[Congressional Bills 111th Congress]
[From the U.S. Government Publishing Office]
[S. 3480 Reported in Senate (RS)]

                                                       Calendar No. 698
111th CONGRESS
  2d Session
                                S. 3480

                          [Report No. 111-368]

 To amend the Homeland Security Act of 2002 and other laws to enhance 
      the security and resiliency of the cyber and communications 
                  infrastructure of the United States.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 10, 2010

Mr. Lieberman (for himself, Ms. Collins, and Mr. Carper) introduced the 
 following bill; which was read twice and referred to the Committee on 
               Homeland Security and Governmental Affairs

                           December 15, 2010

              Reported by Mr. Lieberman, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To amend the Homeland Security Act of 2002 and other laws to enhance 
      the security and resiliency of the cyber and communications 
                  infrastructure of the United States.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Protecting Cyberspace as a 
National Asset Act of 2010''.</DELETED>

<DELETED>SEC. 2. TABLE OF CONTENTS.</DELETED>

<DELETED>    The table of contents for this Act is as 
follows:</DELETED>

<DELETED>Sec. 1. Short title.
<DELETED>Sec. 2. Table of contents.
<DELETED>Sec. 3. Definitions.
             <DELETED>TITLE I--OFFICE OF CYBERSPACE POLICY

<DELETED>Sec. 101. Establishment of the Office of Cyberspace Policy.
<DELETED>Sec. 102. Appointment and responsibilities of the Director.
<DELETED>Sec. 103. Prohibition on political campaigning.
<DELETED>Sec. 104. Review of Federal agency budget requests relating to 
                            the National Strategy.
<DELETED>Sec. 105. Access to intelligence.
<DELETED>Sec. 106. Consultation.
<DELETED>Sec. 107. Reports to Congress.
<DELETED>TITLE II--NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS

<DELETED>Sec. 201. Cybersecurity.
      <DELETED>TITLE III--FEDERAL INFORMATION SECURITY MANAGEMENT

<DELETED>Sec. 301. Coordination of Federal information policy.
      <DELETED>TITLE IV--RECRUITMENT AND PROFESSIONAL DEVELOPMENT

<DELETED>Sec. 401. Definitions.
<DELETED>Sec. 402. Assessment of cybersecurity workforce.
<DELETED>Sec. 403. Strategic cybersecurity workforce planning.
<DELETED>Sec. 404. Cybersecurity occupation classifications.
<DELETED>Sec. 405. Measures of cybersecurity hiring effectiveness.
<DELETED>Sec. 406. Training and education.
<DELETED>Sec. 407. Cybersecurity incentives.
<DELETED>Sec. 408. Recruitment and retention program for the National 
                            Center for Cybersecurity and 
                            Communications.
                   <DELETED>TITLE V--OTHER PROVISIONS

<DELETED>Sec. 501. Consultation on cybersecurity matters.
<DELETED>Sec. 502. Cybersecurity research and development.
<DELETED>Sec. 503. Prioritized critical information infrastructure.
<DELETED>Sec. 504. National Center for Cybersecurity and Communications 
                            acquisition authorities.
<DELETED>Sec. 505. Technical and conforming amendments.

<DELETED>SEC. 3. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Appropriate congressional committees.--The 
        term ``appropriate congressional committees'' means--</DELETED>
                <DELETED>    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;</DELETED>
                <DELETED>    (B) the Committee on Homeland Security of 
                the House of Representatives;</DELETED>
                <DELETED>    (C) the Committee on Oversight and 
                Government Reform of the House of Representatives; 
                and</DELETED>
                <DELETED>    (D) any other congressional committee with 
                jurisdiction over the particular matter.</DELETED>
        <DELETED>    (2) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given that term in section 
        1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).</DELETED>
        <DELETED>    (3) Cyberspace.--The term ``cyberspace'' means the 
        interdependent network of information infrastructure, and 
        includes the Internet, telecommunications networks, computer 
        systems, and embedded processors and controllers in critical 
        industries.</DELETED>
        <DELETED>    (4) Director.--The term ``Director'' means the 
        Director of Cyberspace Policy established under section 
        101.</DELETED>
        <DELETED>    (5) Federal agency.--The term ``Federal agency''--
        </DELETED>
                <DELETED>    (A) means any executive department, 
                Government corporation, Government controlled 
                corporation, or other establishment in the executive 
                branch of the Government (including the Executive 
                Office of the President), or any independent regulatory 
                agency; and</DELETED>
                <DELETED>    (B) does not include the governments of 
                the District of Columbia and of the territories and 
                possessions of the United States and their various 
                subdivisions.</DELETED>
        <DELETED>    (6) Federal information infrastructure.--The term 
        ``Federal information infrastructure''--</DELETED>
                <DELETED>    (A) means information infrastructure that 
                is owned, operated, controlled, or licensed for use by, 
                or on behalf of, any Federal agency, including 
                information systems used or operated by another entity 
                on behalf of a Federal agency; and</DELETED>
                <DELETED>    (B) does not include--</DELETED>
                        <DELETED>    (i) a national security system; 
                        or</DELETED>
                        <DELETED>    (ii) information infrastructure 
                        that is owned, operated, controlled, or 
                        licensed for use by, or on behalf of, the 
                        Department of Defense, a military department, 
                        or another element of the intelligence 
                        community.</DELETED>
        <DELETED>    (7) Incident.--The term ``incident'' means an 
        occurrence that--</DELETED>
                <DELETED>    (A) actually or potentially jeopardizes--
                </DELETED>
                        <DELETED>    (i) the information security of 
                        information infrastructure; or</DELETED>
                        <DELETED>    (ii) the information that 
                        information infrastructure processes, stores, 
                        receives, or transmits; or</DELETED>
                <DELETED>    (B) constitutes a violation or threat of 
                violation of security policies, security procedures, or 
                acceptable use policies applicable to information 
                infrastructure.</DELETED>
        <DELETED>    (8) Information infrastructure.--The term 
        ``information infrastructure'' means the underlying framework 
        that information systems and assets rely on to process, 
        transmit, receive, or store information electronically, 
        including programmable electronic devices and communications 
        networks and any associated hardware, software, or 
        data.</DELETED>
        <DELETED>    (9) Information security.--The term ``information 
        security'' means protecting information and information systems 
        from disruption or unauthorized access, use, disclosure, 
        modification, or destruction in order to provide--</DELETED>
                <DELETED>    (A) integrity, by guarding against 
                improper information modification or destruction, 
                including by ensuring information nonrepudiation and 
                authenticity;</DELETED>
                <DELETED>    (B) confidentiality, by preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and</DELETED>
                <DELETED>    (C) availability, by ensuring timely and 
                reliable access to and use of information.</DELETED>
        <DELETED>    (10) Information technology.--The term 
        ``information technology'' has the meaning given that term in 
        section 11101 of title 40, United States Code.</DELETED>
        <DELETED>    (11) Intelligence community.--The term 
        ``intelligence community'' has the meaning given that term 
        under section 3(4) of the National Security Act of 1947 (50 
        U.S.C. 401a(4)).</DELETED>
        <DELETED>    (12) Key resources.--The term ``key resources'' 
        has the meaning given that term in section 2 of the Homeland 
        Security Act of 2002 (6 U.S.C. 101).</DELETED>
        <DELETED>    (13) National center for cybersecurity and 
        communications.--The term ``National Center for Cybersecurity 
        and Communications'' means the National Center for 
        Cybersecurity and Communications established under section 
        242(a) of the Homeland Security Act of 2002, as added by this 
        Act.</DELETED>
        <DELETED>    (14) National information infrastructure.--The 
        term ``national information infrastructure'' means information 
        infrastructure--</DELETED>
                <DELETED>    (A)(i) that is owned, operated, or 
                controlled within or from the United States; 
                or</DELETED>
                <DELETED>    (ii) if located outside the United States, 
                the disruption of which could result in national or 
                regional catastrophic damage in the United States; 
                and</DELETED>
                <DELETED>    (B) that is not owned, operated, 
                controlled, or licensed for use by a Federal 
                agency.</DELETED>
        <DELETED>    (15) National security system.--The term 
        ``national security system'' has the meaning given that term in 
        section 3551 of title 44, United States Code, as added by this 
        Act.</DELETED>
        <DELETED>    (16) National strategy.--The term ``National 
        Strategy'' means the national strategy to increase the security 
        and resiliency of cyberspace developed under section 
        101(a)(1).</DELETED>
        <DELETED>    (17) Office.--The term ``Office'' means the Office 
        of Cyberspace Policy established under section 101.</DELETED>
        <DELETED>    (18) Risk.--The term ``risk'' means the potential 
        for an unwanted outcome resulting from an incident, as 
        determined by the likelihood of the occurrence of the incident 
        and the associated consequences, including potential for an 
        adverse outcome assessed as a function of threats, 
        vulnerabilities, and consequences associated with an 
        incident.</DELETED>
        <DELETED>    (19) Risk-based security.--The term ``risk-based 
        security'' has the meaning given that term in section 3551 of 
        title 44, United States Code, as added by this Act.</DELETED>

        <DELETED>TITLE I--OFFICE OF CYBERSPACE POLICY</DELETED>

<DELETED>SEC. 101. ESTABLISHMENT OF THE OFFICE OF CYBERSPACE 
              POLICY.</DELETED>

<DELETED>    (a) Establishment of Office.--There is established in the 
Executive Office of the President an Office of Cyberspace Policy which 
shall--</DELETED>
        <DELETED>    (1) develop, not later than 1 year after the date 
        of enactment of this Act, and update as needed, but not less 
        frequently than once every 2 years, a national strategy to 
        increase the security and resiliency of cyberspace, that 
        includes goals and objectives relating to--</DELETED>
                <DELETED>    (A) computer network operations, including 
                offensive activities, defensive activities, and other 
                activities;</DELETED>
                <DELETED>    (B) information assurance;</DELETED>
                <DELETED>    (C) protection of critical infrastructure 
                and key resources;</DELETED>
                <DELETED>    (D) research and development 
                priorities;</DELETED>
                <DELETED>    (E) law enforcement;</DELETED>
                <DELETED>    (F) diplomacy;</DELETED>
                <DELETED>    (G) homeland security; and</DELETED>
                <DELETED>    (H) military and intelligence 
                activities;</DELETED>
        <DELETED>    (2) oversee, coordinate, and integrate all 
        policies and activities of the Federal Government across all 
        instruments of national power relating to ensuring the security 
        and resiliency of cyberspace, including--</DELETED>
                <DELETED>    (A) diplomatic, economic, military, 
                intelligence, homeland security, and law enforcement 
                policies and activities within and among Federal 
                agencies; and</DELETED>
                <DELETED>    (B) offensive activities, defensive 
                activities, and other policies and activities necessary 
                to ensure effective capabilities to operate in 
                cyberspace;</DELETED>
        <DELETED>    (3) ensure that all Federal agencies comply with 
        appropriate guidelines, policies, and directives from the 
        Department of Homeland Security, other Federal agencies with 
        responsibilities relating to cyberspace security or resiliency, 
        and the National Center for Cybersecurity and Communications; 
        and</DELETED>
        <DELETED>    (4) ensure that Federal agencies have access to, 
        receive, and appropriately disseminate law enforcement 
        information, intelligence information, terrorism information, 
        and any other information (including information relating to 
        incidents provided under subsections (a)(4) and (c) of section 
        246 of the Homeland Security Act of 2002, as added by this Act) 
        relevant to--</DELETED>
                <DELETED>    (A) the security of the Federal 
                information infrastructure or the national information 
                infrastructure; and</DELETED>
                <DELETED>    (B) the security of--</DELETED>
                        <DELETED>    (i) information infrastructure 
                        that is owned, operated, controlled, or 
                        licensed for use by, or on behalf of, the 
                        Department of Defense, a military department, 
                        or another element of the intelligence 
                        community; or</DELETED>
                        <DELETED>    (ii) a national security 
                        system.</DELETED>
<DELETED>    (b) Director of Cyberspace Policy.--</DELETED>
        <DELETED>    (1) In general.--There shall be a Director of 
        Cyberspace Policy, who shall be the head of the 
        Office.</DELETED>
        <DELETED>    (2) Executive schedule position.--Section 5312 of 
        title 5, United States Code, is amended by adding at the end 
        the following:</DELETED>
        <DELETED>    ``Director of Cyberspace Policy.''.</DELETED>

<DELETED>SEC. 102. APPOINTMENT AND RESPONSIBILITIES OF THE 
              DIRECTOR.</DELETED>

<DELETED>    (a) Appointment.--</DELETED>
        <DELETED>    (1) In general.--The Director shall be appointed 
        by the President, by and with the advice and consent of the 
        Senate.</DELETED>
        <DELETED>    (2) Qualifications.--The President shall appoint 
        the Director from among individuals who have demonstrated 
        ability and knowledge in information technology, cybersecurity, 
        and the operations, security, and resiliency of communications 
        networks.</DELETED>
        <DELETED>    (3) Prohibition.--No person shall serve as 
        Director while serving in any other position in the Federal 
        Government.</DELETED>
<DELETED>    (b) Responsibilities.--The Director shall--</DELETED>
        <DELETED>    (1) advise the President regarding the 
        establishment of policies, goals, objectives, and priorities 
        for securing the information infrastructure of the 
        Nation;</DELETED>
        <DELETED>    (2) advise the President and other entities within 
        the Executive Office of the President regarding mechanisms to 
        build, and improve the resiliency and efficiency of, the 
        information and communication industry of the Nation, in 
        collaboration with the private sector, while promoting national 
        economic interests;</DELETED>
        <DELETED>    (3) work with Federal agencies to--</DELETED>
                <DELETED>    (A) oversee, coordinate, and integrate the 
                implementation of the National Strategy, including 
                coordination with--</DELETED>
                        <DELETED>    (i) the Department of Homeland 
                        Security;</DELETED>
                        <DELETED>    (ii) the Department of 
                        Defense;</DELETED>
                        <DELETED>    (iii) the Department of 
                        Commerce;</DELETED>
                        <DELETED>    (iv) the Department of 
                        State;</DELETED>
                        <DELETED>    (v) the Department of 
                        Justice;</DELETED>
                        <DELETED>    (vi) the Department of 
                        Energy;</DELETED>
                        <DELETED>    (vii) through the Director of 
                        National Intelligence, the intelligence 
                        community; and</DELETED>
                        <DELETED>    (viii) any other Federal agency 
                        with responsibilities relating to the National 
                        Strategy; and</DELETED>
                <DELETED>    (B) resolve any disputes that arise 
                between Federal agencies relating to the National 
                Strategy or other matters within the responsibility of 
                the Office;</DELETED>
        <DELETED>    (4) if the policies or activities of a Federal 
        agency are not in compliance with the responsibilities of the 
        Federal agency under the National Strategy--</DELETED>
                <DELETED>    (A) notify the Federal agency;</DELETED>
                <DELETED>    (B) transmit a copy of each notification 
                under subparagraph (A) to the President and the 
                appropriate congressional committees; and</DELETED>
                <DELETED>    (C) coordinate the efforts to bring the 
                Federal agency into compliance;</DELETED>
        <DELETED>    (5) ensure the adequacy of protections for privacy 
        and civil liberties in carrying out the responsibilities of the 
        Director under this title, including through consultation with 
        the Privacy and Civil Liberties Oversight Board established 
        under section 1061 of the National Security Intelligence Reform 
        Act of 2004 (42 U.S.C. 2000ee);</DELETED>
        <DELETED>    (6) upon reasonable request, appear before any 
        duly constituted committees of the Senate or of the House of 
        Representatives;</DELETED>
        <DELETED>    (7) recommend to the Office of Management and 
        Budget or the head of a Federal agency actions (including 
        requests to Congress relating to the reprogramming of funds) 
        that the Director determines are necessary to ensure risk-based 
        security of--</DELETED>
                <DELETED>    (A) the Federal information 
                infrastructure;</DELETED>
                <DELETED>    (B) information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community; or</DELETED>
                <DELETED>    (C) a national security system;</DELETED>
        <DELETED>    (8) advise the Administrator of the Office of E-
        Government and Information Technology and the Administrator of 
        the Office of Information and Regulatory Affairs on the 
        development, and oversee the implementation, of policies, 
        principles, standards, guidelines, and budget priorities for 
        information technology functions and activities of the Federal 
        Government;</DELETED>
        <DELETED>    (9) coordinate and ensure, to the maximum extent 
        practicable, that the standards and guidelines developed for 
        national security systems and the standards and guidelines 
        under section 20 of the National Institute of Standards and 
        Technology Act (15 U.S.C. 278g-3) are complementary and 
        unified;</DELETED>
        <DELETED>    (10) in consultation with the Administrator of the 
        Office of Information and Regulatory Affairs, coordinate 
        efforts of Federal agencies relating to the development of 
        regulations, rules, requirements, or other actions applicable 
        to the national information infrastructure to ensure, to the 
        maximum extent practicable, that the efforts are 
        complementary;</DELETED>
        <DELETED>    (11) coordinate the activities of the Office of 
        Science and Technology Policy, the National Economic Council, 
        the Office of Management and Budget, the National Security 
        Council, the Homeland Security Council, and the United States 
        Trade Representative related to the National Strategy and other 
        matters within the purview of the Office; and</DELETED>
        <DELETED>    (12) as assigned by the President, other duties 
        relating to the security and resiliency of 
        cyberspace.</DELETED>

<DELETED>SEC. 103. PROHIBITION ON POLITICAL CAMPAIGNING.</DELETED>

<DELETED>    Section 7323(b)(2)(B) of title 5, United States Code, is 
amended--</DELETED>
        <DELETED>    (1) in clause (i), by striking ``or'' at the 
        end;</DELETED>
        <DELETED>    (2) in clause (ii), by striking the period at the 
        end and inserting ``; or''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
                        <DELETED>    ``(iii) notwithstanding the 
                        exception under subparagraph (A) (relating to 
                        an appointment made by the President, by and 
                        with the advice and consent of the Senate), the 
                        Director of Cyberspace Policy.''.</DELETED>

<DELETED>SEC. 104. REVIEW OF FEDERAL AGENCY BUDGET REQUESTS RELATING TO 
              THE NATIONAL STRATEGY.</DELETED>

<DELETED>    (a) In General.--For each fiscal year, the head of each 
Federal agency shall transmit to the Director a copy of any portion of 
the budget of the Federal agency intended to implement the National 
Strategy at the same time as that budget request is submitted to the 
Office of Management and Budget in the preparation of the budget of the 
President submitted to Congress under section 1105(a) of title 31, 
United States Code.</DELETED>
<DELETED>    (b) Timely Submissions.--The head of each Federal agency 
shall ensure the timely development and submission to the Director of 
each proposed budget under this section, in such format as may be 
designated by the Director with the concurrence of the Director of the 
Office of Management and Budget.</DELETED>
<DELETED>    (c) Adequacy of the Proposed Budget Requests.--With the 
assistance of, and in coordination with, the Office of E-Government and 
Information Technology and the National Center for Cybersecurity and 
Communications, the Director shall review each budget submission to 
assess the adequacy of the proposed request with regard to 
implementation of the National Strategy.</DELETED>
<DELETED>    (d) Inadequate Budget Requests.--If the Director concludes 
that a budget request submitted under subsection (a) is inadequate, in 
whole or in part, to implement the objectives of the National Strategy, 
the Director shall submit to the Director of the Office of Management 
and Budget and the head of the Federal agency submitting the budget 
request a written description of funding levels and specific 
initiatives that would, in the determination of the Director, make the 
request adequate.</DELETED>

<DELETED>SEC. 105. ACCESS TO INTELLIGENCE.</DELETED>

<DELETED>    The Director shall have access to law enforcement 
information, intelligence information, terrorism information, and any 
other information (including information relating to incidents provided 
under subsections (a)(4) and (c) of section 246 of the Homeland 
Security Act of 2002, as added by this Act) that is obtained by, or in 
the possession of, any Federal agency that the Director determines 
relevant to the security of--</DELETED>
        <DELETED>    (1) the Federal information 
        infrastructure;</DELETED>
        <DELETED>    (2) information infrastructure that is owned, 
        operated, controlled, or licensed for use by, or on behalf of, 
        the Department of Defense, a military department, or another 
        element of the intelligence community;</DELETED>
        <DELETED>    (3) a national security system; or</DELETED>
        <DELETED>    (4) national information infrastructure.</DELETED>

<DELETED>SEC. 106. CONSULTATION.</DELETED>

<DELETED>    (a) In General.--The Director may consult and obtain 
recommendations from, as needed, such Presidential and other advisory 
entities as the Director determines will assist in carrying out the 
mission of the Office, including--</DELETED>
        <DELETED>    (1) the National Security Telecommunications 
        Advisory Committee;</DELETED>
        <DELETED>    (2) the National Infrastructure Advisory 
        Council;</DELETED>
        <DELETED>    (3) the Privacy and Civil Liberties Oversight 
        Board;</DELETED>
        <DELETED>    (4) the President's Intelligence Advisory 
        Board;</DELETED>
        <DELETED>    (5) the Critical Infrastructure Partnership 
        Advisory Council; and</DELETED>
        <DELETED>    (6) the National Cybersecurity Advisory Council 
        established under section 239 of the Homeland Security Act of 
        2002, as added by this Act.</DELETED>
<DELETED>    (b) National Strategy.--In developing and updating the 
National Strategy the Director shall consult with the National 
Cybersecurity Advisory Council and, as appropriate, State and local 
governments and private entities.</DELETED>

<DELETED>SEC. 107. REPORTS TO CONGRESS.</DELETED>

<DELETED>    (a) In General.--The Director shall submit an annual 
report to the appropriate congressional committees describing the 
activities, ongoing projects, and plans of the Federal Government 
designed to meet the goals and objectives of the National 
Strategy.</DELETED>
<DELETED>    (b) Classified Annex.--A report submitted under this 
section shall be submitted in an unclassified form, but may include a 
classified annex, if necessary.</DELETED>
<DELETED>    (c) Public Report.--An unclassified version of each report 
submitted under this section shall be made available to the 
public.</DELETED>

       <DELETED>TITLE II--NATIONAL CENTER FOR CYBERSECURITY AND 
                        COMMUNICATIONS</DELETED>

<DELETED>SEC. 201. CYBERSECURITY.</DELETED>

<DELETED>    Title II of the Homeland Security Act of 2002 (6 U.S.C. 
121 et seq.) is amended by adding at the end the following:</DELETED>

