and
    (2) by inserting after paragraph (6) the following:
      “(7) The Director of the National Center for Cybersecurity and Communications.”.
  (c) Repeal. The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—
    (1) by striking section 223 (6 U.S.C. 143); and
    (2) by redesignating sections 224 and 225 (6 U.S.C. 144 and 145) as sections 223 and 224, respectively.
  (d) Technical correction. Section 1802(a) of the Homeland Security Act of 2002 (6 U.S.C. 572(a)) is amended in the matter preceding paragraph (1) by striking “Department of”.
  (e) Executive schedule position. Section 5313 of title 5, United States Code, is amended by adding at the end the following:
      “Director of the National Center for Cybersecurity and Communications.”.
  (f) Table of contents. The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—
    (1) by striking the items relating to sections 223, 224, and 225 and inserting the following:
      “Sec. 223. NET guard.
      Sec. 224. Cyber Security Enhancements Act of 2002.”; and
    (2) by inserting after the item relating to section 237 the following:
      “Sec. 238. Cybersecurity research and development.
      Sec. 239. National Cybersecurity Advisory Council.
      Subtitle E—Cybersecurity
      Sec. 241. Definitions.
      Sec. 242. National Center for Cybersecurity and Communications.
      Sec. 243. Physical and cyber infrastructure collaboration.
      Sec. 244. United States Computer Emergency Readiness Team.
      Sec. 245. Additional authorities of the Director of the National Center for Cybersecurity and Communications.
      Sec. 246. Information sharing.
      Sec. 247. Private sector assistance.
      Sec. 248. Cyber vulnerabilities to covered critical infrastructure.
      Sec. 249. National cyber emergencies.
      Sec. 250. Enforcement.
      Sec. 251. Protection of information.
      Sec. 252. Sector-specific agencies.
      Sec. 253. Strategy for Federal cybersecurity supply chain management.”.