             <DELETED>``Subtitle E--Cybersecurity</DELETED>

<DELETED>``SEC. 241. DEFINITIONS.</DELETED>

<DELETED>    ``In this subtitle--</DELETED>
        <DELETED>    ``(1) the term `agency information infrastructure' 
        means the Federal information infrastructure of a particular 
        Federal agency;</DELETED>
        <DELETED>    ``(2) the term `appropriate committees of 
        Congress' means the Committee on Homeland Security and 
        Governmental Affairs of the Senate and the Committee on 
        Homeland Security of the House of Representatives;</DELETED>
        <DELETED>    ``(3) the term `Center' means the National Center 
        for Cybersecurity and Communications established under section 
        242(a);</DELETED>
        <DELETED>    ``(4) the term `covered critical infrastructure' 
        means a system or asset--</DELETED>
                <DELETED>    ``(A) that is on the prioritized critical 
                infrastructure list established by the Secretary under 
                section 210E(a)(2); and</DELETED>
                <DELETED>    ``(B)(i) that is a component of the 
                national information infrastructure; or</DELETED>
                <DELETED>    ``(ii) for which the national information 
                infrastructure is essential to the reliable operation 
                of the system or asset;</DELETED>
        <DELETED>    ``(5) the term `cyber vulnerability' means any 
        security vulnerability that, if exploited, could pose a 
        significant risk of disruption to the operation of information 
        infrastructure essential to the reliable operation of covered 
        critical infrastructure;</DELETED>
        <DELETED>    ``(6) the term `Director' means the Director of 
        the Center appointed under section 242(b)(1);</DELETED>
        <DELETED>    ``(7) the term `Federal agency'--</DELETED>
                <DELETED>    ``(A) means any executive department, 
                military department, Government corporation, Government 
                controlled corporation, or other establishment in the 
                executive branch of the Government (including the 
                Executive Office of the President), or any independent 
                regulatory agency; and</DELETED>
                <DELETED>    ``(B) does not include the governments of 
                the District of Columbia and of the territories and 
                possessions of the United States and their various 
                subdivisions;</DELETED>
        <DELETED>    ``(8) the term `Federal information 
        infrastructure'--</DELETED>
                <DELETED>    ``(A) means information infrastructure 
                that is owned, operated, controlled, or licensed for 
                use by, or on behalf of, any Federal agency, including 
                information systems used or operated by another entity 
                on behalf of a Federal agency; and</DELETED>
                <DELETED>    ``(B) does not include--</DELETED>
                        <DELETED>    ``(i) a national security system; 
                        or</DELETED>
                        <DELETED>    ``(ii) information infrastructure 
                        that is owned, operated, controlled, or 
                        licensed for use by, or on behalf of, the 
                        Department of Defense, a military department, 
                        or another element of the intelligence 
                        community;</DELETED>
        <DELETED>    ``(9) the term `incident' means an occurrence 
        that--</DELETED>
                <DELETED>    ``(A) actually or potentially 
                jeopardizes--</DELETED>
                        <DELETED>    ``(i) the information security of 
                        information infrastructure; or</DELETED>
                        <DELETED>    ``(ii) the information that 
                        information infrastructure processes, stores, 
                        receives, or transmits; or</DELETED>
                <DELETED>    ``(B) constitutes a violation or threat of 
                violation of security policies, security procedures, or 
                acceptable use policies applicable to information 
                infrastructure.</DELETED>
        <DELETED>    ``(10) the term `information infrastructure' means 
        the underlying framework that information systems and assets 
        rely on to process, transmit, receive, or store information 
        electronically, including--</DELETED>
                <DELETED>    ``(A) programmable electronic devices and 
                communications networks; and</DELETED>
                <DELETED>    ``(B) any associated hardware, software, 
                or data;</DELETED>
        <DELETED>    ``(11) the term `information security' means 
        protecting information and information systems from disruption 
        or unauthorized access, use, disclosure, modification, or 
        destruction in order to provide--</DELETED>
                <DELETED>    ``(A) integrity, by guarding against 
                improper information modification or destruction, 
                including by ensuring information nonrepudiation and 
                authenticity;</DELETED>
                <DELETED>    ``(B) confidentiality, by preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and</DELETED>
                <DELETED>    ``(C) availability, by ensuring timely and 
                reliable access to and use of information;</DELETED>
        <DELETED>    ``(12) the term `information sharing and analysis 
        center' means a self-governed forum whose members work together 
        within a specific sector of critical infrastructure to 
        identify, analyze, and share with other members and the Federal 
        Government critical information relating to threats, 
        vulnerabilities, or incidents to the security and resiliency of 
        the critical infrastructure that comprises the specific 
        sector;</DELETED>
        <DELETED>    ``(13) the term `information system' has the 
        meaning given that term in section 3502 of title 44, United 
        States Code;</DELETED>
        <DELETED>    ``(14) the term `intelligence community' has the 
        meaning given that term in section 3(4) of the National 
        Security Act of 1947 (50 U.S.C. 401a(4));</DELETED>
        <DELETED>    ``(15) the term `management controls' means 
        safeguards or countermeasures for an information system that 
        focus on the management of risk and the management of 
        information system security;</DELETED>
        <DELETED>    ``(16) the term `National Cybersecurity Advisory 
        Council' means the National Cybersecurity Advisory Council 
        established under section 239;</DELETED>
        <DELETED>    ``(17) the term `national cyber emergency' means 
        an actual or imminent action by any individual or entity to 
        exploit a cyber vulnerability in a manner that disrupts, 
        attempts to disrupt, or poses a significant risk of disruption 
        to the operation of the information infrastructure essential to 
        the reliable operation of covered critical 
        infrastructure;</DELETED>
        <DELETED>    ``(18) the term `national information 
        infrastructure' means information infrastructure--</DELETED>
                <DELETED>    ``(A)(i) that is owned, operated, or 
                controlled within or from the United States; 
                or</DELETED>
                <DELETED>    ``(ii) if located outside the United 
                States, the disruption of which could result in 
                national or regional catastrophic damage in the United 
                States; and</DELETED>
                <DELETED>    ``(B) that is not owned, operated, 
                controlled, or licensed for use by a Federal 
                agency;</DELETED>
        <DELETED>    ``(19) the term `national security system' has the 
        same meaning given that term in section 3551 of title 44, 
        United States Code;</DELETED>
        <DELETED>    ``(20) the term `operational controls' means the 
        safeguards and countermeasures for an information system that 
        are primarily implemented and executed by individuals, not 
        systems;</DELETED>
        <DELETED>    ``(21) the term `sector-specific agency' means the 
        relevant Federal agency responsible for infrastructure 
        protection activities in a designated critical infrastructure 
        sector or key resources category under the National 
        Infrastructure Protection Plan, or any other appropriate 
        Federal agency identified by the President after the date of 
        enactment of this subtitle;</DELETED>
        <DELETED>    ``(22) the term `sector coordinating councils' 
        means self-governed councils that are composed of 
        representatives of key stakeholders within a specific sector of 
        critical infrastructure that serve as the principal private 
        sector policy coordination and planning entities with the 
        Federal Government relating to the security and resiliency of 
        the critical infrastructure that comprises that 
        sector;</DELETED>
        <DELETED>    ``(23) the term `security controls' means the 
        management, operational, and technical controls prescribed for 
        an information system to protect the information security of 
        the system;</DELETED>
        <DELETED>    ``(24) the term `small business concern' has the 
        meaning given that term under section 3 of the Small Business 
        Act (15 U.S.C. 632);</DELETED>
        <DELETED>    ``(25) the term `technical controls' means the 
        safeguards or countermeasures for an information system that 
        are primarily implemented and executed by the information 
        system through mechanisms contained in the hardware, software, 
        or firmware components of the system;</DELETED>
        <DELETED>    ``(26) the term `terrorism information' has the 
        meaning given that term in section 1016 of the Intelligence 
        Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 
        485);</DELETED>
        <DELETED>    ``(27) the term `United States person' has the 
        meaning given that term in section 101 of the Foreign 
        Intelligence Surveillance Act of 1978 (50 U.S.C. 1801); 
        and</DELETED>
        <DELETED>    ``(28) the term `US-CERT' means the United States 
        Computer Readiness Team established under section 
        244.</DELETED>

<DELETED>``SEC. 242. NATIONAL CENTER FOR CYBERSECURITY AND 
              COMMUNICATIONS.</DELETED>

<DELETED>    ``(a) Establishment.--</DELETED>
        <DELETED>    ``(1) In general.--There is established within the 
        Department a National Center for Cybersecurity and 
        Communications.</DELETED>
        <DELETED>    ``(2) Operational entity.--The Center may--</DELETED>
                <DELETED>    ``(A) enter into contracts for the 
                procurement of property and services for the Center; 
                and</DELETED>
                <DELETED>    ``(B) appoint employees of the Center in 
                accordance with the civil service laws of the United 
                States.</DELETED>
<DELETED>    ``(b) Director.--</DELETED>
        <DELETED>    ``(1) In general.--The Center shall be headed by a 
        Director, who shall be appointed by the President, by and with 
        the advice and consent of the Senate.</DELETED>
        <DELETED>    ``(2) Reporting to secretary.--The Director shall 
        report directly to the Secretary and serve as the principal 
        advisor to the Secretary on cybersecurity and the operations, 
        security, and resiliency of the communications infrastructure 
        of the United States.</DELETED>
        <DELETED>    ``(3) Presidential advice.--The Director shall 
        regularly advise the President on the exercise of the 
        authorities provided under this subtitle or any other provision 
        of law relating to the security of the Federal information 
        infrastructure or an agency information 
        infrastructure.</DELETED>
        <DELETED>    ``(4) Qualifications.--The Director shall be 
        appointed from among individuals who have--</DELETED>
                <DELETED>    ``(A) a demonstrated ability in and 
                knowledge of information technology, cybersecurity, and 
                the operations, security, and resiliency of 
                communications networks; and</DELETED>
                <DELETED>    ``(B) significant executive leadership and 
                management experience in the public or private 
                sector.</DELETED>
        <DELETED>    ``(5) Limitation on service.--</DELETED>
                <DELETED>    ``(A) In general.--Subject to subparagraph 
                (B), the individual serving as the Director may not, 
                while so serving, serve in any other capacity in the 
                Federal Government, except to the extent that the 
                individual serving as Director is doing so in an acting 
                capacity.</DELETED>
                <DELETED>    ``(B) Exception.--The Director may serve 
                on any commission, board, council, or similar entity 
                with responsibilities or duties relating to 
                cybersecurity or the operations, security, and 
                resiliency of the communications infrastructure of the 
                United States at the direction of the President or as 
                otherwise provided by law.</DELETED>
<DELETED>    ``(c) Deputy Directors.--</DELETED>
        <DELETED>    ``(1) In general.--There shall be not less than 2 
        Deputy Directors for the Center, who shall report to the 
        Director.</DELETED>
        <DELETED>    ``(2) Infrastructure protection.--</DELETED>
                <DELETED>    ``(A) Appointment.--There shall be a 
                Deputy Director appointed by the Secretary, who shall 
                have expertise in infrastructure protection.</DELETED>
                <DELETED>    ``(B) Responsibilities.--The Deputy 
                Director appointed under subparagraph (A) shall--</DELETED>
                        <DELETED>    ``(i) assist the Director and the 
                        Assistant Secretary for Infrastructure 
                        Protection in coordinating, managing, and 
                        directing the information, communications, and 
                        physical infrastructure protection 
                        responsibilities and activities of the 
                        Department, including activities under Homeland 
                        Security Presidential Directive-7, or any 
                        successor thereto, and the National 
                        Infrastructure Protection Plan, or any 
                        successor thereto;</DELETED>
                        <DELETED>    ``(ii) review the budget for the 
                        Center and the Office of Infrastructure 
                        Protection before submission of the budget to 
                        the Secretary to ensure that activities are 
                        appropriately coordinated;</DELETED>
                        <DELETED>    ``(iii) develop, update 
                        periodically, and submit to the appropriate 
                        committees of Congress a strategic plan 
                        detailing how critical infrastructure 
                        protection activities will be coordinated 
                        between the Center, the Office of 
                        Infrastructure Protection, and the private 
                        sector;</DELETED>
                        <DELETED>    ``(iv) subject to the direction of 
                        the Director, resolve conflicts between the 
                        Center and the Office of Infrastructure 
                        Protection relating to the information, 
                        communications, and physical infrastructure 
                        protection responsibilities of the Center and 
                        the Office of Infrastructure Protection; 
                        and</DELETED>
                        <DELETED>    ``(v) perform such other duties as 
                        the Director may assign.</DELETED>
                <DELETED>    ``(C) Annual evaluation.--The Assistant 
                Secretary for Infrastructure Protection shall submit 
                annually to the Director an evaluation of the 
                performance of the Deputy Director appointed under 
                subparagraph (A).</DELETED>
        <DELETED>    ``(3) Intelligence community.--The Director of 
        National Intelligence shall identify an employee of an element 
        of the intelligence community to serve as a Deputy Director of 
        the Center. The employee shall be detailed to the Center on a 
        reimbursable basis for such period as is agreed to by the 
        Director and the Director of National Intelligence, and, while 
        serving as Deputy Director, shall report directly to the 
        Director of the Center.</DELETED>
<DELETED>    ``(d) Liaison Officers.--The Secretary of Defense, the 
Attorney General, the Secretary of Commerce, and the Director of 
National Intelligence shall detail personnel to the Center to act as 
full-time liaisons with the Department of Defense, the Department of 
Justice, the National Institute of Standards and Technology, and 
elements of the intelligence community to assist in coordination 
between and among the Center, the Department of Defense, the Department 
of Justice, the National Institute of Standards and Technology, and 
elements of the intelligence community.</DELETED>
<DELETED>    ``(e) Privacy Officer.--</DELETED>
        <DELETED>    ``(1) In general.--The Director, in consultation 
        with the Secretary, shall designate a full-time privacy 
        officer, who shall report to the Director.</DELETED>
        <DELETED>    ``(2) Duties.--The privacy officer designated 
        under paragraph (1) shall have primary responsibility for 
        implementation by the Center of the privacy policy for the 
        Department established by the Privacy Officer appointed under 
        section 222.</DELETED>
<DELETED>    ``(f) Duties of Director.--</DELETED>
        <DELETED>    ``(1) In general.--The Director shall--</DELETED>
                <DELETED>    ``(A) working cooperatively with the 
                private sector, lead the Federal effort to secure, 
                protect, and ensure the resiliency of the Federal 
                information infrastructure and national information 
                infrastructure of the United States, including 
                communications networks;</DELETED>
                <DELETED>    ``(B) assist in the identification, 
                remediation, and mitigation of vulnerabilities to the 
                Federal information infrastructure and the national 
                information infrastructure;</DELETED>
                <DELETED>    ``(C) provide dynamic, comprehensive, and 
                continuous situational awareness of the security status 
                of the Federal information infrastructure, national 
                information infrastructure, and information 
                infrastructure that is owned, operated, controlled, or 
                licensed for use by, or on behalf of, the Department of 
                Defense, a military department, or another element of 
                the intelligence community by sharing and integrating 
                classified and unclassified information, including 
                information relating to threats, vulnerabilities, 
                traffic, trends, incidents, and other anomalous 
                activities affecting the infrastructure or systems, on 
                a routine and continuous basis with--</DELETED>
                        <DELETED>    ``(i) the National Threat 
                        Operations Center of the National Security 
                        Agency;</DELETED>
                        <DELETED>    ``(ii) the United States Cyber 
                        Command, including the Joint Task Force-Global 
                        Network Operations;</DELETED>
                        <DELETED>    ``(iii) the Cyber Crime Center of 
                        the Department of Defense;</DELETED>
                        <DELETED>    ``(iv) the National Cyber 
                        Investigative Joint Task Force;</DELETED>
                        <DELETED>    ``(v) the Intelligence Community 
                        Incident Response Center;</DELETED>
                        <DELETED>    ``(vi) any other Federal agency, 
                        or component thereof, identified by the 
                        Director; and</DELETED>
                        <DELETED>    ``(vii) any non-Federal entity, 
                        including, where appropriate, information 
                        sharing and analysis centers, identified by the 
                        Director, with the concurrence of the owner or 
                        operator of that entity and consistent with 
                        applicable law;</DELETED>
                <DELETED>    ``(D) work with the entities described in 
                subparagraph (C) to establish policies and procedures 
                that enable information sharing between and among the 
                entities;</DELETED>
                <DELETED>    ``(E) develop, in coordination with the 
                Assistant Secretary for Infrastructure Protection, 
                other Federal agencies, the private sector, and State 
                and local governments, a national incident response 
                plan that details the roles of Federal agencies, State 
                and local governments, and the private sector, 
                including plans to be executed in response to a 
                declaration of a national cyber emergency by the 
                President under section 249;</DELETED>
                <DELETED>    ``(F) conduct risk-based assessments of 
                the Federal information infrastructure with respect to 
                acts of terrorism, natural disasters, and other large-
                scale disruptions and provide the results of the 
                assessments to the Director of Cyberspace 
                Policy;</DELETED>
                <DELETED>    ``(G) develop, oversee the implementation 
                of, and enforce policies, principles, and guidelines on 
                information security for the Federal information 
                infrastructure, including timely adoption of and 
                compliance with standards developed by the National 
                Institute of Standards and Technology under section 20 
                of the National Institute of Standards and Technology 
                Act (15 U.S.C. 278g-3);</DELETED>
                <DELETED>    ``(H) provide assistance to the National 
                Institute of Standards and Technology in developing 
                standards under section 20 of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-
                3);</DELETED>
                <DELETED>    ``(I) provide to Federal agencies 
                mandatory security controls to mitigate and remediate 
                vulnerabilities of and incidents affecting the Federal 
                information infrastructure;</DELETED>
                <DELETED>    ``(J) subject to paragraph (2), and as 
                needed, assist the Director of the Office of Management 
                and Budget and the Director of Cyberspace Policy in 
                conducting analysis and prioritization of budgets, 
                relating to the security of the Federal information 
                infrastructure;</DELETED>
                <DELETED>    ``(K) in accordance with section 253, 
                develop, periodically update, and implement a supply 
                chain risk management strategy to enhance, in a risk-
                based and cost-effective manner, the security of the 
                communications and information technology products and 
                services purchased by the Federal Government;</DELETED>
                <DELETED>    ``(L) notify the Director of Cyberspace 
                Policy of any incident involving the Federal 
                information infrastructure, information infrastructure 
                that is owned, operated, controlled, or licensed for 
                use by, or on behalf of, the Department of Defense, a 
                military department, or another element of the 
                intelligence community, or the national information 
                infrastructure that could compromise or significantly 
                affect economic or national security;</DELETED>
                <DELETED>    ``(M) consult, in coordination with the 
                Director of Cyberspace Policy, with appropriate 
                international partners to enhance the security of the 
                Federal information infrastructure and national 
                information infrastructure;</DELETED>
                <DELETED>    ``(N)(i) coordinate and integrate 
                information to analyze the composite security state of 
                the Federal information infrastructure and information 
                infrastructure that is owned, operated, controlled, or 
                licensed for use by, or on behalf of, the Department of 
                Defense, a military department, or another element of 
                the intelligence community;</DELETED>
                <DELETED>    ``(ii) ensure the information required 
                under clause (i) and section 3553(c)(1)(A) of title 44, 
                United States Code, including the views of the Director 
                on the adequacy and effectiveness of information 
                security throughout the Federal information 
                infrastructure and information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community, is available on an automated and continuous 
                basis through the system maintained under section 
                3552(a)(3)(D) of title 44, United States 
                Code;</DELETED>
                <DELETED>    ``(iii) in conjunction with the 
                quadrennial homeland security review required under 
                section 707, and at such other times determined 
                appropriate by the Director, analyze the composite 
                security state of the national information 
                infrastructure and submit to the President, Congress, 
                and the Secretary a report regarding actions necessary 
                to enhance the composite security state of the national 
                information infrastructure based on the analysis; 
                and</DELETED>
                <DELETED>    ``(iv) foster collaboration and serve as 
                the primary contact between the Federal Government, 
                State and local governments, and private entities on 
                matters relating to the security of the Federal 
                information infrastructure and the national information 
                infrastructure;</DELETED>
                <DELETED>    ``(O) oversee the development, 
                implementation, and management of security requirements 
                for Federal agencies relating to the external access 
                points to or from the Federal information 
                infrastructure;</DELETED>
                <DELETED>    ``(P) establish, develop, and oversee the 
                capabilities and operations within the US-CERT as 
                required by section 244;</DELETED>
                <DELETED>    ``(Q) oversee the operations of the 
                National Communications System, as described in 
                Executive Order 12472 (49 Fed. Reg. 13471; relating to 
                the assignment of national security and emergency 
                preparedness telecommunications functions), as amended 
                by Executive Order 13286 (68 Fed. Reg. 10619) and 
                Executive Order 13407 (71 Fed. Reg. 36975), or any 
                successor thereto, including planning for and providing 
                communications for the Federal Government under all 
                circumstances, including crises, emergencies, attacks, 
                recoveries, and reconstitutions;</DELETED>
                <DELETED>    ``(R) ensure, in coordination with the 
                privacy officer designated under subsection (e), the 
                Privacy Officer appointed under section 222, and the 
                Director of the Office of Civil Rights and Civil 
                Liberties appointed under section 705, that the 
                activities of the Center comply with all policies, 
                regulations, and laws protecting the privacy and civil 
                liberties of United States persons;</DELETED>
                <DELETED>    ``(S) subject to the availability of 
                resources, and at the discretion of the Director, 
                provide voluntary technical assistance--</DELETED>
                        <DELETED>    ``(i) at the request of an owner 
                        or operator of covered critical infrastructure, 
                        to assist the owner or operator in complying 
                        with sections 248 and 249, including 
                        implementing required security or emergency 
                        measures and developing response plans for 
                        national cyber emergencies declared under 
                        section 249; and</DELETED>
                        <DELETED>    ``(ii) at the request of the owner 
                        or operator of national information 
                        infrastructure that is not covered critical 
                        infrastructure, and based on risk, to assist 
                        the owner or operator in implementing best 
                        practices, and related standards and 
                        guidelines, recommended under section 247 and 
                        other measures necessary to mitigate or 
                        remediate vulnerabilities of the information 
                        infrastructure and the consequences of efforts 
                        to exploit the vulnerabilities;</DELETED>
                <DELETED>    ``(T)(i) conduct, in consultation with the 
                National Cybersecurity Advisory Council, the head of 
                appropriate sector-specific agencies, and any private 
                sector entity determined appropriate by the Director, 
                risk-based assessments of national information 
                infrastructure, on a sector-by-sector basis, with 
                respect to acts of terrorism, natural disasters, and 
                other large-scale disruptions or financial harm, which 
                shall identify and prioritize risks to the national 
                information infrastructure, including vulnerabilities 
                and associated consequences; and</DELETED>
                <DELETED>    ``(ii) coordinate and evaluate the 
                mitigation or remediation of cyber vulnerabilities and 
                consequences identified under clause (i);</DELETED>
                <DELETED>    ``(U) regularly evaluate and assess 
                technologies designed to enhance the protection of the 
                Federal information infrastructure and national 
                information infrastructure, including an assessment of 
                the cost-effectiveness of the technologies;</DELETED>
                <DELETED>    ``(V) promote the use of the best 
                practices recommended under section 247 to State and 
                local governments and the private sector;</DELETED>
                <DELETED>    ``(W) develop and implement outreach and 
                awareness programs on cybersecurity, including--</DELETED>
                        <DELETED>    ``(i) a public education campaign 
                        to increase the awareness of cybersecurity, 
                        cyber safety, and cyber ethics, which shall 
                        include use of the Internet, social media, 
                        entertainment, and other media to reach the 
                        public;</DELETED>
                        <DELETED>    ``(ii) an education campaign to 
                        increase the understanding of State and local 
                        governments and private sector entities of the 
                        costs of failing to ensure effective security 
                        of information infrastructure and cost-
                        effective methods to mitigate and remediate 
                        vulnerabilities; and</DELETED>
                        <DELETED>    ``(iii) outcome-based performance 
                        measures to determine the success of the 
                        programs;</DELETED>
                <DELETED>    ``(X) develop and implement a national 
                cybersecurity exercise program that includes--</DELETED>
                        <DELETED>    ``(i) the participation of State 
                        and local governments, international partners 
                        of the United States, and the private sector; 
                        and</DELETED>
                        <DELETED>    ``(ii) an after action report 
                        analyzing lessons learned from exercises and 
                        identifying vulnerabilities to be remediated or 
                        mitigated;</DELETED>
                <DELETED>    ``(Y) coordinate with the Assistant 
                Secretary for Infrastructure Protection to ensure 
                that--</DELETED>
                        <DELETED>    ``(i) cybersecurity is 
                        appropriately addressed in carrying out the 
                        infrastructure protection responsibilities 
                        described in section 201(d); and</DELETED>
                        <DELETED>    ``(ii) the operations of the 
                        Center and the Office of Infrastructure 
                        Protection avoid duplication and use, to the 
                        maximum extent practicable, joint mechanisms 
                        for information sharing and coordination with 
                        the private sector;</DELETED>
                <DELETED>    ``(Z) oversee the activities of the Office 
                of Emergency Communications established under section 
                1801; and</DELETED>
                <DELETED>    ``(AA) perform such other duties as the 
                Secretary may direct relating to the security and 
                resiliency of the information and communications 
                infrastructure of the United States.</DELETED>
        <DELETED>    ``(2) Budget analysis.--In conducting analysis and 
        prioritization of budgets under paragraph (1)(J), the 
        Director--</DELETED>
                <DELETED>    ``(A) in coordination with the Director of 
                the Office of Management and Budget, may access 
                information from any Federal agency regarding the 
                finances, budget, and programs of the Federal agency 
                relevant to the security of the Federal information 
                infrastructure;</DELETED>
                <DELETED>    ``(B) may make recommendations to the 
                Director of the Office of Management and Budget and the 
                Director of Cyberspace Policy regarding the budget for 
                each Federal agency to ensure that adequate funding is 
                devoted to securing the Federal information 
                infrastructure, in accordance with policies, 
                principles, and guidelines established by the Director 
                under this subtitle; and</DELETED>
                <DELETED>    ``(C) shall provide copies of any 
                recommendations made under subparagraph (B) to--
                </DELETED>
                        <DELETED>    ``(i) the Committee on 
                        Appropriations of the Senate;</DELETED>
                        <DELETED>    ``(ii) the Committee on 
                        Appropriations of the House of Representatives; 
                        and</DELETED>
                        <DELETED>    ``(iii) the appropriate committees 
                        of Congress.</DELETED>
<DELETED>    ``(g) Use of Mechanisms for Collaboration.--In carrying 
out the responsibilities and authorities of the Director under this 
subtitle, to the maximum extent practicable, the Director shall use 
mechanisms for collaboration and information sharing (including 
mechanisms relating to the identification and communication of threats, 
vulnerabilities, and associated consequences) established by other 
components of the Department or other Federal agencies to avoid 
unnecessary duplication or waste.</DELETED>
<DELETED>    ``(h) Sufficiency of Resources Plan.--</DELETED>
        <DELETED>    ``(1) Report.--Not later than 120 days after the 
        date of enactment of this subtitle, the Director of the Office 
        of Management and Budget shall submit to the appropriate 
        committees of Congress and the Comptroller General of the 
        United States a report on the resources and staff necessary to 
        carry out fully the responsibilities under this 
        subtitle.</DELETED>
        <DELETED>    ``(2) Comptroller general review.--</DELETED>
                <DELETED>    ``(A) In general.--The Comptroller General 
                of the United States shall evaluate the reasonableness 
                and adequacy of the report submitted by the Director 
                under paragraph (1).</DELETED>
                <DELETED>    ``(B) Report.--Not later than 60 days 
                after the date on which the report is submitted under 
                paragraph (1), the Comptroller General shall submit to 
                the appropriate committees of Congress a report 
                containing the findings of the review under 
                subparagraph (A).</DELETED>
<DELETED>    ``(i) Functions Transferred.--There are transferred to the 
Center the National Cyber Security Division, the Office of Emergency 
Communications, and the National Communications System, including all 
the functions, personnel, assets, authorities, and liabilities of the 
National Cyber Security Division and the National Communications 
System.</DELETED>

<DELETED>``SEC. 243. PHYSICAL AND CYBER INFRASTRUCTURE 
              COLLABORATION.</DELETED>

<DELETED>    ``(a) In General.--The Director and the Assistant 
Secretary for Infrastructure Protection shall coordinate the 
information, communications, and physical infrastructure protection 
responsibilities and activities of the Center and the Office of 
Infrastructure Protection.</DELETED>
<DELETED>    ``(b) Oversight.--The Secretary shall ensure that the 
coordination described in subsection (a) occurs.</DELETED>

<DELETED>``SEC. 244. UNITED STATES COMPUTER EMERGENCY READINESS 
              TEAM.</DELETED>

<DELETED>    ``(a) Establishment of Office.--There is established 
within the Center, the United States Computer Emergency Readiness Team, 
which shall be headed by a Director, who shall be selected from the 
Senior Executive Service by the Secretary.</DELETED>
<DELETED>    ``(b) Responsibilities.--The US-CERT shall--</DELETED>
        <DELETED>    ``(1) collect, coordinate, and disseminate 
        information on--</DELETED>
                <DELETED>    ``(A) risks to the Federal information 
                infrastructure, information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community, or the national information infrastructure; 
                and</DELETED>
                <DELETED>    ``(B) security controls to enhance the 
                security of the Federal information infrastructure or 
                the national information infrastructure against the 
                risks identified in subparagraph (A); and</DELETED>
        <DELETED>    ``(2) establish a mechanism for engagement with 
        the private sector.</DELETED>
<DELETED>    ``(c) Monitoring, Analysis, Warning, and Response.--
</DELETED>
        <DELETED>    ``(1) Duties.--Subject to paragraph (2), the US-
        CERT shall--</DELETED>
                <DELETED>    ``(A) provide analysis and reports to 
                Federal agencies on the security of the Federal 
                information infrastructure;</DELETED>
                <DELETED>    ``(B) provide continuous, automated 
                monitoring of the Federal information infrastructure at 
                external Internet access points, which shall include 
                detection and warning of threats, vulnerabilities, 
                traffic, trends, incidents, and other anomalous 
                activities affecting the information security of the 
                Federal information infrastructure;</DELETED>
                <DELETED>    ``(C) warn Federal agencies of threats, 
                vulnerabilities, incidents, and anomalous activities 
                that could affect the Federal information 
                infrastructure;</DELETED>
                <DELETED>    ``(D) develop, recommend, and deploy 
                security controls to mitigate or remediate 
                vulnerabilities;</DELETED>
                <DELETED>    ``(E) support Federal agencies in 
                conducting risk assessments of the agency information 
                infrastructure;</DELETED>
                <DELETED>    ``(F) disseminate to Federal agencies risk 
                analyses of incidents that could impair the risk-based 
                security of the Federal information 
                infrastructure;</DELETED>
                <DELETED>    ``(G) develop and acquire predictive 
                analytic tools to evaluate threats, vulnerabilities, 
                traffic, trends, incidents, and anomalous 
                activities;</DELETED>
                <DELETED>    ``(H) aid in the detection of, and warn 
                owners or operators of national information 
                infrastructure regarding, threats, vulnerabilities, and 
                incidents, affecting the national information 
                infrastructure, including providing--</DELETED>
                        <DELETED>    ``(i) timely, targeted, and 
                        actionable notifications of threats, 
                        vulnerabilities, and incidents; and</DELETED>
                        <DELETED>    ``(ii) recommended security 
                        controls to mitigate or remediate 
                        vulnerabilities; and</DELETED>
                <DELETED>    ``(I) respond to assistance requests from 
                Federal agencies and, subject to the availability of 
                resources, owners or operators of the national 
                information infrastructure to--</DELETED>
                        <DELETED>    ``(i) isolate, mitigate, or 
                        remediate incidents;</DELETED>
                        <DELETED>    ``(ii) recover from damages and 
                        mitigate or remediate vulnerabilities; 
                        and</DELETED>
                        <DELETED>    ``(iii) evaluate security controls 
                        and other actions taken to secure information 
                        infrastructure and incorporate lessons learned 
                        into best practices, policies, principles, and 
                        guidelines.</DELETED>
        <DELETED>    ``(2) Requirement.--With respect to the Federal 
        information infrastructure, the US-CERT shall conduct the 
        activities described in paragraph (1) in a manner consistent 
        with the responsibilities of the head of a Federal agency 
        described in section 3553 of title 44, United States 
        Code.</DELETED>
        <DELETED>    ``(3) Report.--Not later than 1 year after the 
        date of enactment of this subtitle, and every year thereafter, 
        the Secretary shall--</DELETED>
                <DELETED>    ``(A) in conjunction with the Inspector 
                General of the Department, conduct an independent audit 
                or review of the activities of the US-CERT under 
                paragraph (1)(B); and</DELETED>
                <DELETED>    ``(B) submit to the appropriate committees 
                of Congress and the President a report regarding the 
                audit or report.</DELETED>
<DELETED>    ``(d) Procedures for Federal Government.--Not later than 
90 days after the date of enactment of this subtitle, the head of each 
Federal agency shall establish procedures for the Federal agency that 
ensure that the US-CERT can perform the functions described in 
subsection (c) in relation to the Federal agency.</DELETED>
<DELETED>    ``(e) Operational Updates.--The US-CERT shall provide 
unclassified and, as appropriate, classified updates regarding the 
composite security state of the Federal information infrastructure to 
the Federal Information Security Taskforce.</DELETED>
<DELETED>    ``(f) Federal Points of Contact.--The Director of the US-
CERT shall designate a principal point of contact within the US-CERT 
for each Federal agency to--</DELETED>
        <DELETED>    ``(1) maintain communication;</DELETED>
        <DELETED>    ``(2) ensure cooperative engagement and 
        information sharing; and</DELETED>
        <DELETED>    ``(3) respond to inquiries or requests.</DELETED>
<DELETED>    ``(g) Requests for Information or Physical Access.--
</DELETED>
        <DELETED>    ``(1) Information access.--Upon request of the 
        Director of the US-CERT, the head of a Federal agency or an 
        Inspector General for a Federal agency shall provide any law 
        enforcement information, intelligence information, terrorism 
        information, or any other information (including information 
        relating to incidents provided under subsections (a)(4) and (c) 
        of section 246) relevant to the security of the Federal 
        information infrastructure or the national information 
        infrastructure necessary to carry out the duties, 
        responsibilities, and authorities under this 
        subtitle.</DELETED>
        <DELETED>    ``(2) Physical access.--Upon request of the 
        Director, and in consultation with the head of a Federal 
        agency, the Federal agency shall provide physical access to any 
        facility of the Federal agency necessary to determine whether 
        the Federal agency is in compliance with any policies, 
        principles, and guidelines established by the Director under 
        this subtitle, or otherwise necessary to carry out the duties, 
        responsibilities, and authorities of the Director applicable to 
        the Federal information infrastructure.</DELETED>

<DELETED>``SEC. 245. ADDITIONAL AUTHORITIES OF THE DIRECTOR OF THE 
              NATIONAL CENTER FOR CYBERSECURITY AND 
              COMMUNICATIONS.</DELETED>

<DELETED>    ``(a) Access to Information.--Unless otherwise directed by 
the President--</DELETED>
        <DELETED>    ``(1) the Director shall access, receive, and 
        analyze law enforcement information, intelligence information, 
        terrorism information, and any other information (including 
        information relating to incidents provided under subsections 
        (a)(4) and (c) of section 246) relevant to the security of the 
        Federal information infrastructure, information infrastructure 
        that is owned, operated, controlled, or licensed for use by, or 
        on behalf of, the Department of Defense, a military department, 
        or another element of the intelligence community, or national 
        information infrastructure from Federal agencies and, 
        consistent with applicable law, State and local governments 
        (including law enforcement agencies), and private entities, 
        including information provided by any contractor to a Federal 
        agency regarding the security of the agency information 
        infrastructure;</DELETED>
        <DELETED>    ``(2) any Federal agency in possession of law 
        enforcement information, intelligence information, terrorism 
        information, or any other information (including information 
        relating to incidents provided under subsections (a)(4) and (c) 
        of section 246) relevant to the security of the Federal 
        information infrastructure, information infrastructure that is 
        owned, operated, controlled, or licensed for use by, or on 
        behalf of, the Department of Defense, a military department, or 
        another element of the intelligence community, or national 
        information infrastructure shall provide that information to 
        the Director in a timely manner; and</DELETED>
        <DELETED>    ``(3) the Director, in coordination with the 
        Attorney General, the Privacy and Civil Liberties Oversight 
        Board established under section 1061 of the National Security 
        Intelligence Reform Act of 2004 (42 U.S.C. 2000ee), the 
        Director of National Intelligence, and the Archivist of the 
        United States, shall establish guidelines to ensure that 
        information is transferred, stored, and preserved in accordance 
        with applicable law and in a manner that protects the privacy 
        and civil liberties of United States persons.</DELETED>
<DELETED>    ``(b) Operational Evaluations.--</DELETED>
        <DELETED>    ``(1) In general.--The Director--</DELETED>
                <DELETED>    ``(A) subject to paragraph (2), shall 
                develop, maintain, and enhance capabilities to evaluate 
                the security of the Federal information infrastructure 
                as described in section 3554(a)(3) of title 44, United 
                States Code, including the ability to conduct risk-
                based penetration testing and vulnerability 
                assessments;</DELETED>
                <DELETED>    ``(B) in carrying out subparagraph (A), 
                may request technical assistance from the Director of 
                the Federal Bureau of Investigation, the Director of 
                the National Security Agency, the head of any other 
                Federal agency that may provide support, and any 
                nongovernmental entity contracting with the Department 
                or another Federal agency; and</DELETED>
                <DELETED>    ``(C) in consultation with the Attorney 
                General and the Privacy and Civil Liberties Oversight 
                Board established under section 1061 of the National 
                Security Intelligence Reform Act of 2004 (42 U.S.C. 
                2000ee), shall develop guidelines to ensure compliance 
                with all applicable laws relating to the privacy of 
                United States persons in carrying out the operational 
                evaluations under subparagraph (A).</DELETED>
        <DELETED>    ``(2) Operational evaluations.--</DELETED>
                <DELETED>    ``(A) In general.--The Director may 
                conduct risk-based operational evaluations of the 
                agency information infrastructure of any Federal 
                agency, at a time determined by the Director, in 
                consultation with the head of the Federal agency, using 
                the capabilities developed under paragraph 
                (1)(A).</DELETED>
                <DELETED>    ``(B) Annual evaluation requirement.--If 
                the Director conducts an operational evaluation under 
                subparagraph (A) or an operational evaluation at the 
                request of a Federal agency to meet the requirements of 
                section 3554 of title 44, United States Code, the 
                operational evaluation shall satisfy the requirements 
                of section 3554 for the Federal agency for the year of 
                the evaluation, unless otherwise specified by the 
                Director.</DELETED>
<DELETED>    ``(c) Corrective Measures and Mitigation Plans.--If the 
Director determines that a Federal agency is not in compliance with 
applicable policies, principles, standards, and guidelines applicable 
to the Federal information infrastructure--</DELETED>
        <DELETED>    ``(1) the Director, in consultation with the 
        Director of the Office of Management and Budget, may direct the 
        head of the Federal agency to--</DELETED>
                <DELETED>    ``(A) take corrective measures to meet the 
                policies, principles, standards, and guidelines; 
                and</DELETED>
                <DELETED>    ``(B) develop a plan to remediate or 
                mitigate any vulnerabilities addressed by the policies, 
                principles, standards, and guidelines;</DELETED>
        <DELETED>    ``(2) within such time period as the Director 
        shall prescribe, the head of the Federal agency shall--
        </DELETED>
                <DELETED>    ``(A) implement a corrective measure or 
                develop a mitigation plan in accordance with paragraph 
                (1); or</DELETED>
                <DELETED>    ``(B) submit to the Director, the Director 
                of the Office of Management and Budget, the Inspector 
                General for the Federal agency, and the appropriate 
                committees of Congress a report indicating why the 
                Federal agency has not implemented the corrective 
                measure or developed a mitigation plan; and</DELETED>
        <DELETED>    ``(3) the Director may direct the isolation of any 
        component of the agency information infrastructure, consistent 
        with the contingency or continuity of operation plans 
        applicable to the agency information infrastructure, until 
        corrective measures are taken or mitigation plans approved by 
        the Director are put in place, if--</DELETED>
                <DELETED>    ``(A) the head of the Federal agency has 
                failed to comply with the corrective measures 
                prescribed under paragraph (1); and</DELETED>
                <DELETED>    ``(B) the failure to comply presents a 
                significant danger to the Federal information 
                infrastructure.</DELETED>

<DELETED>``SEC. 246. INFORMATION SHARING.</DELETED>

<DELETED>    ``(a) Federal Agencies.--</DELETED>
        <DELETED>    ``(1) Information sharing program.--Consistent 
        with the responsibilities described in sections 242 and 244, the 
        Director, in consultation with the other members of the Chief 
        Information Officers Council established under section 3603 of 
        title 44, United States Code, and the Federal Information 
        Security Taskforce, shall establish a program for sharing 
        information with and between the Center and other Federal 
        agencies that includes processes and procedures, including 
        standard operating procedures--</DELETED>
                <DELETED>    ``(A) under which the Director regularly 
                shares with each Federal agency--</DELETED>
                        <DELETED>    ``(i) analysis and reports on the 
                        composite security state of the Federal 
                        information infrastructure and information 
                        infrastructure that is owned, operated, 
                        controlled, or licensed for use by, or on 
                        behalf of, the Department of Defense, a 
                        military department, or another element of the 
                        intelligence community, which shall include 
                        information relating to threats, 
                        vulnerabilities, incidents, or anomalous 
                        activities;</DELETED>
                        <DELETED>    ``(ii) any available analysis and 
                        reports regarding the security of the agency 
                        information infrastructure; and</DELETED>
                        <DELETED>    ``(iii) means and methods of 
                        preventing, responding to, mitigating, and 
                        remediating vulnerabilities; and</DELETED>
                <DELETED>    ``(B) under which the Director may request 
                information from Federal agencies concerning the 
                security of the Federal information infrastructure, 
                information infrastructure that is owned, operated, 
                controlled, or licensed for use by, or on behalf of, 
                the Department of Defense, a military department, or 
                another element of the intelligence community, or the 
                national information infrastructure necessary to carry 
                out the duties of the Director under this subtitle or 
                any other provision of law.</DELETED>
        <DELETED>    ``(2) Contents.--The program established under 
        this section shall include--</DELETED>
                <DELETED>    ``(A) timeframes for the sharing of 
                information under paragraph (1);</DELETED>
                <DELETED>    ``(B) guidance on what information shall 
                be shared, including information regarding 
                incidents;</DELETED>
                <DELETED>    ``(C) a tiered structure that provides 
                guidance for the sharing of urgent information; 
                and</DELETED>
                <DELETED>    ``(D) processes and procedures under which 
                the Director or the head of a Federal agency may report 
                noncompliance with the program to the Director of 
                Cyberspace Policy.</DELETED>
        <DELETED>    ``(3) US-CERT.--The Director of the US-CERT shall 
        ensure that the head of each Federal agency has continual 
        access to data collected by the US-CERT regarding the agency 
        information infrastructure of the Federal agency.</DELETED>
        <DELETED>    ``(4) Federal agencies.--</DELETED>
                <DELETED>    ``(A) In general.--The head of a Federal 
                agency shall comply with all processes and procedures 
                established under this subsection regarding 
                notification to the Director relating to 
                incidents.</DELETED>
                <DELETED>    ``(B) Immediate notification required.--
                Unless otherwise directed by the President, any Federal 
                agency with a national security system shall 
                immediately notify the Director regarding any incident 
                affecting the risk-based security of the national 
                security system.</DELETED>
<DELETED>    ``(b) State and Local Governments, Private Sector, and 
International Partners.--</DELETED>
        <DELETED>    ``(1) In general.--The Director shall establish 
        processes and procedures, including standard operating 
        procedures, to promote bidirectional information sharing with 
        State and local governments, private entities, and 
        international partners of the United States on--</DELETED>
                <DELETED>    ``(A) threats, vulnerabilities, incidents, 
                and anomalous activities affecting the national 
                information infrastructure; and</DELETED>
                <DELETED>    ``(B) means and methods of preventing, 
                responding to, and mitigating and remediating 
                vulnerabilities.</DELETED>
        <DELETED>    ``(2) Contents.--The processes and procedures 
        established under paragraph (1) shall include--</DELETED>
                <DELETED>    ``(A) means or methods of accessing 
                classified or unclassified information, as appropriate, 
                that will provide situational awareness of the security 
                of the Federal information infrastructure and the 
                national information infrastructure relating to 
                threats, vulnerabilities, traffic, trends, incidents, 
                and other anomalous activities affecting the Federal 
                information infrastructure or the national information 
                infrastructure;</DELETED>
                <DELETED>    ``(B) a mechanism, established in 
                consultation with the heads of the relevant sector-
                specific agencies, sector coordinating councils, and 
                information sharing and analysis centers, by which 
                owners and operators of covered critical infrastructure 
                shall report incidents in the information 
                infrastructure for covered critical infrastructure, to 
                the extent the incident might indicate an actual or 
                potential cyber vulnerability, or exploitation of that 
                vulnerability; and</DELETED>
                <DELETED>    ``(C) an evaluation of the need to provide 
                security clearances to employees of State and local 
                governments, private entities, and international 
                partners to carry out this subsection.</DELETED>
        <DELETED>    ``(3) Guidelines.--The Director, in consultation 
        with the Attorney General and the Director of National 
        Intelligence, shall develop guidelines to protect the privacy 
        and civil liberties of United States persons and intelligence 
        sources and methods, while carrying out this 
        subsection.</DELETED>
<DELETED>    ``(c) Incidents.--</DELETED>
        <DELETED>    ``(1) Non-federal entities.--</DELETED>
                <DELETED>    ``(A) In general.--</DELETED>
                        <DELETED>    ``(i) Mandatory reporting.--
                        Subject to clause (i), the owner or operator of 
                        covered critical infrastructure shall report 
                        any incident affecting the information 
                        infrastructure of covered critical 
                        infrastructure to the extent the incident might 
                        indicate an actual or potential cyber 
                        vulnerability, or exploitation of a cyber 
                        vulnerability, in accordance with the policies 
                        and procedures for the mechanism established 
                        under subsection (b)(2)(B) and guidelines 
                        developed under subsection (b)(3).</DELETED>
                        <DELETED>    ``(ii) Limitation.--Clause (i) 
                        shall not authorize the Director, the Center, 
                        the Department, or any other Federal entity to 
                        compel the disclosure of information relating 
                        to an incident or conduct surveillance unless 
                        otherwise authorized under chapter 119, chapter 
                        121, or chapter 206 of title 18, United States 
                        Code, the Foreign Intelligence Surveillance Act 
                        of 1978 (50 U.S.C. 1801 et seq.), or any other 
                        provision of law.</DELETED>
                <DELETED>    ``(B) Reporting procedures.--The Director 
                shall establish procedures that enable and encourage 
                the owner or operator of national information 
                infrastructure to report to the Director regarding 
                incidents affecting such information 
                infrastructure.</DELETED>
        <DELETED>    ``(2) Information protection.--Notwithstanding any 
        other provision of law, information reported under paragraph 
        (1) shall be protected from unauthorized disclosure, in 
        accordance with section 251.</DELETED>
<DELETED>    ``(d) Additional Responsibilities.--In accordance with 
section 251, the Director shall--</DELETED>
        <DELETED>    ``(1) share data collected on the Federal 
        information infrastructure with the National Science Foundation 
        and other accredited research institutions for the sole purpose 
        of cybersecurity research in a manner that protects privacy and 
        civil liberties of United States persons and intelligence 
        sources and methods;</DELETED>
        <DELETED>    ``(2) establish a website to provide an 
        opportunity for the public to provide--</DELETED>
                <DELETED>    ``(A) input about the operations of the 
                Center; and</DELETED>
                <DELETED>    ``(B) recommendations for improvements of 
                the Center; and</DELETED>
        <DELETED>    ``(3) in coordination with the Secretary of 
        Defense, the Director of National Intelligence, the Secretary 
        of State, and the Attorney General, develop information sharing 
        pilot programs with international partners of the United 
        States.</DELETED>

<DELETED>``SEC. 247. PRIVATE SECTOR ASSISTANCE.</DELETED>

<DELETED>    ``(a) In General.--The Director, in consultation with the 
Director of the National Institute of Standards and Technology, the 
Director of the National Security Agency, the head of any relevant 
sector-specific agency, the National Cybersecurity Advisory Council, 
State and local governments, and any private entities the Director 
determines appropriate, shall establish a program to promote, and 
provide technical assistance authorized under section 242(f)(1)(S) 
relating to the implementation of, best practices and related standards 
and guidelines for securing the national information infrastructure, 
including the costs and benefits associated with the implementation of 
the best practices and related standards and guidelines.</DELETED>
<DELETED>    ``(b) Analysis and Improvement of Standards and 
Guidelines.--For purposes of the program established under subsection 
(a), the Director shall--</DELETED>
        <DELETED>    ``(1) regularly assess and evaluate cybersecurity 
        standards and guidelines issued by private sector 
        organizations, recognized international and domestic standards 
        setting organizations, and Federal agencies; and</DELETED>
        <DELETED>    ``(2) in coordination with the National Institute 
        of Standards and Technology, encourage the development of, and 
        recommend changes to, the standards and guidelines described in 
        paragraph (1) for securing the national information 
        infrastructure.</DELETED>
<DELETED>    ``(c) Guidance and Technical Assistance.--</DELETED>
        <DELETED>    ``(1) In general.--The Director shall promote best 
        practices and related standards and guidelines to assist owners 
        and operators of national information infrastructure in 
        increasing the security of the national information 
        infrastructure and protecting against and mitigating or 
        remediating known vulnerabilities.</DELETED>
        <DELETED>    ``(2) Requirement.--Technical assistance provided 
        under section 242(f)(1)(S) and best practices promoted under 
        this section shall be prioritized based on risk.</DELETED>
<DELETED>    ``(d) Criteria.--In promoting best practices or 
recommending changes to standards and guidelines under this section, 
the Director shall ensure that best practices, and related standards 
and guidelines--</DELETED>
        <DELETED>    ``(1) address cybersecurity in a comprehensive, 
        risk-based manner;</DELETED>
        <DELETED>    ``(2) include consideration of the cost of 
        implementing such best practices or of implementing recommended 
        changes to standards and guidelines;</DELETED>
        <DELETED>    ``(3) increase the ability of the owners or 
        operators of national information infrastructure to protect 
        against and mitigate or remediate known 
        vulnerabilities;</DELETED>
        <DELETED>    ``(4) are suitable, as appropriate, for 
        implementation by small business concerns;</DELETED>
        <DELETED>    ``(5) as necessary and appropriate, are sector 
        specific;</DELETED>
        <DELETED>    ``(6) to the maximum extent possible, incorporate 
        standards and guidelines established by private sector 
        organizations, recognized international and domestic standards 
        setting organizations, and Federal agencies; and</DELETED>
        <DELETED>    ``(7) provide sufficient flexibility to permit a 
        range of security solutions.</DELETED>

<DELETED>``SEC. 248. CYBER VULNERABILITIES TO COVERED CRITICAL 
              INFRASTRUCTURE.</DELETED>

<DELETED>    ``(a) Identification of Cyber Vulnerabilities.--</DELETED>
        <DELETED>    ``(1) In general.--Based on the risk-based 
        assessments conducted under section 242(f)(1)(T)(i), the 
        Director, in coordination with the head of the sector-specific 
        agency with responsibility for covered critical infrastructure 
        and the head of any Federal agency that is not a sector-
        specific agency with responsibilities for regulating the 
        covered critical infrastructure, and in consultation with the 
        National Cybersecurity Advisory Council and any private sector 
        entity determined appropriate by the Director, shall, on a 
        continuous and sector-by-sector basis, identify and evaluate 
        the cyber vulnerabilities to covered critical 
        infrastructure.</DELETED>
        <DELETED>    ``(2) Factors to be considered.--In identifying 
        and evaluating cyber vulnerabilities under paragraph (1), the 
        Director shall consider--</DELETED>
                <DELETED>    ``(A) the perceived threat, including a 
                consideration of adversary capabilities and intent, 
                preparedness, target attractiveness, and deterrence 
                capabilities;</DELETED>
                <DELETED>    ``(B) the potential extent and likelihood 
                of death, injury, or serious adverse effects to human 
                health and safety caused by a disruption of the 
                reliable operation of covered critical 
                infrastructure;</DELETED>
                <DELETED>    ``(C) the threat to or potential impact on 
                national security caused by a disruption of the 
                reliable operation of covered critical 
                infrastructure;</DELETED>
                <DELETED>    ``(D) the extent to which the disruption 
                of the reliable operation of covered critical 
                infrastructure will disrupt the reliable operation of 
                other covered critical infrastructure;</DELETED>
                <DELETED>    ``(E) the potential for harm to the 
                economy that would result from a disruption of the 
                reliable operation of covered critical infrastructure; 
                and</DELETED>
                <DELETED>    ``(F) other risk-based security factors 
                that the Director, in consultation with the head of the 
                sector-specific agency with responsibility for the 
                covered critical infrastructure and the head of any 
                Federal agency that is not a sector-specific agency 
                with responsibilities for regulating the covered 
                critical infrastructure, determine to be appropriate 
                and necessary to protect public health and safety, 
                critical infrastructure, or national and economic 
                security.</DELETED>
        <DELETED>    ``(3) Report.--</DELETED>
                <DELETED>    ``(A) In general.--Not later than 180 days 
                after the date of enactment of this subtitle, and 
                annually thereafter, the Director, in coordination with 
                the head of the sector-specific agency with 
                responsibility for the covered critical infrastructure 
                and the head of any Federal agency that is not a 
                sector-specific agency with responsibilities for 
                regulating the covered critical infrastructure, shall 
                submit to the appropriate committees of Congress a 
                report on the findings of the identification and 
                evaluation of cyber vulnerabilities under this 
                subsection. Each report submitted under this paragraph 
                shall be submitted in an unclassified form, but may 
                include a classified annex.</DELETED>
                <DELETED>    ``(B) Input.--For purposes of the reports 
                required under subparagraph (A), the Director shall 
                create a process under which owners and operators of 
                covered critical infrastructure may provide input on 
                the findings of the reports.</DELETED>
<DELETED>    ``(b) Risk-Based Performance Requirements.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 270 days after 
        the date of the enactment of this subtitle, in coordination 
        with the heads of the sector-specific agencies with 
        responsibility for covered critical infrastructure and the head 
        of any Federal agency that is not a sector-specific agency with 
        responsibilities for regulating the covered critical 
        infrastructure, and in consultation with the National 
        Cybersecurity Advisory Council and any private sector entity 
        determined appropriate by the Director, the Director shall 
        issue interim final regulations establishing risk-based 
        security performance requirements to secure covered critical 
        infrastructure against cyber vulnerabilities through the 
        adoption of security measures that satisfy the security 
        performance requirements identified by the Director.</DELETED>
        <DELETED>    ``(2) Procedures.--The regulations issued under 
        this subsection shall--</DELETED>
                <DELETED>    ``(A) include a process under which owners 
                and operators of covered critical infrastructure are 
                informed of identified cyber vulnerabilities and 
                security performance requirements designed to remediate 
                or mitigate the cyber vulnerabilities, in combination 
                with best practices recommended under section 
                247;</DELETED>
                <DELETED>    ``(B) establish a process for owners and 
                operators of covered critical infrastructure to select 
                security measures, including any best practices 
                recommended under section 247, that, in combination, 
                satisfy the security performance requirements 
                established by the Director under this 
                subsection;</DELETED>
                <DELETED>    ``(C) establish a process for owners and 
                operators of covered critical infrastructure to develop 
                response plans for a national cyber emergency declared 
                under section 249; and</DELETED>
                <DELETED>    ``(D) establish a process by which the 
                Director--</DELETED>
                        <DELETED>    ``(i) is notified of the security 
                        measures selected by the owner or operator of 
                        covered critical infrastructure under 
                        subparagraph (B); and</DELETED>
                        <DELETED>    ``(ii) may determine whether the 
                        proposed security measures satisfy the security 
                        performance requirements established by the 
                        Director under this subsection.</DELETED>
        <DELETED>    ``(3) International cooperation on securing 
        covered critical infrastructure.--</DELETED>
                <DELETED>    ``(A) In general.--The Director, in 
                coordination with the head of the sector-specific 
                agency with responsibility for covered critical 
                infrastructure and the head of any Federal agency that 
                is not a sector-specific agency with responsibilities 
                for regulating the covered critical infrastructure, 
                shall--</DELETED>
                        <DELETED>    ``(i) consistent with the 
                        protection of intelligence sources and methods 
                        and other sensitive matters, inform the owner 
                        or operator of covered critical infrastructure 
                        that is located outside the United States and 
                        the government of the country in which the 
                        covered critical infrastructure is located of 
                        any cyber vulnerabilities to the covered 
                        critical infrastructure; and</DELETED>
                        <DELETED>    ``(ii) coordinate with the 
                        government of the country in which the covered 
                        critical infrastructure is located and, as 
                        appropriate, the owner or operator of the 
                        covered critical infrastructure, regarding the 
                        implementation of security measures or other 
                        measures to the covered critical infrastructure 
                        to mitigate or remediate cyber 
                        vulnerabilities.</DELETED>
                <DELETED>    ``(B) International agreements.--The 
                Director shall carry out this paragraph in a manner 
                consistent with applicable international 
                agreements.</DELETED>
        <DELETED>    ``(4) Risk-based security performance 
        requirements.--</DELETED>
                <DELETED>    ``(A) In general.--The security 
                performance requirements established by the Director 
                under this subsection shall be--</DELETED>
                        <DELETED>    ``(i) based on the factors listed 
                        in subsection (a)(2); and</DELETED>
                        <DELETED>    ``(ii) designed to remediate or 
                        mitigate identified cyber vulnerabilities and 
                        any associated consequences of an exploitation 
                        based on such vulnerabilities.</DELETED>
                <DELETED>    ``(B) Consultation.--In establishing 
                security performance requirements under this 
                subsection, the Director shall, to the maximum extent 
                practicable, consult with--</DELETED>
                        <DELETED>    ``(i) the Director of the National 
                        Security Agency;</DELETED>
                        <DELETED>    ``(ii) the Director of the 
                        National Institute of Standards and 
                        Technology;</DELETED>
                        <DELETED>    ``(iii) the National Cybersecurity 
                        Advisory Council;</DELETED>
                        <DELETED>    ``(iv) the heads of sector-
                        specific agencies; and</DELETED>
                        <DELETED>    ``(v) the heads of Federal 
                        agencies that are not a sector-specific agency 
                        with responsibilities for regulating the 
                        covered critical infrastructure.</DELETED>
                <DELETED>    ``(C) Alternative measures.--</DELETED>
                        <DELETED>    ``(i) In general.--The owners and 
                        operators of covered critical infrastructure 
                        shall have flexibility to implement any 
                        security measure, or combination thereof, to 
                        satisfy the security performance requirements 
                        described in subparagraph (A) and the Director 
                        may not disapprove under this section any 
                        proposed security measures, or combination 
                        thereof, based on the presence or absence of 
                        any particular security measure if the proposed 
                        security measures, or combination thereof, 
                        satisfy the security performance requirements 
                        established by the Director under this 
                        section.</DELETED>
                        <DELETED>    ``(ii) Recommended security 
                        measures.--The Director may recommend to an 
                        owner and operator of covered critical 
                        infrastructure a specific security measure, or 
                        combination thereof, that will satisfy the 
                        security performance requirements established 
                        by the Director. The absence of the recommended 
                        security measures, or combination thereof, may 
                        not serve as the basis for a disapproval of the 
                        security measure, or combination thereof, 
                        proposed by the owner or operator of covered 
                        critical infrastructure if the proposed 
                        security measure, or combination thereof, 
                        otherwise satisfies the security performance 
                        requirements established by the Director under 
                        this section.</DELETED>

<DELETED>``SEC. 249. NATIONAL CYBER EMERGENCIES.</DELETED>

<DELETED>    ``(a) Declaration.--</DELETED>
        <DELETED>    ``(1) In general.--The President may issue a 
        declaration of a national cyber emergency to covered critical 
        infrastructure. Any declaration under this section shall 
        specify the covered critical infrastructure subject to the 
        national cyber emergency.</DELETED>
        <DELETED>    ``(2) Notification.--Upon issuing a declaration 
        under paragraph (1), the President shall, consistent with the 
        protection of intelligence sources and methods, notify the 
        owners and operators of the specified covered critical 
        infrastructure of the nature of the national cyber 
        emergency.</DELETED>
        <DELETED>    ``(3) Authorities.--If the President issues a 
        declaration under paragraph (1), the Director shall--</DELETED>
                <DELETED>    ``(A) immediately direct the owners and 
                operators of covered critical infrastructure subject to 
                the declaration under paragraph (1) to implement 
                response plans required under section 
                248(b)(2)(C);</DELETED>
                <DELETED>    ``(B) develop and coordinate emergency 
                measures or actions necessary to preserve the reliable 
                operation, and mitigate or remediate the consequences 
                of the potential disruption, of covered critical 
                infrastructure;</DELETED>
                <DELETED>    ``(C) ensure that emergency measures or 
                actions directed under this section represent the least 
                disruptive means feasible to the operations of the 
                covered critical infrastructure;</DELETED>
                <DELETED>    ``(D) subject to subsection (f), direct 
                actions by other Federal agencies to respond to the 
                national cyber emergency;</DELETED>
                <DELETED>    ``(E) coordinate with officials of State 
                and local governments, international partners of the 
                United States, and private owners and operators of 
                covered critical infrastructure specified in the 
                declaration to respond to the national cyber 
                emergency;</DELETED>
                <DELETED>    ``(F) initiate a process under section 248 
                to address the cyber vulnerability that may be 
                exploited by the national cyber emergency; 
                and</DELETED>
                <DELETED>    ``(G) provide voluntary technical 
                assistance, if requested, under section 
                242(f)(1)(S).</DELETED>
        <DELETED>    ``(4) Reimbursement.--A Federal agency shall be 
        reimbursed for expenditures under this section from funds 
        appropriated for the purposes of this section. Any funds 
        received by a Federal agency as reimbursement for services or 
        supplies furnished under the authority of this section shall be 
        deposited to the credit of the appropriation or appropriations 
        available on the date of the deposit for the services or 
        supplies.</DELETED>
        <DELETED>    ``(5) Consultation.--In carrying out this section, 
        the Director shall consult with the Secretary, the Secretary of 
        Defense, the Director of the National Security Agency, the 
        Director of the National Institute of Standards and Technology, 
        and any other official, as directed by the President.</DELETED>
        <DELETED>    ``(6) Privacy.--In carrying out this section, the 
        Director shall ensure that the privacy and civil liberties of 
        United States persons are protected.</DELETED>
<DELETED>    ``(b) Discontinuance of Emergency Measures.--</DELETED>
        <DELETED>    ``(1) In general.--Any emergency measure or action 
        developed under this section shall cease to have effect not 
        later than 30 days after the date on which the President issued 
        the declaration of a national cyber emergency, unless--</DELETED>
                <DELETED>    ``(A) the Director affirms in writing that 
                the emergency measure or action remains necessary to 
                address the identified national cyber emergency; 
                and</DELETED>
                <DELETED>    ``(B) the President issues a written order 
                or directive reaffirming the national cyber emergency, 
                the continuing nature of the national cyber emergency, 
                or the need to continue the adoption of the emergency 
                measure or action.</DELETED>
        <DELETED>    ``(2) Extensions.--An emergency measure or action 
        extended in accordance with paragraph (1) may--</DELETED>
                <DELETED>    ``(A) remain in effect for not more than 
                30 days after the date on which the emergency measure 
                or action was to cease to have effect; and</DELETED>
                <DELETED>    ``(B) be extended for additional 30-day 
                periods, if the requirements of paragraph (1) and 
                subsection (d) are met.</DELETED>
<DELETED>    ``(c) Compliance With Emergency Measures.--</DELETED>
        <DELETED>    ``(1) In general.--Subject to paragraph (2), the 
        owner or operator of covered critical infrastructure shall 
        immediately comply with any emergency measure or action 
        developed by the Director under this section during the 
        pendency of any declaration by the President under subsection 
        (a)(1) or an extension under subsection (b)(2).</DELETED>
        <DELETED>    ``(2) Alternative measures.--If the Director 
        determines that a proposed security measure, or any combination 
        thereof, submitted by the owner or operator of covered critical 
        infrastructure in accordance with the process established under 
        section 248(b)(2) addresses the cyber vulnerability associated 
        with the national cyber emergency that is the subject of the 
        declaration under this section, the owner or operator may 
        comply with paragraph (1) of this subsection by implementing 
        the proposed security measure, or combination thereof, approved 
        by the Director under the process established under section 
        248. Before submission of a proposed security measure, or 
        combination thereof, and during the pendency of any review by 
        the Director under the process established under section 248, 
        the owner or operator of covered critical infrastructure shall 
        remain in compliance with any emergency measure or action 
        developed by the Director under this section during the 
        pendency of any declaration by the President under subsection 
        (a)(1) or an extension under subsection (b)(2), until such time 
        as the Director has approved an alternative proposed security 
        measure, or combination thereof, under this 
        paragraph.</DELETED>
        <DELETED>    ``(3) International cooperation on national cyber 
        emergencies.--</DELETED>
                <DELETED>    ``(A) In general.--The Director, in 
                coordination with the head of the sector-specific 
                agency with responsibility for covered critical 
                infrastructure and the head of any Federal agency that 
                is not a sector-specific agency with responsibilities 
                for regulating the covered critical infrastructure, 
                shall--</DELETED>
                        <DELETED>    ``(i) consistent with the 
                        protection of intelligence sources and methods 
                        and other sensitive matters, inform the owner 
                        or operator of covered critical infrastructure 
                        that is located outside of the United States 
                        and the government of the country in which the 
                        covered critical infrastructure is located of 
                        any national cyber emergency affecting the 
                        covered critical infrastructure; and</DELETED>
                        <DELETED>    ``(ii) coordinate with the 
                        government of the country in which the covered 
                        critical infrastructure is located and, as 
                        appropriate, the owner or operator of the 
                        covered critical infrastructure, regarding the 
                        implementation of emergency measures or actions 
                        necessary to preserve the reliable operation, 
                        and mitigate or remediate the consequences of 
                        the potential disruption, of the covered 
                        critical infrastructure.</DELETED>
                <DELETED>    ``(B) International agreements.--The 
                Director shall carry out this paragraph in a manner 
                consistent with applicable international 
                agreements.</DELETED>
        <DELETED>    ``(4) Limitation on compliance authority.--The 
        authority to direct compliance with an emergency measure or 
        action under this section shall not authorize the Director, the 
        Center, the Department, or any other Federal entity to compel 
        the disclosure of information or conduct surveillance unless 
        otherwise authorized under chapter 119, chapter 121, or chapter 
        206 of title 18, United States Code, the Foreign Intelligence 
        Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other 
        provision of law.</DELETED>
<DELETED>    ``(d) Reporting.--</DELETED>
        <DELETED>    ``(1) In general.--Except as provided in paragraph 
        (2), the President shall ensure that any declaration under 
        subsection (a)(1) or any extension under subsection (b)(2) is 
        reported to the appropriate committees of Congress before the 
        Director mandates any emergency measure or actions under 
        subsection (a)(3).</DELETED>
        <DELETED>    ``(2) Exception.--If notice cannot be given under 
        paragraph (1) before mandating any emergency measure or actions 
        under subsection (a)(3), the President shall provide the report 
        required under paragraph (1) as soon as possible, along with a 
        statement of the reasons for not providing notice in accordance 
        with paragraph (1).</DELETED>
        <DELETED>    ``(3) Contents.--Each report under this subsection 
        shall describe--</DELETED>
                <DELETED>    ``(A) the nature of the national cyber 
                emergency;</DELETED>
                <DELETED>    ``(B) the reasons that risk-based security 
                requirements under section 248 are not sufficient to 
                address the national cyber emergency; and</DELETED>
                <DELETED>    ``(C) the actions necessary to preserve 
                the reliable operation and mitigate the consequences of 
                the potential disruption of covered critical 
                infrastructure.</DELETED>
<DELETED>    ``(e) Statutory Defenses and Civil Liability Limitations 
for Compliance With Emergency Measures.--</DELETED>
        <DELETED>    ``(1) Definitions.--In this subsection--</DELETED>
                <DELETED>    ``(A) the term `covered civil action'--</DELETED>
                        <DELETED>    ``(i) means a civil action filed 
                        in a Federal or State court against a covered 
                        entity; and</DELETED>
                        <DELETED>    ``(ii) does not include an action 
                        brought under section 2520 or 2707 of title 18, 
                        United States Code, or section 110 or 308 of 
                        the Foreign Intelligence Surveillance Act of 
                        1978 (50 U.S.C. 1810 and 1828);</DELETED>
                <DELETED>    ``(B) the term `covered entity' means any 
                entity that owns or operates covered critical 
                infrastructure, including any owner, operator, officer, 
                employee, agent, landlord, custodian, or other person 
                acting for or on behalf of that entity with respect to 
                the covered critical infrastructure; and</DELETED>
                <DELETED>    ``(C) the term `noneconomic damages' means 
                damages for losses for physical and emotional pain, 
                suffering, inconvenience, physical impairment, mental 
                anguish, disfigurement, loss of enjoyment of life, loss 
                of society and companionship, loss of consortium, 
                hedonic damages, injury to reputation, and any other 
                nonpecuniary losses.</DELETED>
        <DELETED>    ``(2) Application of limitations on civil 
        liability.--The limitations on civil liability under paragraph 
        (3) apply if--</DELETED>
                <DELETED>    ``(A) the President has issued a 
                declaration of national cyber emergency under 
                subsection (a)(1);</DELETED>
                <DELETED>    ``(B) the Director has--</DELETED>
                        <DELETED>    ``(i) issued emergency measures or 
                        actions for which compliance is required under 
                        subsection (c)(1); or</DELETED>
                        <DELETED>    ``(ii) approved security measures 
                        under subsection (c)(2);</DELETED>
                <DELETED>    ``(C) the covered entity is in compliance 
                with--</DELETED>
                        <DELETED>    ``(i) the emergency measures or 
                        actions required under subsection (c)(1); 
                        or</DELETED>
                        <DELETED>    ``(ii) security measures which the 
                        Director has approved under subsection (c)(2); 
                        and</DELETED>
                <DELETED>    ``(D)(i) the Director certifies to the 
                court in which the covered civil action is pending that 
                the actions taken by the covered entity during the 
                period covered by the declaration under subsection 
                (a)(1) were consistent with--</DELETED>
                        <DELETED>    ``(I) emergency measures or 
                        actions for which compliance is required under 
                        subsection (c)(1); or</DELETED>
                        <DELETED>    ``(II) security measures which the 
                        Director has approved under subsection (c)(2); 
                        or</DELETED>
                <DELETED>    ``(ii) notwithstanding the lack of a 
                certification, the covered entity demonstrates by a 
                preponderance of the evidence that the actions taken 
                during the period covered by the declaration under 
                subsection (a)(1) are consistent with the 
                implementation of--</DELETED>
                        <DELETED>    ``(I) emergency measures or 
                        actions for which compliance is required under 
                        subsection (c)(1); or</DELETED>
                        <DELETED>    ``(II) security measures which the 
                        Director has approved under subsection 
                        (c)(2).</DELETED>
        <DELETED>    ``(3) Limitations on civil liability.--In any 
        covered civil action that is related to any incident associated 
        with a cyber vulnerability covered by a declaration of a 
        national cyber emergency and for which the Director has issued 
        emergency measures or actions for which compliance is required 
        under subsection (c)(1) or for which the Director has approved 
        security measures under subsection (c)(2), or that is the 
        direct consequence of actions taken in good faith for the 
        purpose of implementing security measures or actions which the 
        Director has approved under subsection (c)(2)--</DELETED>
                <DELETED>    ``(A) the covered entity shall not be 
                liable for any punitive damages intended to punish or 
                deter, exemplary damages, or other damages not intended 
                to compensate a plaintiff for actual losses; 
                and</DELETED>
                <DELETED>    ``(B) noneconomic damages may be awarded 
                against a defendant only in an amount directly 
                proportional to the percentage of responsibility of 
                such defendant for the harm to the plaintiff, and no 
                plaintiff may recover noneconomic damages unless the 
                plaintiff suffered physical harm.</DELETED>
        <DELETED>    ``(4) Civil actions arising out of implementation 
        of emergency measures or actions.--A covered civil action may 
        not be maintained against a covered entity that is the direct 
        consequence of actions taken in good faith for the purpose of 
        implementing specific emergency measures or actions for which 
        compliance is required under subsection (c)(1), if--</DELETED>
                <DELETED>    ``(A) the President has issued a 
                declaration of national cyber emergency under 
                subsection (a)(1) and the action was taken during the 
                period covered by that declaration;</DELETED>
                <DELETED>    ``(B) the Director has issued emergency 
                measures or actions for which compliance is required 
                under subsection (c)(1);</DELETED>
                <DELETED>    ``(C) the covered entity is in compliance 
                with the emergency measures required under subsection 
                (c)(1); and</DELETED>
                <DELETED>    ``(D)(i) the Director certifies to the 
                court in which the covered civil action is pending that 
                the actions taken by the entity during the period 
                covered by the declaration under subsection (a)(1) were 
                consistent with the implementation of emergency 
                measures or actions for which compliance is required 
                under subsection (c)(1); or</DELETED>
                <DELETED>    ``(ii) notwithstanding the lack of a 
                certification, the entity demonstrates by a 
                preponderance of the evidence that the actions taken 
                during the period covered by the declaration under 
                subsection (a)(1) are consistent with the 
                implementation of emergency measures or actions for 
                which compliance is required under subsection 
                (c)(1).</DELETED>
        <DELETED>    ``(5) Certain actions not subject to limitations 
        on liability.--</DELETED>
                <DELETED>    ``(A) Additional or intervening acts.--
                Paragraphs (2) through (4) shall not apply to a civil 
                action relating to any additional or intervening acts 
                or omissions by any covered entity.</DELETED>
                <DELETED>    ``(B) Serious or substantial damage.--
                Paragraph (4) shall not apply to any civil action 
                brought by an individual--</DELETED>
                        <DELETED>    ``(i) whose recovery is otherwise 
                        precluded by application of paragraph (4); 
                        and</DELETED>
                        <DELETED>    ``(ii) who has suffered--
                        </DELETED>
                                <DELETED>    ``(I) serious physical 
                                injury or death; or</DELETED>
                                <DELETED>    ``(II) substantial damage 
                                or destruction to his primary 
                                residence.</DELETED>
                <DELETED>    ``(C) Rule of construction.--Recovery 
                available under subparagraph (B) shall be limited to 
                those damages available under subparagraphs (A) and (B) 
                of paragraph (3), except that neither reasonable and 
                necessary medical benefits nor lifetime total benefits 
                for lost employment income due to permanent and total 
                disability shall be limited herein.</DELETED>
                <DELETED>    ``(D) Indemnification.--In any civil 
                action brought under subparagraph (B), the United 
                States shall defend and indemnify any covered entity. 
                Any covered entity defended and indemnified under this 
                subparagraph shall fully cooperate with the United 
                States in the defense by the United States in any 
                proceeding and shall be reimbursed the reasonable costs 
                associated with such cooperation.</DELETED>
<DELETED>    ``(f) Rule of Construction.--Nothing in this section shall 
be construed to--</DELETED>
        <DELETED>    ``(1) alter or supersede the authority of the 
        Secretary of Defense, the Attorney General, or the Director of 
        National Intelligence in responding to a national cyber 
        emergency; or</DELETED>
        <DELETED>    ``(2) limit the authority of the Director under 
        section 248, after a declaration issued under this section 
        expires.</DELETED>

<DELETED>``SEC. 250. ENFORCEMENT.</DELETED>

<DELETED>    ``(a) Annual Certification of Compliance.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 6 months after 
        the date on which the Director promulgates regulations under 
        section 248(b), and every year thereafter, each owner or 
        operator of covered critical infrastructure shall certify in 
        writing to the Director whether the owner or operator has 
        developed and implemented, or is implementing, security 
        measures approved by the Director under section 248 and any 
        applicable emergency measures or actions required under section 
        249 for any cyber vulnerabilities and national cyber 
        emergencies.</DELETED>
        <DELETED>    ``(2) Failure to comply.--If an owner or operator 
        of covered critical infrastructure fails to submit a 
        certification in accordance with paragraph (1), or if the 
        certification indicates the owner or operator is not in 
        compliance, the Director may issue an order requiring the owner 
        or operator to submit proposed security measures under section 
        248 or comply with specific emergency measures or actions under 
        section 249.</DELETED>
<DELETED>    ``(b) Risk-Based Evaluations.--</DELETED>
        <DELETED>    ``(1) In general.--Consistent with the factors 
        described in paragraph (3), the Director may perform an 
        evaluation of the information infrastructure of any specific 
        system or asset constituting covered critical infrastructure to 
        assess the validity of a certification of compliance submitted 
        under subsection (a)(1).</DELETED>
        <DELETED>    ``(2) Document review and inspection.--An 
        evaluation performed under paragraph (1) may include--
        </DELETED>
                <DELETED>    ``(A) a review of all documentation 
                submitted to justify an annual certification of 
                compliance submitted under subsection (a)(1); 
                and</DELETED>
                <DELETED>    ``(B) a physical or electronic inspection 
                of relevant information infrastructure to which the 
                security measures required under section 248 or the 
                emergency measures or actions required under section 
                249 apply.</DELETED>
        <DELETED>    ``(3) Evaluation selection factors.--In 
        determining whether sufficient risk exists to justify an 
        evaluation under this subsection, the Director shall consider--
        </DELETED>
                <DELETED>    ``(A) the specific cyber vulnerabilities 
                affecting or potentially affecting the information 
                infrastructure of the specific system or asset 
                constituting covered critical infrastructure;</DELETED>
                <DELETED>    ``(B) any reliable intelligence or other 
                information indicating a cyber vulnerability or 
                credible national cyber emergency to the information 
                infrastructure of the specific system or asset 
                constituting covered critical infrastructure;</DELETED>
                <DELETED>    ``(C) actual knowledge or reasonable 
                suspicion that the certification of compliance 
                submitted by a specific owner or operator of covered 
                critical infrastructure is false or otherwise 
                inaccurate;</DELETED>
                <DELETED>    ``(D) a request by a specific owner or 
                operator of covered critical infrastructure for such an 
                evaluation; and</DELETED>
                <DELETED>    ``(E) such other risk-based factors as 
                identified by the Director.</DELETED>
        <DELETED>    ``(4) Sector-specific agencies.--To carry out the 
        risk-based evaluation authorized under this subsection, the 
        Director may use the resources of a sector-specific agency with 
        responsibility for the covered critical infrastructure or any 
        Federal agency that is not a sector-specific agency with 
        responsibilities for regulating the covered critical 
        infrastructure with the concurrence of the head of the 
        agency.</DELETED>
        <DELETED>    ``(5) Information protection.--Information 
        provided to the Director during the course of an evaluation 
        under this subsection shall be protected from disclosure in 
        accordance with section 251.</DELETED>
<DELETED>    ``(c) Civil Penalties.--</DELETED>
        <DELETED>    ``(1) In general.--Any person who violates section 
        248 or 249 shall be liable for a civil penalty.</DELETED>
        <DELETED>    ``(2) No private right of action.--Nothing in this 
        section confers upon any person, except the Director, a right 
        of action against an owner or operator of covered critical 
        infrastructure to enforce any provision of this 
        subtitle.</DELETED>
<DELETED>    ``(d) Limitation on Civil Liability.--</DELETED>
        <DELETED>    ``(1) Definition.--In this subsection--</DELETED>
                <DELETED>    ``(A) the term `covered civil action'--
                </DELETED>
                        <DELETED>    ``(i) means a civil action filed 
                        in a Federal or State court against a covered 
                        entity; and</DELETED>
                        <DELETED>    ``(ii) does not include an action 
                        brought under section 2520 or 2707 of title 18, 
                        United States Code, or section 110 or 308 of 
                        the Foreign Intelligence Surveillance Act of 
                        1978 (50 U.S.C. 1810 and 1828);</DELETED>
                <DELETED>    ``(B) the term `covered entity' means any 
                entity that owns or operates covered critical 
                infrastructure, including any owner, operator, officer, 
                employee, agent, landlord, custodian, or other person 
                acting for or on behalf of that entity with respect to 
                the covered critical infrastructure; and</DELETED>
                <DELETED>    ``(C) the term `noneconomic damages' means 
                damages for losses for physical and emotional pain, 
                suffering, inconvenience, physical impairment, mental 
                anguish, disfigurement, loss of enjoyment of life, loss 
                of society and companionship, loss of consortium, 
                hedonic damages, injury to reputation, and any other 
                nonpecuniary losses.</DELETED>
        <DELETED>    ``(2) Limitations on civil liability.--If a 
        covered entity experiences an incident related to a cyber 
        vulnerability identified under section 248(a), in any covered 
        civil action for damages directly caused by the incident 
        related to that cyber vulnerability--</DELETED>
                <DELETED>    ``(A) the covered entity shall not be 
                liable for any punitive damages intended to punish or 
                deter, exemplary damages, or other damages not intended 
                to compensate a plaintiff for actual losses; 
                and</DELETED>
                <DELETED>    ``(B) noneconomic damages may be awarded 
                against a defendant only in an amount directly 
                proportional to the percentage of responsibility of 
                such defendant for the harm to the plaintiff, and no 
                plaintiff may recover noneconomic damages unless the 
                plaintiff suffered physical harm.</DELETED>
        <DELETED>    ``(3) Application.--This subsection shall apply to 
        claims made by any individual or nongovernmental entity, 
        including claims made by a State or local government agency on 
        behalf of such individuals or nongovernmental entities, against 
        a covered entity--</DELETED>
                <DELETED>    ``(A) whose proposed security measures, or 
                combination thereof, satisfy the security performance 
                requirements established under subsection 248(b) and 
                have been approved by the Director;</DELETED>
                <DELETED>    ``(B) that has been evaluated under 
                subsection (b) and has been found by the Director to 
                have implemented the proposed security measures 
                approved under section 248; and</DELETED>
                <DELETED>    ``(C) that is in actual compliance with 
                the approved security measures at the time of the 
                incident related to that cyber vulnerability.</DELETED>
        <DELETED>    ``(4) Limitation.--This subsection shall only 
        apply to harm directly caused by the incident related to the 
        cyber vulnerability and shall not apply to damages caused by 
        any additional or intervening acts or omissions by the covered 
        entity.</DELETED>
        <DELETED>    ``(5) Rule of construction.--Except as provided 
        under paragraph (3), nothing in this subsection shall be 
        construed to abrogate or limit any right, remedy, or authority 
        that the Federal Government or any State or local government, 
        or any entity or agency thereof, may possess under any law, or 
        that any individual is authorized by law to bring on behalf of 
        the government.</DELETED>
<DELETED>    ``(e) Report to Congress.--The Director shall submit an 
annual report to the appropriate committees of Congress on the 
implementation and enforcement of the risk-based performance 
requirements of covered critical infrastructure under subsection 248(b) 
and this section including--</DELETED>
        <DELETED>    ``(1) the level of compliance of covered critical 
        infrastructure with the risk-based security performance 
        requirements issued under section 248(b);</DELETED>
        <DELETED>    ``(2) how frequently the evaluation authority 
        under subsection (b) was utilized and a summary of the 
        aggregate results of the evaluations; and</DELETED>
        <DELETED>    ``(3) any civil penalties imposed on covered 
        critical infrastructure.</DELETED>

<DELETED>``SEC. 251. PROTECTION OF INFORMATION.</DELETED>

<DELETED>    ``(a) Definition.--In this section, the term `covered 
information'--</DELETED>
        <DELETED>    ``(1) means--</DELETED>
                <DELETED>    ``(A) any information required to be 
                submitted under sections 246, 248, and 249 to the 
                Center by the owners and operators of covered critical 
                infrastructure; and</DELETED>
                <DELETED>    ``(B) any information submitted to the 
                Center under the processes and procedures established 
                under section 246 by State and local governments, 
                private entities, and international partners of the 
                United States regarding threats, vulnerabilities, and 
                incidents affecting--</DELETED>
                        <DELETED>    ``(i) the Federal information 
                        infrastructure;</DELETED>
                        <DELETED>    ``(ii) information infrastructure 
                        that is owned, operated, controlled, or 
                        licensed for use by, or on behalf of, the 
                        Department of Defense, a military department, 
                        or another element of the intelligence 
                        community; or</DELETED>
                        <DELETED>    ``(iii) the national information 
                        infrastructure; and</DELETED>
        <DELETED>    ``(2) shall not include any information described 
        under paragraph (1), if that information is submitted to--
        </DELETED>
                <DELETED>    ``(A) conceal violations of law, 
                inefficiency, or administrative error;</DELETED>
                <DELETED>    ``(B) prevent embarrassment to a person, 
                organization, or agency; or</DELETED>
                <DELETED>    ``(C) interfere with competition in the 
                private sector.</DELETED>
<DELETED>    ``(b) Voluntarily Shared Critical Infrastructure 
Information.--Covered information submitted in accordance with this 
section shall be treated as voluntarily shared critical infrastructure 
information under section 214, except that the requirement of section 
214 that the information be voluntarily submitted, including the 
requirement for an express statement, shall not be required for 
submissions of covered information.</DELETED>
<DELETED>    ``(c) Guidelines.--</DELETED>
        <DELETED>    ``(1) In general.--Subject to paragraph (2), the 
        Director shall develop and issue guidelines, in consultation 
        with the Secretary, Attorney General, and the National 
        Cybersecurity Advisory Council, as necessary to implement this 
        section.</DELETED>
        <DELETED>    ``(2) Requirements.--The guidelines developed 
        under this section shall--</DELETED>
                <DELETED>    ``(A) consistent with section 214(e)(2)(D) 
                and (g) and the guidelines developed under section 
                246(b)(3), include provisions for information sharing 
                among Federal, State, and local officials, private 
                entities, or international partners of the United 
                States necessary to carry out the authorities and 
                responsibilities of the Director;</DELETED>
                <DELETED>    ``(B) be consistent, to the maximum extent 
                possible, with policy guidance and implementation 
                standards developed by the National Archives and 
                Records Administration for controlled unclassified 
                information, including with respect to marking, 
                safeguarding, dissemination and dispute resolution; 
                and</DELETED>
                <DELETED>    ``(C) describe, with as much detail as 
                possible, the categories and type of information 
                entities should voluntarily submit under subsections 
                (b) and (c)(1)(B) of section 246.</DELETED>
<DELETED>    ``(d) Process for Reporting Security Problems.--</DELETED>
        <DELETED>    ``(1) Establishment of process.--The Director 
        shall establish through regulation, and provide information to 
        the public regarding, a process by which any person may submit 
        a report to the Secretary regarding cybersecurity threats, 
        vulnerabilities, and incidents affecting--</DELETED>
                <DELETED>    ``(A) the Federal information 
                infrastructure;</DELETED>
                <DELETED>    ``(B) information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community; or</DELETED>
                <DELETED>    ``(C) national information 
                infrastructure.</DELETED>
        <DELETED>    ``(2) Acknowledgment of receipt.--If a report 
        submitted under paragraph (1) identifies the person making the 
        report, the Director shall respond promptly to such person and 
        acknowledge receipt of the report.</DELETED>
        <DELETED>    ``(3) Steps to address problem.--The Director 
        shall review and consider the information provided in any 
        report submitted under paragraph (1) and, at the sole, 
        unreviewable discretion of the Director, determine what, if 
        any, steps are necessary or appropriate to address any problems 
        or deficiencies identified.</DELETED>
        <DELETED>    ``(4) Disclosure of identity.--</DELETED>
                <DELETED>    ``(A) In general.--Except as provided in 
                subparagraph (B), or with the written consent of the 
                person, the Secretary may not disclose the identity of 
                a person who has provided information described in 
                paragraph (1).</DELETED>
                <DELETED>    ``(B) Referral to the attorney general.--
                The Secretary shall disclose to the Attorney General 
                the identity of a person described under subparagraph 
                (A) if the matter is referred to the Attorney General 
                for enforcement. The Director shall provide reasonable 
                advance notice to the affected person if disclosure of 
                that person's identity is to occur, unless such notice 
                would risk compromising a criminal or civil enforcement 
                investigation or proceeding.</DELETED>
<DELETED>    ``(e) Rules of Construction.--Nothing in this section 
shall be construed to--</DELETED>
        <DELETED>    ``(1) limit or otherwise affect the right, 
        ability, duty, or obligation of any entity to use or disclose 
        any information of that entity, including in the conduct of any 
        judicial or other proceeding;</DELETED>
        <DELETED>    ``(2) prevent the classification of information 
        submitted under this section if that information meets the 
        standards for classification under Executive Order 12958 or any 
        successor of that order;</DELETED>
        <DELETED>    ``(3) limit the right of an individual to make any 
        disclosure--</DELETED>
                <DELETED>    ``(A) protected or authorized under 
                section 2302(b)(8) or 7211 of title 5, United States 
                Code;</DELETED>
                <DELETED>    ``(B) to an appropriate official of 
                information that the individual reasonably believes 
                evidences a violation of any law, rule, or regulation, 
                gross mismanagement, or substantial and specific danger 
                to public health, safety, or security, and that is 
                protected under any Federal or State law (other than 
                those referenced in subparagraph (A)) that shields the 
                disclosing individual against retaliation or 
                discrimination for having made the disclosure if such 
                disclosure is not specifically prohibited by law and if 
                such information is not specifically required by 
                Executive order to be kept secret in the interest of 
                national defense or the conduct of foreign affairs; 
                or</DELETED>
                <DELETED>    ``(C) to the Special Counsel, the 
                inspector general of an agency, or any other employee 
                designated by the head of an agency to receive similar 
                disclosures;</DELETED>
        <DELETED>    ``(4) prevent the Director from using information 
        required to be submitted under sections 246, 248, or 249 for 
        enforcement of this subtitle, including enforcement proceedings 
        subject to appropriate safeguards;</DELETED>
        <DELETED>    ``(5) authorize information to be withheld from 
        Congress, the Government Accountability Office, or Inspector 
        General of the Department; or</DELETED>
        <DELETED>    ``(6) create a private right of action for 
        enforcement of any provision of this section.</DELETED>
<DELETED>    ``(f) Audit.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 1 year after the 
        date of enactment of the Protecting Cyberspace as a National 
        Asset Act of 2010, the Inspector General of the Department 
        shall conduct an audit of the management of information 
        submitted under subsection (b) and report the findings to 
        appropriate committees of Congress.</DELETED>
        <DELETED>    ``(2) Contents.--The audit under paragraph (1) 
        shall include assessments of--</DELETED>
                <DELETED>    ``(A) whether the information is 
                adequately safeguarded against inappropriate 
                disclosure;</DELETED>
                <DELETED>    ``(B) the processes for marking and 
                disseminating the information and resolving any 
                disputes;</DELETED>
                <DELETED>    ``(C) how the information is used for the 
                purposes of this section, and whether that use is 
                effective;</DELETED>
                <DELETED>    ``(D) whether information sharing has been 
                effective to fulfill the purposes of this 
                section;</DELETED>
                <DELETED>    ``(E) whether the kinds of information 
                submitted have been appropriate and useful, or 
                overbroad or overnarrow;</DELETED>
                <DELETED>    ``(F) whether the information protections 
                allow for adequate accountability and transparency of 
                the regulatory, enforcement, and other aspects of 
                implementing this subtitle; and</DELETED>
                <DELETED>    ``(G) any other factors at the discretion 
                of the Inspector General.</DELETED>

<DELETED>``SEC. 252. SECTOR-SPECIFIC AGENCIES.</DELETED>

<DELETED>    ``(a) In General.--The head of each sector-specific agency 
and the head of any Federal agency that is not a sector-specific agency 
with responsibilities for regulating covered critical infrastructure 
shall coordinate with the Director on any activities of the sector-
specific agency or Federal agency that relate to the efforts of the 
agency regarding security or resiliency of the national information 
infrastructure, including critical infrastructure and covered critical 
infrastructure, within or under the supervision of the 
agency.</DELETED>
<DELETED>    ``(b) Duplicative Reporting Requirements.--The head of 
each sector-specific agency and the head of any Federal agency that is 
not a sector-specific agency with responsibilities for regulating 
covered critical infrastructure shall coordinate with the Director to 
eliminate and avoid the creation of duplicate reporting or compliance 
requirements relating to the security or resiliency of the national 
information infrastructure, including critical infrastructure and 
covered critical infrastructure, within or under the supervision of the 
agency.</DELETED>
<DELETED>    ``(c) Requirements.--</DELETED>
        <DELETED>    ``(1) In general.--To the extent that the head of 
        each sector-specific agency and the head of any Federal agency 
        that is not a sector-specific agency with responsibilities for 
        regulating covered critical infrastructure has the authority to 
        establish regulations, rules, or requirements or other required 
        actions that are applicable to the security of national 
        information infrastructure, including critical infrastructure 
        and covered critical infrastructure, the head of that agency 
        shall--</DELETED>
                <DELETED>    ``(A) notify the Director in a timely 
                fashion of the intent to establish the regulations, 
                rules, requirements, or other required 
                actions;</DELETED>
                <DELETED>    ``(B) coordinate with the Director to 
                ensure that the regulations, rules, requirements, or 
                other required actions are consistent with, and do not 
                conflict or impede, the activities of the Director 
                under sections 247, 248, and 249; and</DELETED>
                <DELETED>    ``(C) in coordination with the Director, 
                ensure that the regulations, rules, requirements, or 
                other required actions are implemented, as they relate 
                to covered critical infrastructure, in accordance with 
                subsection (a).</DELETED>
        <DELETED>    ``(2) Coordination.--Coordination under paragraph 
        (1)(B) shall include the active participation of the Director 
        in the process for developing regulations, rules, requirements, 
        or other required actions.</DELETED>
        <DELETED>    ``(3) Rule of construction.--Nothing in this 
        section shall be construed to provide additional authority for 
        any sector-specific agency or any Federal agency that is not a 
        sector-specific agency with responsibilities for regulating 
        national information infrastructure, including critical 
        infrastructure or covered critical infrastructure, to establish 
        standards or other measures that are applicable to the security 
        of national information infrastructure not otherwise authorized 
        by law.</DELETED>

<DELETED>``SEC. 253. STRATEGY FOR FEDERAL CYBERSECURITY SUPPLY CHAIN 
              MANAGEMENT.</DELETED>

<DELETED>    ``(a) In General.--The Secretary, in consultation with the 
Director of Cyberspace Policy, the Director, the Secretary of Defense, 
the Secretary of Commerce, the Secretary of State, the Director of 
National Intelligence, the Administrator of General Services, the 
Administrator for Federal Procurement Policy, the other members of the 
Chief Information Officers Council established under section 3603 of 
title 44, United States Code, the Chief Acquisition Officers Council 
established under section 16A of the Office of Federal Procurement 
Policy Act (41 U.S.C. 414b), the Chief Financial Officers Council 
established under section 302 of the Chief Financial Officers Act of 
1990 (31 U.S.C. 901 note), and the private sector, shall develop, 
periodically update, and implement a supply chain risk management 
strategy designed to ensure the security of the Federal information 
infrastructure, including protection against unauthorized access to, 
alteration of information in, disruption of operations of, interruption 
of communications or services of, and insertion of malicious software, 
engineering vulnerabilities, or otherwise corrupting software, 
hardware, services, or products intended for use in Federal information 
infrastructure.</DELETED>
<DELETED>    ``(b) Contents.--The supply chain risk management strategy 
developed under subsection (a) shall--</DELETED>
        <DELETED>    ``(1) address risks in the supply chain during the 
        entire life cycle of any part of the Federal information 
        infrastructure;</DELETED>
        <DELETED>    ``(2) place particular emphasis on--</DELETED>
                <DELETED>    ``(A) securing critical information 
                systems and the Federal information 
                infrastructure;</DELETED>
                <DELETED>    ``(B) developing processes that--
                </DELETED>
                        <DELETED>    ``(i) incorporate all-source 
                        intelligence analysis into assessments of the 
                        supply chain for the Federal information 
                        infrastructure;</DELETED>
                        <DELETED>    ``(ii) assess risks from potential 
                        suppliers providing critical components or 
                        services of the Federal information 
                        infrastructure;</DELETED>
                        <DELETED>    ``(iii) assess risks from 
                        individual components, including all 
                        subcomponents, or software used in or affecting 
                        the Federal information 
                        infrastructure;</DELETED>
                        <DELETED>    ``(iv) manage the quality, 
                        configuration, and security of software, 
                        hardware, and systems of the Federal 
                        information infrastructure throughout the life 
                        cycle of the software, hardware, or system, 
                        including components or subcomponents from 
                        secondary and tertiary sources;</DELETED>
                        <DELETED>    ``(v) detect the occurrence, 
                        reduce the likelihood of occurrence, and 
                        mitigate or remediate the risks associated with 
                        products containing counterfeit components or 
                        malicious functions;</DELETED>
                        <DELETED>    ``(vi) enhance developmental and 
                        operational test and evaluation capabilities, 
                        including software vulnerability detection 
                        methods and automated tools that shall be 
                        integrated into acquisition policy practices by 
                        Federal agencies and, where appropriate, make 
                        the capabilities available for use by the 
                        private sector; and</DELETED>
                        <DELETED>    ``(vii) protect the intellectual 
                        property and trade secrets of suppliers of 
                        information and communications technology 
                        products and services;</DELETED>
                <DELETED>    ``(C) the use of internationally-
                recognized standards and standards developed by the 
                private sector and developing a process, with the 
                National Institute of Standards and Technology, to 
                make recommendations for improvements of the 
                standards;</DELETED>
                <DELETED>    ``(D) identifying acquisition practices of 
                Federal agencies that increase risks in the supply 
                chain and developing a process to provide 
                recommendations for revisions to those processes; 
                and</DELETED>
                <DELETED>    ``(E) sharing with the private sector, to 
                the fullest extent possible, the threats identified in 
                the supply chain and working with the private sector to 
                develop responses to those threats as identified; 
                and</DELETED>
        <DELETED>    ``(3) to the extent practicable, promote the 
        ability of Federal agencies to procure commercial off the shelf 
        information and communications technology products and services 
        from a diverse pool of suppliers.</DELETED>
<DELETED>    ``(c) Implementation.--The Federal Acquisition Regulatory 
Council established under section 25(a) of the Office of Federal 
Procurement Policy Act (41 U.S.C. 421(a)) shall--</DELETED>
        <DELETED>    ``(1) amend the Federal Acquisition Regulation 
        issued under section 25 of that Act to--</DELETED>
                <DELETED>    ``(A) incorporate, where relevant, the 
                supply chain risk management strategy developed under 
                subsection (a) to improve security throughout the 
                acquisition process; and</DELETED>
                <DELETED>    ``(B) direct that all software and 
                hardware purchased by the Federal Government shall 
                comply with standards developed or be interoperable 
                with automated tools approved by the National Institute 
                of Standards and Technology, to continually enhance 
                security; and</DELETED>
        <DELETED>    ``(2) develop a clause or set of clauses for 
        inclusion in solicitations, contracts, and task and delivery 
        orders that sets forth the responsibility of the contractor 
        under the Federal Acquisition Regulation provisions implemented 
        under this subsection.''.</DELETED>

 <DELETED>TITLE III--FEDERAL INFORMATION SECURITY MANAGEMENT</DELETED>

<DELETED>SEC. 301. COORDINATION OF FEDERAL INFORMATION 
              POLICY.</DELETED>

<DELETED>    (a) Findings.--Congress finds that--</DELETED>
        <DELETED>    (1) since 2002 the Federal Government has 
        experienced multiple high-profile incidents that resulted in 
        the theft of sensitive information amounting to more than the 
        entire print collection contained in the Library of Congress, 
        including personally identifiable information, advanced 
        scientific research, and prenegotiated United States diplomatic 
        positions; and</DELETED>
        <DELETED>    (2) chapter 35 of title 44, United States Code, 
        must be amended to increase the coordination of Federal agency 
        activities and to enhance situational awareness throughout the 
        Federal Government using more effective enterprise-wide 
        automated monitoring, detection, and response 
        capabilities.</DELETED>
<DELETED>    (b) In General.--Chapter 35 of title 44, United States 
Code, is amended by striking subchapters II and III and inserting the 
following:</DELETED>

        <DELETED>``SUBCHAPTER II--INFORMATION SECURITY</DELETED>

<DELETED>``Sec. 3550. Purposes</DELETED>
<DELETED>    ``The purposes of this subchapter are to--</DELETED>
        <DELETED>    ``(1) provide a comprehensive framework for 
        ensuring the effectiveness of information security controls 
        over information resources that support the Federal information 
        infrastructure and the operations and assets of 
        agencies;</DELETED>
        <DELETED>    ``(2) recognize the highly networked nature of the 
        current Federal information infrastructure and provide 
        effective Government-wide management and oversight of the 
        related information security risks, including coordination of 
        information security efforts throughout the civilian, national 
        security, and law enforcement communities;</DELETED>
        <DELETED>    ``(3) provide for development and maintenance of 
        prioritized and risk-based security controls required to 
        protect Federal information infrastructure and information 
        systems;</DELETED>
        <DELETED>    ``(4) provide a mechanism for improved oversight 
        of Federal agency information security programs;</DELETED>
        <DELETED>    ``(5) acknowledge that commercially developed 
        information security products offer advanced, dynamic, robust, 
        and effective information security solutions, reflecting market 
        solutions for the protection of critical information 
        infrastructures important to the national defense and economic 
        security of the Nation that are designed, built, and operated 
        by the private sector; and</DELETED>
        <DELETED>    ``(6) recognize that the selection of specific 
        technical hardware and software information security solutions 
        should be left to individual agencies from among commercially 
        developed products.</DELETED>
<DELETED>``Sec. 3551. Definitions</DELETED>
<DELETED>    ``(a) In General.--Except as provided under subsection 
(b), the definitions under section 3502 shall apply to this 
subchapter.</DELETED>
<DELETED>    ``(b) Additional Definitions.--In this 
subchapter:</DELETED>
        <DELETED>    ``(1) The term `agency information 
        infrastructure'--</DELETED>
                <DELETED>    ``(A) means information infrastructure 
                that is owned, operated, controlled, or licensed for 
                use by, or on behalf of, an agency, including 
                information systems used or operated by another entity 
                on behalf of the agency; and</DELETED>
                <DELETED>    ``(B) does not include national security 
                systems.</DELETED>
        <DELETED>    ``(2) The term `automated and continuous 
        monitoring' means monitoring at a frequency and sufficiency 
        such that the data exchange requires little to no human 
        involvement and is not interrupted;</DELETED>
        <DELETED>    ``(3) The term `incident' means an occurrence 
        that--</DELETED>
                <DELETED>    ``(A) actually or potentially 
                jeopardizes--</DELETED>
                        <DELETED>    ``(i) the information security of 
                        an information system; or</DELETED>
                        <DELETED>    ``(ii) the information the system 
                        processes, stores, or transmits; or</DELETED>
                <DELETED>    ``(B) constitutes a violation or threat of 
                violation of security policies, security procedures, or 
                acceptable use policies.</DELETED>
        <DELETED>    ``(4) The term `information infrastructure' means 
        the underlying framework that information systems and assets 
        rely on to process, transmit, receive, or store information 
        electronically, including programmable electronic devices and 
        communications networks and any associated hardware, software, 
        or data.</DELETED>
        <DELETED>    ``(5) The term `information security' means 
        protecting information and information systems from disruption 
        or unauthorized access, use, disclosure, modification, or 
        destruction in order to provide--</DELETED>
                <DELETED>    ``(A) integrity, by guarding against 
                improper information modification or destruction, 
                including by ensuring information nonrepudiation and 
                authenticity;</DELETED>
                <DELETED>    ``(B) confidentiality, by preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and</DELETED>
                <DELETED>    ``(C) availability, by ensuring timely and 
                reliable access to and use of information.</DELETED>
        <DELETED>    ``(6) The term `information technology' has the 
        meaning given that term in section 11101 of title 40.</DELETED>
        <DELETED>    ``(7) The term `management controls' means 
        safeguards or countermeasures for an information system that 
        focus on the management of risk and the management of 
        information system security.</DELETED>
        <DELETED>    ``(8)(A) The term `national security system' means 
        any information system (including any telecommunications 
        system) used or operated by an agency or by a contractor of an 
        agency, or other organization on behalf of an agency--
        </DELETED>
                <DELETED>    ``(i) the function, operation, or use of 
                which--</DELETED>
                        <DELETED>    ``(I) involves intelligence 
                        activities;</DELETED>
                        <DELETED>    ``(II) involves cryptologic 
                        activities related to national 
                        security;</DELETED>
                        <DELETED>    ``(III) involves command and 
                        control of military forces;</DELETED>
                        <DELETED>    ``(IV) involves equipment that is 
                        an integral part of a weapon or weapons system; 
                        or</DELETED>
                        <DELETED>    ``(V) subject to subparagraph (B), 
                        is critical to the direct fulfillment of 
                        military or intelligence missions; or</DELETED>
                <DELETED>    ``(ii) that is protected at all times by 
                procedures established for information that have been 
                specifically authorized under criteria established by 
                an Executive order or an Act of Congress to be kept 
                classified in the interest of national defense or 
                foreign policy.</DELETED>
        <DELETED>    ``(B) Subparagraph (A)(i)(V) does not include a 
        system that is to be used for routine administrative and 
        business applications (including payroll, finance, logistics, 
        and personnel management applications).</DELETED>
        <DELETED>    ``(9) The term `operational controls' means the 
        safeguards and countermeasures for an information system that 
        are primarily implemented and executed by individuals, not 
        systems.</DELETED>
        <DELETED>    ``(10) The term `risk' means the potential for an 
        unwanted outcome resulting from an incident, as determined by 
        the likelihood of the occurrence of the incident and the 
        associated consequences, including potential for an adverse 
        outcome assessed as a function of threats, vulnerabilities, and 
        consequences associated with an incident.</DELETED>
        <DELETED>    ``(11) The term `risk-based security' means 
        security commensurate with the risk and magnitude of harm 
        resulting from the loss, misuse, or unauthorized access to, or 
        modification, of information, including assuring that systems 
        and applications used by the agency operate effectively and 
        provide appropriate confidentiality, integrity, and 
        availability.</DELETED>
        <DELETED>    ``(12) The term `security controls' means the 
        management, operational, and technical controls prescribed for 
        an information system to protect the information security of 
        the system.</DELETED>
        <DELETED>    ``(13) The term `technical controls' means the 
        safeguards or countermeasures for an information system that 
        are primarily implemented and executed by the information 
                system through mechanisms contained in the hardware, software, 
        or firmware components of the system.</DELETED>
<DELETED>``Sec. 3552. Authority and functions of the National Center 
              for Cybersecurity and Communications</DELETED>
<DELETED>    ``(a) In General.--The Director of the National Center for 
Cybersecurity and Communications shall--</DELETED>
        <DELETED>    ``(1) develop, oversee the implementation of, and 
        enforce policies, principles, and guidelines on information 
        security, including through ensuring timely agency adoption of 
        and compliance with standards developed under section 20 of the 
        National Institute of Standards and Technology Act (15 U.S.C. 
        278g-3) and subtitle E of title II of the Homeland Security Act 
        of 2002;</DELETED>
        <DELETED>    ``(2) provide to agencies security controls that 
        agencies shall be required to implement to mitigate and 
        remediate vulnerabilities, attacks, and exploitations 
        discovered as a result of activities required under this 
        subchapter or subtitle E of title II of the Homeland Security 
        Act of 2002;</DELETED>
        <DELETED>    ``(3) to the extent practicable--</DELETED>
                <DELETED>    ``(A) prioritize the policies, principles, 
                standards, and guidelines promulgated under section 20 
                of the National Institute of Standards and Technology 
                Act (15 U.S.C. 278g-3), paragraph (1), and subtitle E 
                of title II of the Homeland Security Act of 2002, based 
                upon the risk of an incident; and</DELETED>
                <DELETED>    ``(B) develop guidance that requires 
                agencies to monitor, including automated and continuous 
                monitoring of, the effective implementation of 
                policies, principles, standards, and guidelines 
                developed under section 20 of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-3), 
                paragraph (1), and subtitle E of title II of the 
                Homeland Security Act of 2002;</DELETED>
                <DELETED>    ``(C) ensure the effective operation of 
                technical capabilities within the National Center for 
                Cybersecurity and Communications to enable automated 
                and continuous monitoring of any information collected 
                as a result of the guidance developed under 
                subparagraph (B) and use the information to enhance the 
                risk-based security of the Federal information 
                infrastructure; and</DELETED>
                <DELETED>    ``(D) ensure the effective operation of a 
                secure system that satisfies information reporting 
                requirements under sections 3553(c) and 
                3556(c);</DELETED>
        <DELETED>    ``(4) require agencies, consistent with the 
        standards developed under section 20 of the National Institute 
        of Standards and Technology Act (15 U.S.C. 278g-3) or paragraph 
        (1) and the requirements of this subchapter, to identify and 
        provide information security protections commensurate with the 
        risk resulting from the disruption or unauthorized access, use, 
        disclosure, modification, or destruction of--</DELETED>
                <DELETED>    ``(A) information collected or maintained 
                by or on behalf of an agency; or</DELETED>
                <DELETED>    ``(B) information systems used or operated 
                by an agency or by a contractor of an agency or other 
                organization on behalf of an agency;</DELETED>
        <DELETED>    ``(5) oversee agency compliance with the 
        requirements of this subchapter, including coordinating with 
        the Office of Management and Budget to use any authorized 
        action under section 11303 of title 40 to enforce 
        accountability for compliance with such requirements;</DELETED>
        <DELETED>    ``(6) review, at least annually, and approve or 
        disapprove, agency information security programs required under 
        section 3553(b); and</DELETED>
        <DELETED>    ``(7) coordinate information security policies and 
        procedures with the Administrator for Electronic Government and 
        the Administrator for the Office of Information and Regulatory 
        Affairs with related information resources management policies 
        and procedures.</DELETED>
<DELETED>    ``(b) National Security Systems.--The authorities of the 
Director under this section shall not apply to national security 
systems.</DELETED>
<DELETED>``Sec. 3553. Agency responsibilities</DELETED>
<DELETED>    ``(a) In General.--The head of each agency shall--
</DELETED>
        <DELETED>    ``(1) be responsible for--</DELETED>
                <DELETED>    ``(A) providing information security 
                protections commensurate with the risk and magnitude of 
                the harm resulting from unauthorized access, use, 
                disclosure, disruption, modification, or destruction 
                of--</DELETED>
                        <DELETED>    ``(i) information collected or 
                        maintained by or on behalf of the agency; 
                        and</DELETED>
                        <DELETED>    ``(ii) agency information 
                        infrastructure;</DELETED>
                <DELETED>    ``(B) complying with the requirements of 
                this subchapter and related policies, procedures, 
                standards, and guidelines, including--</DELETED>
                        <DELETED>    ``(i) information security 
                        requirements, including security controls, 
                        developed by the Director of the National 
                        Center for Cybersecurity and Communications 
                        under section 3552, subtitle E of title II of 
                        the Homeland Security Act of 2002, or any other 
                        provision of law;</DELETED>
                        <DELETED>    ``(ii) information security 
                        policies, principles, standards, and guidelines 
                        promulgated under section 20 of the National 
                        Institute of Standards and Technology Act (15 
                        U.S.C. 278g-3) and section 
                        3552(a)(1);</DELETED>
                        <DELETED>    ``(iii) information security 
                        standards and guidelines for national security 
                        systems issued in accordance with law and as 
                        directed by the President; and</DELETED>
                        <DELETED>    ``(iv) ensuring the standards 
                        implemented for information systems and 
                        national security systems of the agency are 
                        complementary and uniform, to the extent 
                        practicable;</DELETED>
                <DELETED>    ``(C) ensuring that information security 
                management processes are integrated with agency 
                strategic and operational planning processes, including 
                policies, procedures, and practices described in 
                subsection (c)(1)(C);</DELETED>
                <DELETED>    ``(D) as appropriate, maintaining secure 
                facilities that have the capability of accessing, 
                sending, receiving, and storing classified 
                information;</DELETED>
                <DELETED>    ``(E) maintaining a sufficient number of 
                personnel with security clearances, at the appropriate 
                levels, to access, send, receive, and analyze classified 
                information to carry out the responsibilities of this 
                subchapter; and</DELETED>
                <DELETED>    ``(F) ensuring that information security 
                performance indicators and measures are included in the 
                annual performance evaluations of all managers, senior 
                managers, senior executive service personnel, and 
                political appointees;</DELETED>
        <DELETED>    ``(2) ensure that senior agency officials provide 
        information security for the information and information 
        systems that support the operations and assets under the 
        control of those officials, including through--</DELETED>
                <DELETED>    ``(A) assessing the risk and magnitude of 
                the harm that could result from the disruption or 
                unauthorized access, use, disclosure, modification, or 
                destruction of such information or information 
                systems;</DELETED>
                <DELETED>    ``(B) determining the levels of 
                information security appropriate to protect such 
                information and information systems in accordance with 
                policies, principles, standards, and guidelines 
                promulgated under section 20 of the National Institute 
                of Standards and Technology Act (15 U.S.C. 278g-3), 
                section 3552(a)(1), and subtitle E of title II of the 
                Homeland Security Act of 2002, for information security 
                categorizations and related requirements;</DELETED>
                <DELETED>    ``(C) implementing policies and procedures 
                to cost effectively reduce risks to an acceptable 
                level;</DELETED>
                <DELETED>    ``(D) periodically testing and evaluating 
                information security controls and techniques to ensure 
                that such controls and techniques are operating 
                effectively; and</DELETED>
                <DELETED>    ``(E) withholding all bonus and cash 
                awards to senior agency officials accountable for the 
                operation of such agency information infrastructure 
                that are recognized by the Chief Information Security 
                Officer as impairing the risk-based security of 
                information, information systems, or agency information 
                infrastructure;</DELETED>
        <DELETED>    ``(3) delegate to a senior agency officer 
        designated as the Chief Information Security Officer the 
        authority and budget necessary to ensure and enforce compliance 
        with the requirements imposed on the agency under this 
        subchapter, subtitle E of title II of the Homeland Security Act 
        of 2002, or any other provision of law, including--</DELETED>
                <DELETED>    ``(A) overseeing the establishment, 
                maintenance, and management of a security operations 
                center that has technical capabilities that can, 
                through automated and continuous monitoring--</DELETED>
                        <DELETED>    ``(i) detect, report, respond to, 
                        contain, remediate, and mitigate incidents that 
                        impair risk-based security of the information, 
                        information systems, and agency information 
                        infrastructure, in accordance with policy 
                        provided by the National Center for 
                        Cybersecurity and Communications;</DELETED>
                        <DELETED>    ``(ii) monitor and, on a risk-
                        based basis, mitigate and remediate the 
                        vulnerabilities of every information system 
                        within the agency information 
                        infrastructure;</DELETED>
                        <DELETED>    ``(iii) continually evaluate risks 
                        posed to information collected or maintained by 
                        or on behalf of the agency and information 
                        systems and hold senior agency officials 
                        accountable for ensuring the risk-based 
                        security of such information and information 
                        systems;</DELETED>
                        <DELETED>    ``(iv) collaborate with the 
                        National Center for Cybersecurity and 
                        Communications and appropriate public and 
                        private sector security operations centers to 
                        address incidents that impact the security of 
                        information and information systems that extend 
                        beyond the control of the agency; and</DELETED>
                        <DELETED>    ``(v) report any incident 
                        described under clauses (i) and (ii), as 
                        directed by the policy of the National Center 
                        for Cybersecurity and Communications or the 
                        Inspector General of the agency;</DELETED>
                <DELETED>    ``(B) collaborating with the Administrator 
                for E-Government and the Chief Information Officer to 
                establish, maintain, and update an enterprise network, 
                system, storage, and security architecture, that can be 
                accessed by the National Center for Cybersecurity and 
                Communications and includes--</DELETED>
                        <DELETED>    ``(i) information on how security 
                        controls are implemented throughout the agency 
                        information infrastructure; and</DELETED>
                        <DELETED>    ``(ii) information on how the 
                        controls described under subparagraph (A) 
                        maintain the appropriate level of 
                        confidentiality, integrity, and availability of 
                        information and information systems based on--
                        </DELETED>
                                <DELETED>    ``(I) the policy of the 
                                National Center for Cybersecurity and 
                                Communications; and</DELETED>
                                <DELETED>    ``(II) the standards or 
                                guidance developed by the National 
                                Institute of Standards and 
                                Technology;</DELETED>
                <DELETED>    ``(C) developing, maintaining, and 
                overseeing an agency-wide information security program 
                as required by subsection (b);</DELETED>
                <DELETED>    ``(D) developing, maintaining, and 
                overseeing information security policies, procedures, 
                and control techniques to address all applicable 
                requirements, including those issued under section 
                3552;</DELETED>
                <DELETED>    ``(E) training, consistent with the 
                requirements of section 406 of the Protecting 
                Cyberspace as a National Asset Act of 2010, and 
                overseeing personnel with significant responsibilities 
                for information security with respect to such 
                responsibilities; and</DELETED>
                <DELETED>    ``(F) assisting senior agency officers 
                concerning their responsibilities under paragraph 
                (2);</DELETED>
        <DELETED>    ``(4) ensure that the Chief Information Security 
        Officer has a sufficient number of cleared and trained 
        personnel with technical skills identified by the National 
        Center for Cybersecurity and Communications as critical to 
        maintaining the risk-based security of agency information 
        infrastructure as required by the subchapter and other 
        applicable laws;</DELETED>
        <DELETED>    ``(5) ensure that the agency Chief Information 
        Security Officer, in coordination with appropriate senior 
        agency officials, reports not less than annually to the head of 
        the agency on the effectiveness of the agency information 
        security program, including progress of remedial 
        actions;</DELETED>
        <DELETED>    ``(6) ensure that the Chief Information Security 
        Officer--</DELETED>
                <DELETED>    ``(A) possesses necessary qualifications, 
                including education, professional certifications, 
                training, experience, and the security clearance 
                required to administer the functions described under 
                this subchapter; and</DELETED>
                <DELETED>    ``(B) has information security duties as 
                the primary duty of that officer; and</DELETED>
        <DELETED>    ``(7) ensure that components of that agency 
        establish and maintain an automated reporting mechanism that 
        allows the Chief Information Security Officer with 
        responsibility for the entire agency, and all components 
        thereof, to implement, monitor, and hold senior agency officers 
        accountable for the implementation of appropriate security 
        policies, procedures, and controls of agency 
        components.</DELETED>
<DELETED>    ``(b) Agency-Wide Information Security Program.--Each 
agency shall develop, document, and implement an agency-wide 
information security program, approved by the National Center for 
Cybersecurity and Communications under section 3552(a)(6) and 
consistent with components across and within agencies, to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
provided or managed by another agency, contractor, or other source, 
that includes--</DELETED>
        <DELETED>    ``(1) frequent assessments, at least twice each 
        month--</DELETED>
                <DELETED>    ``(A) of the risk and magnitude of the 
                harm that could result from the disruption or 
                unauthorized access, use, disclosure, modification, or 
                destruction of information and information systems that 
                support the operations and assets of the agency; 
                and</DELETED>
                <DELETED>    ``(B) that assess whether information or 
                information systems should be removed or migrated to 
                more secure networks or standards and make 
                recommendations to the head of the agency and the 
                Director of the National Center for Cybersecurity and 
                Communications based on that assessment;</DELETED>
        <DELETED>    ``(2) consistent with guidance developed under 
        section 3554, vulnerability assessments and penetration tests 
        commensurate with the risk posed to an agency information 
        infrastructure;</DELETED>
        <DELETED>    ``(3) ensure that information security 
        vulnerabilities are remediated or mitigated based on the risk 
        posed to the agency;</DELETED>
        <DELETED>    ``(4) policies and procedures that--</DELETED>
                <DELETED>    ``(A) are informed and revised by the 
                assessments required under paragraphs (1) and 
                (2);</DELETED>
                <DELETED>    ``(B) cost effectively reduce information 
                security risks to an acceptable level;</DELETED>
                <DELETED>    ``(C) ensure that information security is 
                addressed throughout the life cycle of each agency 
                information system; and</DELETED>
                <DELETED>    ``(D) ensure compliance with--</DELETED>
                        <DELETED>    ``(i) the requirements of this 
                        subchapter;</DELETED>
                        <DELETED>    ``(ii) policies and procedures 
                        prescribed by the National Center for 
                        Cybersecurity and Communications;</DELETED>
                        <DELETED>    ``(iii) minimally acceptable 
                        system configuration requirements, as 
                        determined by the National Center for 
                        Cybersecurity and Communications; and</DELETED>
                        <DELETED>    ``(iv) any other applicable 
                        requirements, including standards and 
                        guidelines for national security systems issued 
                        in accordance with law and as directed by the 
                        President;</DELETED>
        <DELETED>    ``(5) subordinate plans for providing risk-based 
        information security for networks, facilities, and systems or 
        groups of information systems, as appropriate;</DELETED>
        <DELETED>    ``(6) role-based security awareness training, 
        consistent with the requirements of section 406 of the 
        Protecting Cyberspace as a National Asset Act of 2010, to 
        inform personnel with access to the agency network, including 
        contractors and other users of information systems that support 
        the operations and assets of the agency, of--</DELETED>
                <DELETED>    ``(A) information security risks 
                associated with agency activities; and</DELETED>
                <DELETED>    ``(B) agency responsibilities in complying 
                with agency policies and procedures designed to reduce 
                those risks;</DELETED>
        <DELETED>    ``(7) periodic testing and evaluation of the 
        effectiveness of information security policies, procedures, and 
        practices, to be performed with a rigor and frequency depending 
        on risk, which shall include--</DELETED>
                <DELETED>    ``(A) testing and evaluation not less than 
                twice each year of security controls of information 
                collected or maintained by or on behalf of the agency 
                and every information system identified in the 
                inventory required under section 3505(c);</DELETED>
                <DELETED>    ``(B) the effectiveness of ongoing 
                monitoring, including automated and continuous 
                monitoring, vulnerability scanning, and intrusion 
                detection and prevention of incidents posed to the 
                risk-based security of information and information 
                systems as required under subsection (a)(3); 
                and</DELETED>
                <DELETED>    ``(C) testing relied on in--</DELETED>
                        <DELETED>    ``(i) an operational evaluation 
                        under section 3554;</DELETED>
                        <DELETED>    ``(ii) an independent assessment 
                        under section 3556; or</DELETED>
                        <DELETED>    ``(iii) another evaluation, to the 
                        extent specified by the Director;</DELETED>
        <DELETED>    ``(8) a process for planning, implementing, 
        evaluating, and documenting remedial action to address any 
        deficiencies in the information security policies, procedures, 
        and practices of the agency;</DELETED>
        <DELETED>    ``(9) procedures for detecting, reporting, and 
        responding to incidents, consistent with requirements issued 
        under section 3552, that include--</DELETED>
                <DELETED>    ``(A) to the extent practicable, automated 
                and continuous monitoring of the use of information and 
                information systems;</DELETED>
                <DELETED>    ``(B) requirements for mitigating risks 
                and remediating vulnerabilities associated with such 
                incidents systemically within the agency information 
                infrastructure before substantial damage is done; 
                and</DELETED>
                <DELETED>    ``(C) notifying and coordinating with the 
                National Center for Cybersecurity and Communications, 
                as required by this subchapter, subtitle E of title II 
                of the Homeland Security Act of 2002, and any other 
                provision of law; and</DELETED>
        <DELETED>    ``(10) plans and procedures to ensure continuity 
        of operations for information systems that support the 
        operations and assets of the agency.</DELETED>
<DELETED>    ``(c) Agency Reporting.--</DELETED>
        <DELETED>    ``(1) In general.--Each agency shall--</DELETED>
                <DELETED>    ``(A) ensure that information relating to 
                the adequacy and effectiveness of information security 
                policies, procedures, and practices, is available to 
                the entities identified under paragraph (2) through the 
                system developed under section 3552(a)(3), including 
                information relating to--</DELETED>
                        <DELETED>    ``(i) compliance with the 
                        requirements of this subchapter;</DELETED>
                        <DELETED>    ``(ii) the effectiveness of the 
                        information security policies, procedures, and 
                        practices of the agency based on a 
                        determination of the aggregate effect of 
                        identified deficiencies and 
                        vulnerabilities;</DELETED>
                        <DELETED>    ``(iii) an identification and 
                        analysis of any significant deficiencies 
                        identified in such policies, procedures, and 
                        practices;</DELETED>
                        <DELETED>    ``(iv) an identification of any 
                        vulnerability that could impair the risk-based 
                        security of the agency information 
                        infrastructure; and</DELETED>
                        <DELETED>    ``(v) results of any operational 
                        evaluation conducted under section 3554 and 
                        plans of action to address the deficiencies and 
                        vulnerabilities identified as a result of such 
                        operational evaluation;</DELETED>
                <DELETED>    ``(B) follow the policy, guidance, and 
                standards of the National Center for Cybersecurity and 
                Communications, in consultation with the Federal 
                Information Security Taskforce, to continually update, 
                and ensure the electronic availability of both a 
                classified and unclassified version of the information 
                required under subparagraph (A);</DELETED>
                <DELETED>    ``(C) ensure the information under 
                subparagraph (A) addresses the adequacy and 
                effectiveness of information security policies, 
                procedures, and practices in plans and reports relating 
                to--</DELETED>
                        <DELETED>    ``(i) annual agency 
                        budgets;</DELETED>
                        <DELETED>    ``(ii) information resources 
                        management of this subchapter;</DELETED>
                        <DELETED>    ``(iii) information technology 
                        management and procurement under this chapter 
                        or any other applicable provision of 
                        law;</DELETED>
                        <DELETED>    ``(iv) subtitle E of title II of 
                        the Homeland Security Act of 2002;</DELETED>
                        <DELETED>    ``(v) program performance under 
                        sections 1105 and 1115 through 1119 of title 
                        31, and sections 2801 and 2805 of title 
                        39;</DELETED>
                        <DELETED>    ``(vi) financial management under 
                        chapter 9 of title 31, and the Chief Financial 
                        Officers Act of 1990 (31 U.S.C. 501 note; 
                        Public Law 101-576) (and the amendments made by 
                        that Act);</DELETED>
                        <DELETED>    ``(vii) financial management 
                        systems under the Federal Financial Management 
                        Improvement Act (31 U.S.C. 3512 
                        note);</DELETED>
                        <DELETED>    ``(viii) internal accounting and 
                        administrative controls under section 3512 of 
                        title 31; and</DELETED>
                        <DELETED>    ``(ix) performance ratings, 
                        salaries, and bonuses provided to the senior 
                        managers and supporting personnel taking into 
                        account program performance as it relates to 
                        complying with this subchapter; and</DELETED>
                <DELETED>    ``(D) report any significant deficiency in 
                a policy, procedure, or practice identified under 
                subparagraph (A) or (B)--</DELETED>
                        <DELETED>    ``(i) as a material weakness in 
                        reporting under section 3512 of title 31; 
                        and</DELETED>
                        <DELETED>    ``(ii) if relating to financial 
                        management systems, as an instance of a lack of 
                        substantial compliance under the Federal 
                        Financial Management Improvement Act (31 U.S.C. 
                        3512 note).</DELETED>
        <DELETED>    ``(2) Adequacy and effectiveness information.--
        Information required under paragraph (1)(A) shall, to the 
        extent possible and in accordance with applicable law, policy, 
        guidance, and standards, be available on an automated and 
        continuous basis to--</DELETED>
                <DELETED>    ``(A) the National Center for 
                Cybersecurity and Communications;</DELETED>
                <DELETED>    ``(B) the Committee on Homeland Security 
                and Governmental Affairs of the Senate;</DELETED>
                <DELETED>    ``(C) the Committee on Government 
                Oversight and Reform of the House of 
                Representatives;</DELETED>
                <DELETED>    ``(D) the Committee on Homeland Security 
                of the House of Representatives;</DELETED>
                <DELETED>    ``(E) other appropriate authorization and 
                appropriations committees of Congress;</DELETED>
                <DELETED>    ``(F) the Inspector General of the Federal 
                agency; and</DELETED>
                <DELETED>    ``(G) the Comptroller General.</DELETED>
<DELETED>    ``(d) Inclusions in Performance Plans.--</DELETED>
        <DELETED>    ``(1) In general.--In addition to the requirements 
        of subsection (c), each agency, in consultation with the 
        National Center for Cybersecurity and Communications, shall 
        include as part of the performance plan required under section 
        1115 of title 31 a description of the time periods and the 
        resources, including budget, staffing, and training, that are 
        necessary to implement the program required under subsection 
        (b).</DELETED>
        <DELETED>    ``(2) Risk assessments.--The description under 
        paragraph (1) shall be based on the risk and vulnerability 
        assessments required under subsection (b) and evaluations 
        required under section 3554.</DELETED>
<DELETED>    ``(e) Notice and Comment.--Each agency shall provide the 
public with timely notice and opportunities for comment on proposed 
information security policies and procedures to the extent that such 
policies and procedures affect communication with the public.</DELETED>
<DELETED>    ``(f) More Stringent Standards.--The head of an agency may 
employ standards for the cost effective information security for 
information systems within or under the supervision of that agency that 
are more stringent than the standards the Director of the National 
Center for Cybersecurity and Communications prescribes under this 
subchapter, subtitle E of title II of the Homeland Security Act of 
2002, or any other provision of law, if the more stringent standards--
</DELETED>
        <DELETED>    ``(1) contain at least the applicable standards 
        made compulsory and binding by the Director of the National 
        Center for Cybersecurity and Communications; and</DELETED>
        <DELETED>    ``(2) are otherwise consistent with policies and 
        guidelines issued under section 3552.</DELETED>
<DELETED>``Sec. 3554. Annual operational evaluation</DELETED>
<DELETED>    ``(a) Guidance.--</DELETED>
        <DELETED>    ``(1) In general.--Each year the National Center 
        for Cybersecurity and Communications shall oversee, coordinate, 
        and develop guidance for the effective implementation of 
        operational evaluations of the Federal information 
        infrastructure and agency information security programs and 
        practices to determine the effectiveness of such program and 
        practices.</DELETED>
        <DELETED>    ``(2) Collaboration in development.--In developing 
        guidance for the operational evaluations described under this 
        section, the National Center for Cybersecurity and 
        Communications shall collaborate with the Federal Information 
        Security Taskforce and the Council of Inspectors General on 
        Integrity and Efficiency, and other agencies as necessary, to 
        develop and update risk-based performance indicators and 
        measures that assess the adequacy and effectiveness of 
        information security of an agency and the Federal information 
        infrastructure.</DELETED>
        <DELETED>    ``(3) Contents of operational evaluation.--Each 
        operational evaluation under this section--</DELETED>
                <DELETED>    ``(A) shall be prioritized based on risk; 
                and</DELETED>
                <DELETED>    ``(B) shall--</DELETED>
                        <DELETED>    ``(i) test the effectiveness of 
                        agency information security policies, 
                        procedures, and practices of the information 
                        systems of the agency, or a representative 
                        subset of those information systems;</DELETED>
                        <DELETED>    ``(ii) assess (based on the 
                        results of the testing) compliance with--
                        </DELETED>
                                <DELETED>    ``(I) the requirements of 
                                this subchapter; and</DELETED>
                                <DELETED>    ``(II) related information 
                                security policies, procedures, 
                                standards, and guidelines;</DELETED>
                        <DELETED>    ``(iii) evaluate whether 
                        agencies--</DELETED>
                                <DELETED>    ``(I) effectively monitor, 
                                detect, analyze, protect, report, and 
                                respond to vulnerabilities and 
                                incidents;</DELETED>
                                <DELETED>    ``(II) report to and 
                                collaborate with the appropriate public 
                                and private security operation centers, 
                                the National Center for Cybersecurity 
                                and Communications, and law enforcement 
                                agencies; and</DELETED>
                                <DELETED>    ``(III) remediate or 
                                mitigate the risk posed by attacks and 
                                exploitations in a timely fashion in 
                                order to prevent future vulnerabilities 
                                and incidents; and</DELETED>
                        <DELETED>    ``(iv) identify deficiencies of 
                        agency information security policies, 
                        procedures, and controls on the agency 
                        information infrastructure.</DELETED>
<DELETED>    ``(b) Conduct an Operational Evaluation.--</DELETED>
        <DELETED>    ``(1) In general.--Except as provided under 
        paragraph (2), and in consultation with the Chief Information 
        Officer and senior officials responsible for the affected 
        systems, the Chief Information Security Officer of each agency 
        shall not less than annually--</DELETED>
                <DELETED>    ``(A) conduct an operational evaluation of 
                the agency information infrastructure for 
                vulnerabilities, attacks, and exploitations of the 
                agency information infrastructure;</DELETED>
                <DELETED>    ``(B) evaluate the ability of the agency 
                to monitor, detect, correlate, analyze, report, and 
                respond to incidents; and</DELETED>
                <DELETED>    ``(C) report to the head of the agency, 
                the National Center for Cybersecurity and 
                Communications, the Chief Information Officer, and the 
                Inspector General for the agency the findings of the 
                operational evaluation.</DELETED>
        <DELETED>    ``(2) Satisfaction of requirements by other 
        evaluation.--Unless otherwise specified by the Director of the 
        National Center for Cybersecurity and Communications, if the 
        National Center for Cybersecurity and Communications conducts 
        an operational evaluation of the agency information 
        infrastructure under section 245(b)(2)(A) of the Homeland 
        Security Act of 2002, the Chief Information Security Officer 
        may deem the requirements of paragraph (1) satisfied for the 
        year in which the operational evaluation described under this 
        paragraph is conducted.</DELETED>
<DELETED>    ``(c) Corrective Measures Mitigation and Remediation 
Plans.--</DELETED>
        <DELETED>    ``(1) In general.--In consultation with the 
        National Center for Cybersecurity and Communications and the 
        Chief Information Officer, Chief Information Security Officers 
        shall remediate or mitigate vulnerabilities in accordance with 
        this subsection.</DELETED>
        <DELETED>    ``(2) Risk-based plan.--After an operational 
        evaluation is conducted under this section or under section 
        245(b) of the Homeland Security Act of 2002, the agency shall 
        submit to the National Center for Cybersecurity and 
        Communications in a timely fashion a risk-based plan for 
        addressing recommendations and mitigating and remediating 
        vulnerabilities identified as a result of such operational 
        evaluation, including a timeline and budget for implementing 
        such plan.</DELETED>
        <DELETED>    ``(3) Approval or disapproval.--Not later than 15 
        days after receiving a plan submitted under paragraph (2), the 
        National Center for Cybersecurity and Communications shall--
        </DELETED>
                <DELETED>    ``(A) approve or disapprove the agency plan; 
                and</DELETED>
                <DELETED>    ``(B) comment on the adequacy and 
                effectiveness of the plan.</DELETED>
        <DELETED>    ``(4) Isolation from infrastructure.--</DELETED>
                <DELETED>    ``(A) In general.--The Director of the 
                National Center for Cybersecurity and Communications 
                may, consistent with the contingency or continuity of 
                operation plans applicable to such agency information 
                infrastructure, order the isolation of any component of 
                the Federal information infrastructure from any other 
                Federal information infrastructure, if--</DELETED>
                        <DELETED>    ``(i) an agency does not implement 
                        measures in a risk-based plan approved under 
                        this subsection; and</DELETED>
                        <DELETED>    ``(ii) the failure to comply 
                        presents a significant danger to the Federal 
                        information infrastructure.</DELETED>
                <DELETED>    ``(B) Duration.--An isolation under 
                subparagraph (A) shall remain in effect until--
                </DELETED>
                        <DELETED>    ``(i) the Director of the National 
                        Center for Cybersecurity and Communications 
                        determines that corrective measures have been 
                        implemented; or</DELETED>
                        <DELETED>    ``(ii) an updated risk-based plan 
                        is approved by the National Center for 
                        Cybersecurity and Communications and 
                        implemented by the agency.</DELETED>
<DELETED>    ``(d) Operational Guidance.--The Director of the National 
Center for Cybersecurity and Communications shall--</DELETED>
        <DELETED>    ``(1) not later than 180 days after the date of 
        enactment of the Protecting Cyberspace as a National Asset Act 
        of 2010, develop operational guidance for operational 
        evaluations as required under this section that are risk-based 
        and cost effective; and</DELETED>
        <DELETED>    ``(2) periodically evaluate and ensure information 
        is available on an automated and continuous basis through the 
        system required under section 3552(a)(3)(D) to Congress on--
        </DELETED>
                <DELETED>    ``(A) the adequacy and effectiveness of 
                the operational evaluations conducted under this 
                section or section 245(b) of the Homeland Security Act 
                of 2002; and</DELETED>
                <DELETED>    ``(B) possible executive and legislative 
                actions for cost-effectively managing the risks to the 
                Federal information infrastructure.</DELETED>
<DELETED>``Sec. 3555. Federal Information Security Taskforce</DELETED>
<DELETED>    ``(a) Establishment.--There is established in the 
executive branch a Federal Information Security Taskforce.</DELETED>
<DELETED>    ``(b) Membership.--The members of the Federal Information 
Security Taskforce shall be full-time senior Government employees and 
shall be as follows:</DELETED>
        <DELETED>    ``(1) The Director of the National Center for 
        Cybersecurity and Communications.</DELETED>
        <DELETED>    ``(2) The Administrator of the Office of 
        Electronic Government of the Office of Management and 
        Budget.</DELETED>
        <DELETED>    ``(3) The Chief Information Security Officer of 
        each agency described under section 901(b) of title 
        31.</DELETED>
        <DELETED>    ``(4) The Chief Information Security Officer of 
        the Department of the Army, the Department of the Navy, and the 
        Department of the Air Force.</DELETED>
        <DELETED>    ``(5) A representative from the Office of 
        Cyberspace Policy.</DELETED>
        <DELETED>    ``(6) A representative from the Office of the 
        Director of National Intelligence.</DELETED>
        <DELETED>    ``(7) A representative from the United States 
        Cyber Command.</DELETED>
        <DELETED>    ``(8) A representative from the National Security 
        Agency.</DELETED>
        <DELETED>    ``(9) A representative from the United States 
        Computer Emergency Readiness Team.</DELETED>
        <DELETED>    ``(10) A representative from the Intelligence 
        Community Incident Response Center.</DELETED>
        <DELETED>    ``(11) A representative from the Committee on 
        National Security Systems.</DELETED>
        <DELETED>    ``(12) A representative from the National 
        Institute for Standards and Technology.</DELETED>
        <DELETED>    ``(13) A representative from the Council of 
        Inspectors General on Integrity and Efficiency.</DELETED>
        <DELETED>    ``(14) A representative from State and local 
        government.</DELETED>
        <DELETED>    ``(15) Any other officer or employee of the United 
        States designated by the chairperson.</DELETED>
<DELETED>    ``(c) Chairperson and Vice-Chairperson.--</DELETED>
        <DELETED>    ``(1) Chairperson.--The Director of the National 
        Center for Cybersecurity and Communications shall act as 
        chairperson of the Federal Information Security 
        Taskforce.</DELETED>
        <DELETED>    ``(2) Vice-chairperson.--The vice chairperson of 
        the Federal Information Security Taskforce shall--</DELETED>
                <DELETED>    ``(A) be selected by the Federal 
                Information Security Taskforce from among its 
                members;</DELETED>
                <DELETED>    ``(B) serve a 1-year term and may serve 
                multiple terms; and</DELETED>
                <DELETED>    ``(C) serve as a liaison to the Chief 
                Information Officer, Council of the Inspectors General 
                on Integrity and Efficiency, Committee on National 
                Security Systems, and other councils or committees as 
                appointed by the chairperson.</DELETED>
<DELETED>    ``(d) Functions.--The Federal Information Security 
Taskforce shall--</DELETED>
        <DELETED>    ``(1) be the principal interagency forum for 
        collaboration regarding best practices and recommendations for 
        agency information security and the security of the Federal 
        information infrastructure;</DELETED>
        <DELETED>    ``(2) assist in the development of and annually 
        evaluate guidance to fulfill the requirements under sections 
        3554 and 3556;</DELETED>
        <DELETED>    ``(3) share experiences and innovative approaches 
        relating to threats against the Federal information 
        infrastructure, information sharing and information security 
        best practices, penetration testing regimes, and incident 
        response, mitigation, and remediation;</DELETED>
        <DELETED>    ``(4) promote the development and use of standard 
        performance indicators and measures for agency information 
        security that--</DELETED>
                <DELETED>    ``(A) are outcome-based;</DELETED>
                <DELETED>    ``(B) focus on risk management;</DELETED>
                <DELETED>    ``(C) align with the business and program 
                goals of the agency;</DELETED>
                <DELETED>    ``(D) measure improvements in the agency 
                security posture over time; and</DELETED>
                <DELETED>    ``(E) reduce burdensome and efficient 
                performance indicators and measures;</DELETED>
        <DELETED>    ``(5) recommend to the Office of Personnel 
        Management the necessary qualifications to be established for 
        Chief Information Security Officers to be capable of 
        administering the functions described under this subchapter 
        including education, training, and experience;</DELETED>
        <DELETED>    ``(6) enhance information system processes by 
        establishing a prioritized baseline of information security 
        measures and controls that can be continuously monitored 
        through automated mechanisms;</DELETED>
        <DELETED>    ``(7) evaluate the effectiveness and efficiency of 
        any reporting and compliance requirements that are required by 
        law related to the information security of Federal information 
        infrastructure; and</DELETED>
        <DELETED>    ``(8) submit proposed enhancements developed under 
        paragraphs (1) through (7) to the Director of the National 
        Center for Cybersecurity and Communications.</DELETED>
<DELETED>    ``(e) Termination.--</DELETED>
        <DELETED>    ``(1) In general.--Except as provided under 
        paragraph (2), the Federal Information Security Taskforce shall 
        terminate 4 years after the date of enactment of the Protecting 
        Cyberspace as a National Asset Act of 2010.</DELETED>
        <DELETED>    ``(2) Extension.--The President may--</DELETED>
                <DELETED>    ``(A) extend the Federal Information 
                Security Taskforce by executive order; and</DELETED>
                <DELETED>    ``(B) make more than 1 extension under 
                this paragraph for any period as the President may 
                determine.</DELETED>
<DELETED>``Sec. 3556. Independent Assessments</DELETED>
<DELETED>    ``(a) In General.--</DELETED>
        <DELETED>    ``(1) Inspectors general assessments.--Not less 
        than every 2 years, each agency with an Inspector General 
        appointed under the Inspector General Act of 1978 (5 U.S.C. 
        App.) shall assess the adequacy and effectiveness of the 
        information security program developed under section 3553(b) 
        and (c), and evaluations conducted under section 
        3554.</DELETED>
        <DELETED>    ``(2) Independent assessments.--For each agency to 
        which paragraph (1) does not apply, the head of the agency 
        shall engage an independent external auditor to perform the 
        assessment.</DELETED>
<DELETED>    ``(b) Existing Assessments.--The assessments required by 
this section may be based in whole or in part on an audit, evaluation, 
or report relating to programs or practices of the applicable 
agency.</DELETED>
<DELETED>    ``(c) Inspectors General Reporting.--Inspectors General 
shall ensure information obtained as a result of the assessment 
required under this section, or any other relevant information, is 
available through the system required under section 3552(a)(3)(D) to 
Congress and the National Center for Cybersecurity and 
Communications.</DELETED>
<DELETED>``Sec. 3557. Protection of Information</DELETED>
<DELETED>    ``In complying with this subchapter, agencies, evaluators, 
and Inspectors General shall take appropriate actions to ensure the 
protection of information which, if disclosed, may adversely affect 
information security. Protections under this chapter shall be 
commensurate with the risk and comply with all applicable laws and 
regulations.''.</DELETED>
<DELETED>    (c) Technical and Conforming Amendments.--</DELETED>
        <DELETED>    (1) Table of sections.--The table of sections for 
        chapter 35 of title 44, United States Code, is amended by 
        striking the matter relating to subchapters II and III and 
        inserting the following:</DELETED>

            <DELETED> ``subchapter ii--information security

<DELETED>``3550. Purposes.
<DELETED>``3551. Definitions.
<DELETED>``3552. Authority and functions of the National Center for 
                            Cybersecurity and Communications.
<DELETED>``3553. Agency responsibilities.
<DELETED>``3554. Annual operational evaluation.
<DELETED>``3555. Federal Information Security Taskforce.
<DELETED>``3556. Independent assessments.
<DELETED>``3557. Protection of information.''.
        <DELETED>    (2) Other references.--</DELETED>
                <DELETED>    (A) Section 1001(c)(1)(A) of the Homeland 
                Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended 
                by striking ``section 3532(3)'' and inserting ``section 
                3551(b)''.</DELETED>
                <DELETED>    (B) Section 2222(j)(6) of title 10, United 
                States Code, is amended by striking ``section 
                3542(b)(2))'' and inserting ``section 
                3551(b)''.</DELETED>
                <DELETED>    (C) Section 2223(c)(3) of title 10, United 
                States Code, is amended, by striking ``section 
                3542(b)(2))'' and inserting ``section 
                3551(b)''.</DELETED>
                <DELETED>    (D) Section 2315 of title 10, United 
                States Code, is amended by striking ``section 
                3542(b)(2))'' and inserting ``section 
                3551(b)''.</DELETED>
                <DELETED>    (E) Section 20(a)(2) of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-3) is amended by striking ``section 3532(b)(2)'' 
                and inserting ``section 3551(b)''.</DELETED>
                <DELETED>    (F) Section 21(b)(2) of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-4(b)(2)) is amended by striking ``Institute and'' 
                and inserting ``Institute, the Director of the National 
                Center on Cybersecurity and Communications, 
                and''.</DELETED>
                <DELETED>    (G) Section 21(b)(3) of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-4(b)(3)) is amended by inserting ``the Director of 
                the National Center on Cybersecurity and 
                Communications,'' after ``the Director of the National 
                Security Agency,''.</DELETED>
                <DELETED>    (H) Section 8(d)(1) of the Cyber Security 
                Research and Development Act (15 U.S.C. 7406(d)(1)) is 
                amended by striking ``section 3534(b)'' and inserting 
                ``section 3553(b)''.</DELETED>
        <DELETED>    (3) Homeland security act of 2002.--</DELETED>
                <DELETED>    (A) Title x.--The Homeland Security Act of 
                2002 (6 U.S.C. 101 et seq.) is amended by striking 
                title X.</DELETED>
                <DELETED>    (B) Table of contents.--The table of 
                contents in section 1(b) of the Homeland Security Act 
                of 2002 (6 U.S.C. 101 et seq.) is amended by striking 
                the matter relating to title X.</DELETED>
<DELETED>    (d) Repeal of Other Standards.--</DELETED>
        <DELETED>    (1) In general.--Section 11331 of title 40, United 
        States Code, is repealed.</DELETED>
        <DELETED>    (2) Technical and conforming amendments.--
        </DELETED>
                <DELETED>    (A) Section 20(c)(3) of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-3(c)(3)) is amended by striking ``under section 
                11331 of title 40, United States Code''.</DELETED>
                <DELETED>    (B) Section 20(d)(1) of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-3(d)(1)) is amended by striking ``the Director of 
                the Office of Management and Budget for promulgation 
                under section 11331 of title 40, United States Code'' 
                and inserting ``the Secretary of Commerce for 
                promulgation''.</DELETED>
                <DELETED>    (C) Section 11302(d) of title 40, United 
                States Code, is amended by striking ``under section 
                11331 of this title and''.</DELETED>
                <DELETED>    (D) Section 1874A(e)(2)(A)(ii) of the 
                Social Security Act (42 U.S.C. 1395kk-1(e)(2)(A)(ii)) 
                is amended by striking ``section 11331 of title 40, 
                United States Code'' and inserting ``section 3552 of 
                title 44, United States Code''.</DELETED>
                <DELETED>    (E) Section 3504(g)(2) of title 44, United 
                States Code, is amended by striking ``section 11331 of 
                title 40'' and inserting ``section 3552 of title 
                44''.</DELETED>
                <DELETED>    (F) Section 3504(h)(1) of title 44, United 
                States Code, is amended by inserting ``, the Director 
                of the National Center for Cybersecurity and 
                Communications,'' after ``the National Institute of 
                Standards and Technology''.</DELETED>
                <DELETED>    (G) Section 3504(h)(1)(B) of title 44, 
                United States Code, is amended by striking ``under 
                section 11331 of title 40'' and inserting ``section 
                3552 of title 44''.</DELETED>
                <DELETED>    (H) Section 3518(d) of title 44, United 
                States Code, is amended by striking ``sections 11331 
                and 11332'' and inserting ``section 11332''.</DELETED>
                <DELETED>    (I) Section 3602(f)(8) of title 44, United 
                States Code, is amended by striking ``under section 
                11331 of title 40''.</DELETED>
                <DELETED>    (J) Section 3603(f)(5) of title 44, United 
                States Code, is amended by striking ``and promulgated 
                under section 11331 of title 40,''.</DELETED>

 <DELETED>TITLE IV--RECRUITMENT AND PROFESSIONAL DEVELOPMENT</DELETED>

<DELETED>SEC. 401. DEFINITIONS.</DELETED>

<DELETED>    In this title:</DELETED>
        <DELETED>    (1) Cybersecurity mission.--The term 
        ``cybersecurity mission'' means the activities of the Federal 
        Government that encompass the full range of threat reduction, 
        vulnerability reduction, deterrence, international engagement, 
        incident response, resiliency, and recovery policies and 
        activities, including computer network operations, information 
        assurance, law enforcement, diplomacy, military, and 
        intelligence missions as such activities relate to the security 
        and stability of cyberspace.</DELETED>
        <DELETED>    (2) Federal agency's cybersecurity mission.--The 
        term ``Federal agency's cybersecurity mission'' means, with 
        respect to any Federal agency, the portion of the cybersecurity 
        mission that is the responsibility of the Federal 
        agency.</DELETED>

<DELETED>SEC. 402. ASSESSMENT OF CYBERSECURITY WORKFORCE.</DELETED>

<DELETED>    (a) In General.--The Director of the Office of Personnel 
Management and the Director shall assess the readiness and capacity of 
the Federal workforce to meet the needs of the cybersecurity mission of 
the Federal Government.</DELETED>
<DELETED>    (b) Strategy.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date of enactment of this Act, the Director of the Office of 
        Personnel Management shall develop and implement a 
        comprehensive workforce strategy that enhances the readiness, 
        capacity, training, and recruitment and retention of Federal 
        cybersecurity personnel.</DELETED>
        <DELETED>    (2) Contents.--The strategy developed under 
        paragraph (1) shall include--</DELETED>
                <DELETED>    (A) a 5-year plan on recruitment of 
                personnel for the Federal workforce; and</DELETED>
                <DELETED>    (B) 10-year and 20-year projections of 
                workforce needs.</DELETED>

<DELETED>SEC. 403. STRATEGIC CYBERSECURITY WORKFORCE 
              PLANNING.</DELETED>

<DELETED>    (a) Federal Agency Development of Strategic Cybersecurity 
Workforce Plans.--Not later than 180 days after the date of enactment 
of this Act and in every subsequent year, the head of each Federal 
agency shall develop a strategic cybersecurity workforce plan as part 
of the Federal agency performance plan required under section 1115 of 
title 31, United States Code.</DELETED>
<DELETED>    (b) Interagency Coordination.--Each Federal agency shall 
develop a plan prepared under subsection (a)--</DELETED>
        <DELETED>    (1) on the basis of the assessment developed under 
        section 402 and any subsequent guidance from the Director of 
        the Office of Personnel Management and the Director; 
        and</DELETED>
        <DELETED>    (2) in consultation with the Director and the 
        Director of the Office of Management and Budget.</DELETED>
<DELETED>    (c) Contents of the Plan.--</DELETED>
        <DELETED>    (1) In general.--Each plan prepared under 
        subsection (a) shall include--</DELETED>
                <DELETED>    (A) a description of the Federal agency's 
                cybersecurity mission;</DELETED>
                <DELETED>    (B) subject to paragraph (2), a 
                description and analysis, relating to the specialized 
                workforce needed by the Federal agency to fulfill the 
                Federal agency's cybersecurity mission, including--
                </DELETED>
                        <DELETED>    (i) the workforce needs of the 
                        Federal agency on the date of the report, and 
                        10-year and 20-year projections of workforce 
                        needs;</DELETED>
                        <DELETED>    (ii) hiring projections to meet 
                        workforce needs, including, for at least a 2-
                        year period, specific occupation and grade 
                        levels;</DELETED>
                        <DELETED>    (iii) long-term and short-term 
                        strategic goals to address critical skills 
                        deficiencies, including analysis of the numbers 
                        of and reasons for attrition of 
                        employees;</DELETED>
                        <DELETED>    (iv) recruitment strategies, 
                        including the use of student internships, part-
                        time employment, student loan reimbursement, 
                        and telework, to attract highly qualified 
                        candidates from diverse backgrounds and 
                        geographic locations;</DELETED>
                        <DELETED>    (v) an assessment of the sources 
                        and availability of individuals with needed 
                        expertise;</DELETED>
                        <DELETED>    (vi) ways to streamline the hiring 
                        process;</DELETED>
                        <DELETED>    (vii) the barriers to recruiting 
                        and hiring individuals qualified in 
                        cybersecurity and recommendations to overcome 
                        the barriers; and</DELETED>
                        <DELETED>    (viii) a training and development 
                        plan, consistent with the curriculum developed 
                        under section 406, to enhance and improve the 
                        knowledge of employees.</DELETED>
        <DELETED>    (2) Federal agencies with small specialized 
        workforce.--In accordance with guidance provided by the 
        Director of the Office of Personnel Management, a Federal 
        agency that needs only a small specialized workforce to fulfill 
        the Federal agency's cybersecurity mission may present the 
        workforce plan components referred to in paragraph (1)(B) as 
        part of the Federal agency performance plan required under 
        section 1115 of title 31, United States Code.</DELETED>

<DELETED>SEC. 404. CYBERSECURITY OCCUPATION CLASSIFICATIONS.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, the Director of the Office of Personnel 
Management, in coordination with the Director, shall develop and issue 
comprehensive occupation classifications for Federal employees engaged 
in cybersecurity missions.</DELETED>
<DELETED>    (b) Applicability of Classifications.--The Director of the 
Office of Personnel Management shall ensure that the comprehensive 
occupation classifications issued under subsection (a) may be used 
throughout the Federal Government.</DELETED>

<DELETED>SEC. 405. MEASURES OF CYBERSECURITY HIRING 
              EFFECTIVENESS.</DELETED>

<DELETED>    (a) In General.--The head of each Federal agency shall 
measure, and collect information on, indicators of the effectiveness of 
the recruitment and hiring by the Federal agency of a workforce needed 
to fulfill the Federal agency's cybersecurity mission.</DELETED>
<DELETED>    (b) Types of Information.--The indicators of effectiveness 
measured and subject to collection of information under subsection (a) 
shall include indicators with respect to the following:</DELETED>
        <DELETED>    (1) Recruiting and hiring.--In relation to 
        recruiting and hiring by the Federal agency--</DELETED>
                <DELETED>    (A) the ability to reach and recruit well-
                qualified individuals from diverse talent 
                pools;</DELETED>
                <DELETED>    (B) the use and impact of special hiring 
                authorities and flexibilities to recruit the most 
                qualified applicants, including the use of student 
                internship and scholarship programs for permanent 
                hires;</DELETED>
                <DELETED>    (C) the use and impact of special hiring 
                authorities and flexibilities to recruit diverse 
                candidates, including criteria such as the veteran 
                status, race, ethnicity, gender, disability, or 
                national origin of the candidates; and</DELETED>
                <DELETED>    (D) the educational level, and source of 
                applicants.</DELETED>
        <DELETED>    (2) Supervisors.--In relation to the supervisors 
        of the positions being filled--</DELETED>
                <DELETED>    (A) satisfaction with the quality of the 
                applicants interviewed and hired;</DELETED>
                <DELETED>    (B) satisfaction with the match between 
                the skills of the individuals and the needs of the 
                Federal agency;</DELETED>
                <DELETED>    (C) satisfaction of the supervisors with 
                the hiring process and hiring outcomes;</DELETED>
                <DELETED>    (D) whether any mission-critical 
                deficiencies were addressed by the individuals and the 
                connection between the deficiencies and the performance 
                of the Federal agency; and</DELETED>
                <DELETED>    (E) the satisfaction of the supervisors 
                with the period of time elapsed to fill the 
                positions.</DELETED>
        <DELETED>    (3) Applicants.--The satisfaction of applicants 
        with the hiring process, including clarity of job 
        announcements, any reasons for withdrawal of an application, 
        the user-friendliness of the application process, communication 
        regarding status of applications, and the timeliness of offers 
        of employment.</DELETED>
        <DELETED>    (4) Hired individuals.--In relation to the 
        individuals hired--</DELETED>
                <DELETED>    (A) satisfaction with the hiring 
                process;</DELETED>
                <DELETED>    (B) satisfaction with the process of 
                starting employment in the position for which the 
                individual was hired;</DELETED>
                <DELETED>    (C) attrition; and</DELETED>
                <DELETED>    (D) the results of exit 
                interviews.</DELETED>
<DELETED>    (c) Reports.--</DELETED>
        <DELETED>    (1) In general.--The head of each Federal agency 
        shall submit the information collected under this section to 
        the Director of the Office of Personnel Management on an annual 
        basis and in accordance with the regulations issued under 
        subsection (d).</DELETED>
        <DELETED>    (2) Availability of recruiting and hiring 
        information.--</DELETED>
                <DELETED>    (A) In general.--The Director of the 
                Office of Personnel Management shall prepare an annual 
                report containing the information received under 
                paragraph (1) in a consistent format to allow for a 
                comparison of hiring effectiveness and experience 
                across demographic groups and Federal 
                agencies.</DELETED>
                <DELETED>    (B) Submission.--The Director of the 
                Office of Personnel Management shall--</DELETED>
                        <DELETED>    (i) not later than 90 days after 
                        the receipt of all information required to be 
                        submitted under paragraph (1), make the report 
                        prepared under subparagraph (A) publicly 
                        available, including on the website of the 
                        Office of Personnel Management; and</DELETED>
                        <DELETED>    (ii) before the date on which the 
                        report prepared under subparagraph (A) is made 
                        publicly available, submit the report to 
                        Congress.</DELETED>
<DELETED>    (d) Regulations.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date of enactment of this Act, the Director of the Office of 
        Personnel Management shall issue regulations establishing the 
        methodology, timing, and reporting of the data required to be 
        submitted under this section.</DELETED>
        <DELETED>    (2) Scope and detail of required information.--The 
        regulations under paragraph (1) shall delimit the scope and 
        detail of the information that a Federal agency is required to 
        collect and submit under this section, taking account of the 
        size and complexity of the workforce that the Federal agency 
        needs to fulfill the Federal agency's cybersecurity 
        mission.</DELETED>

<DELETED>SEC. 406. TRAINING AND EDUCATION.</DELETED>

<DELETED>    (a) Training.--</DELETED>
        <DELETED>    (1) Federal government employees and federal 
        contractors.--The Director of the Office of Personnel 
        Management, in conjunction with the Director of the National 
        Center for Cybersecurity and Communications, the Director of 
        National Intelligence, the Secretary of Defense, and the Chief 
        Information Officers Council established under section 3603 of 
        title 44, United States Code, shall establish a cybersecurity 
        awareness and education curriculum that shall be required for 
        all Federal employees and contractors engaged in the design, 
        development, or operation of agency information infrastructure, 
        as defined under section 3551 of title 44, United States 
        Code.</DELETED>
        <DELETED>    (2) Contents.--The curriculum established under 
        paragraph (1) may include--</DELETED>
                <DELETED>    (A) role-based security awareness 
                training;</DELETED>
                <DELETED>    (B) recommended cybersecurity 
                practices;</DELETED>
                <DELETED>    (C) cybersecurity recommendations for 
                traveling abroad;</DELETED>
                <DELETED>    (D) unclassified counterintelligence 
                information;</DELETED>
                <DELETED>    (E) information regarding industrial 
                espionage;</DELETED>
                <DELETED>    (F) information regarding malicious 
                activity online;</DELETED>
                <DELETED>    (G) information regarding cybersecurity 
                and law enforcement;</DELETED>
                <DELETED>    (H) identity management 
                information;</DELETED>
                <DELETED>    (I) information regarding supply chain 
                security;</DELETED>
                <DELETED>    (J) information security risks associated 
                with the activities of Federal employees; and</DELETED>
                <DELETED>    (K) the responsibilities of Federal 
                employees in complying with policies and procedures 
                designed to reduce information security risks 
                identified under subparagraph (J).</DELETED>
        <DELETED>    (3) Federal cybersecurity professionals.--The 
        Director of the Office of Personnel Management in conjunction 
        with the Director of the National Center for Cybersecurity and 
        Communications, the Director of National Intelligence, the 
        Secretary of Defense, the Director of the Office of Management 
        and Budget, and, as appropriate, colleges, universities, and 
        nonprofit organizations with cybersecurity training expertise, 
        shall develop a program, to provide training to improve and 
        enhance the skills and capabilities of Federal employees 
        engaged in the cybersecurity mission, including training 
        specific to the acquisition workforce.</DELETED>
        <DELETED>    (4) Heads of federal agencies.--Not later than 30 
        days after the date on which an individual is appointed to a 
        position at level I or II of the Executive Schedule, the 
        Director of the National Center for Cybersecurity and 
        Communications and the Director of National Intelligence, or 
        their designees, shall provide that individual with a 
        cybersecurity threat briefing.</DELETED>
        <DELETED>    (5) Certification.--The head of each Federal 
        agency shall include in the annual report required under 
        section 3553(c) of title 44, United States Code, a 
        certification regarding whether all officers, employees, and 
        contractors of the Federal agency have completed the training 
        required under this subsection.</DELETED>
<DELETED>    (b) Education.--</DELETED>
        <DELETED>    (1) Federal employees.--The Director of the Office 
        of Personnel Management, in coordination with the Secretary of 
        Education, the Director of the National Science Foundation, and 
        the Director, shall develop and implement a strategy to provide 
        Federal employees who work in cybersecurity missions with the 
        opportunity to obtain additional education.</DELETED>
        <DELETED>    (2) K through 12.--The Secretary of Education, in 
        coordination with the Director of the National Center for 
        Cybersecurity and Communications and State and local 
        governments, shall develop curriculum standards, guidelines, 
        and recommended courses to address cyber safety, cybersecurity, 
        and cyber ethics for students in kindergarten through grade 
        12.</DELETED>
        <DELETED>    (3) Undergraduate, graduate, vocational, and 
        technical institutions.--</DELETED>
                <DELETED>    (A) Secretary of education.--The Secretary 
                of Education, in coordination with the Director of the 
                National Center for Cybersecurity and Communications, 
                shall--</DELETED>
                        <DELETED>    (i) develop curriculum standards 
                        and guidelines to address cyber safety, 
                        cybersecurity, and cyber ethics for all 
                        students enrolled in undergraduate, graduate, 
                        vocational, and technical institutions in the 
                        United States; and</DELETED>
                        <DELETED>    (ii) analyze and develop 
                        recommended courses for students interested in 
                        pursuing careers in information technology, 
                        communications, computer science, engineering, 
                        math, and science, as those subjects relate to 
                        cybersecurity.</DELETED>
                <DELETED>    (B) Office of personnel management.--The 
                Director of the Office of Personnel Management, in 
                coordination with the Director, shall develop 
                strategies and programs--</DELETED>
                        <DELETED>    (i) to recruit students from 
                        undergraduate, graduate, vocational, and 
                        technical institutions in the United States to 
                        serve as Federal employees engaged in cyber 
                        missions; and</DELETED>
                        <DELETED>    (ii) that provide internship and 
                        part-time work opportunities with the Federal 
                        Government for students at the undergraduate, 
                        graduate, vocational, and technical 
                        institutions in the United States.</DELETED>
<DELETED>    (c) Cyber Talent Competitions and Challenges.--</DELETED>
        <DELETED>    (1) In general.--The Director of the National 
        Center for Cybersecurity and Communications shall establish a 
        program to ensure the effective operation of national and 
        statewide competitions and challenges that seek to identify, 
        develop, and recruit talented individuals to work in Federal 
        agencies, State and local government agencies, and the private 
        sector to perform duties relating to the security of the 
        Federal information infrastructure or the national information 
        infrastructure.</DELETED>
        <DELETED>    (2) Groups and individuals.--The program under 
        this subsection shall include--</DELETED>
                <DELETED>    (A) high school students;</DELETED>
                <DELETED>    (B) undergraduate students;</DELETED>
                <DELETED>    (C) graduate students;</DELETED>
                <DELETED>    (D) academic and research 
                institutions;</DELETED>
                <DELETED>    (E) veterans; and</DELETED>
                <DELETED>    (F) other groups or individuals as the 
                Director may determine.</DELETED>
        <DELETED>    (3) Support of other competitions and 
        challenges.--The program under this subsection may support 
        other competitions and challenges not established under this 
        subsection through affiliation and cooperative agreements 
        with--</DELETED>
                <DELETED>    (A) Federal agencies;</DELETED>
                <DELETED>    (B) regional, State, or community school 
                programs supporting the development of cyber 
                professionals; or</DELETED>
                <DELETED>    (C) other private sector 
                organizations.</DELETED>
        <DELETED>    (4) Areas of talent.--The program under this 
        subsection shall seek to identify, develop, and recruit 
        exceptional talent relating to--</DELETED>
                <DELETED>    (A) ethical hacking;</DELETED>
                <DELETED>    (B) penetration testing;</DELETED>
                <DELETED>    (C) vulnerability assessment;</DELETED>
                <DELETED>    (D) continuity of system 
                operations;</DELETED>
                <DELETED>    (E) cyber forensics; and</DELETED>
                <DELETED>    (F) offensive and defensive cyber 
                operations.</DELETED>

<DELETED>SEC. 407. CYBERSECURITY INCENTIVES.</DELETED>

<DELETED>    (a) Awards.--In making cash awards under chapter 45 of 
title 5, United States Code, the President or the head of a Federal 
agency, in consultation with the Director, shall consider the success 
of an employee in fulfilling the objectives of the National Strategy, 
in a manner consistent with any policies, guidelines, procedures, 
instructions, or standards established by the President.</DELETED>
<DELETED>    (b) Other Incentives.--The head of each Federal agency 
shall adopt best practices, developed by the Director of the National 
Center for Cybersecurity and Communications and the Office of 
Management and Budget, regarding effective ways to educate and motivate 
employees of the Federal Government to demonstrate leadership in 
cybersecurity, including--</DELETED>
        <DELETED>    (1) promotions and other nonmonetary awards; 
        and</DELETED>
        <DELETED>    (2) publicizing information sharing 
        accomplishments by individual employees and, if appropriate, 
        the tangible benefits that resulted.</DELETED>

<DELETED>SEC. 408. RECRUITMENT AND RETENTION PROGRAM FOR THE NATIONAL 
              CENTER FOR CYBERSECURITY AND COMMUNICATIONS.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Center.--The term ``Center'' means the 
        National Center for Cybersecurity and Communications.</DELETED>
        <DELETED>    (2) Department.--The term ``Department'' means the 
        Department of Homeland Security.</DELETED>
        <DELETED>    (3) Director.--The term ``Director'' means the 
        Director of the Center.</DELETED>
        <DELETED>    (4) Entry level position.--The term ``entry level 
        position'' means a position that--</DELETED>
                <DELETED>    (A) is established by the Director in the 
                Center; and</DELETED>
                <DELETED>    (B) is classified at GS-7, GS-8, or GS-9 
                of the General Schedule.</DELETED>
        <DELETED>    (5) Secretary.--The term ``Secretary'' means the 
        Secretary of Homeland Security.</DELETED>
        <DELETED>    (6) Senior position.--The term ``senior position'' 
        means a position that--</DELETED>
                <DELETED>    (A) is established by the Director in the 
                Center; and</DELETED>
                <DELETED>    (B) is not established under section 5108 
                of title 5, United States Code, but is similar in 
                duties and responsibilities to positions established 
                under that section.</DELETED>
<DELETED>    (b) Recruitment and Retention Program.--</DELETED>
        <DELETED>    (1) Establishment.--The Director may establish a 
        program to assist in the recruitment and retention of highly 
        skilled personnel to carry out the functions of the 
        Center.</DELETED>
        <DELETED>    (2) Consultation and considerations.--In 
        establishing a program under this section, the Director shall--
        </DELETED>
                <DELETED>    (A) consult with the Secretary; 
                and</DELETED>
                <DELETED>    (B) consider--</DELETED>
                        <DELETED>    (i) national and local employment 
                        trends;</DELETED>
                        <DELETED>    (ii) the availability and quality 
                        of candidates;</DELETED>
                        <DELETED>    (iii) any specialized education or 
                        certifications required for 
                        positions;</DELETED>
                        <DELETED>    (iv) whether there is a shortage 
                        of certain skills; and</DELETED>
                        <DELETED>    (v) such other factors as the 
                        Director determines appropriate.</DELETED>
<DELETED>    (c) Hiring and Special Pay Authorities.--</DELETED>
        <DELETED>    (1) Direct hire authority.--Without regard to the 
        civil service laws (other than sections 3303 and 3328 of title 
        5, United States Code), the Director may appoint not more than 
        500 employees under this subsection to carry out the functions 
        of the Center.</DELETED>
        <DELETED>    (2) Rates of pay.--</DELETED>
                <DELETED>    (A) Entry level positions.--The Director 
                may fix the pay of the employees appointed to entry 
                level positions under this subsection without regard to 
                chapter 51 and subchapter III of chapter 53 of title 5, 
                United States Code, relating to classification of 
                positions and General Schedule pay rates, except that 
                the rate of pay for any such employee may not exceed 
                the maximum rate of basic pay payable for a position at 
                GS-10 of the General Schedule while that employee is in 
                an entry level position.</DELETED>
                <DELETED>    (B) Senior positions.--</DELETED>
                        <DELETED>    (i) In general.--The Director may 
                        fix the pay of the employees appointed to 
                        senior positions under this subsection without 
                        regard to chapter 51 and subchapter III of 
                        chapter 53 of title 5, United States Code, 
                        relating to classification of positions and 
                        General Schedule pay rates, except that the 
                        rate of pay for any such employee may not 
                        exceed the maximum rate of basic pay payable 
                        under section 5376 of title 5, United States 
                        Code.</DELETED>
                        <DELETED>    (ii) Higher maximum rates.--
                        </DELETED>
                                <DELETED>    (I) In general.--
                                Notwithstanding the limitation on rates 
                                of pay under clause (i)--</DELETED>
                                        <DELETED>    (aa) not more than 
                                        20 employees, identified by the 
                                        Director, may be paid at a rate 
                                        of pay not to exceed the 
                                        maximum rate of basic pay 
                                        payable for a position at level 
                                        I of the Executive Schedule 
                                        under section 5312 of title 5, 
                                        United States Code; 
                                        and</DELETED>
                                        <DELETED>    (bb) not more than 
                                        5 employees, identified by the 
                                        Director with the approval of 
                                        the Secretary, may be paid at a 
                                        rate of pay not to exceed the 
                                        maximum rate of basic pay 
                                        payable for the Vice President 
                                        under section 104 of title 3, 
                                        United States Code.</DELETED>
                                <DELETED>    (II) Nondelegation of 
                                authority.--The Secretary or the 
                                Director may not delegate any authority 
                                under this clause.</DELETED>
<DELETED>    (d) Conversion to Competitive Service.--</DELETED>
        <DELETED>    (1) Definition.--In this subsection, the term 
        ``qualified employee'' means any individual appointed to an 
        excepted service position in the Department who performs 
        functions relating to the security of the Federal information 
        infrastructure or national information 
        infrastructure.</DELETED>
        <DELETED>    (2) Competitive civil service status.--In 
        consultation with the Director, the Secretary may grant 
        competitive civil service status to a qualified employee if 
        that employee is--</DELETED>
                <DELETED>    (A) employed in the Center; or</DELETED>
                <DELETED>    (B) transferring to the Center.</DELETED>
<DELETED>    (e) Retention Bonuses.--</DELETED>
        <DELETED>    (1) Authority.--Notwithstanding section 5754 of 
        title 5, United States Code, the Director may--</DELETED>
                <DELETED>    (A) pay a retention bonus under that 
                section to any individual appointed under this 
                subsection, if the Director determines that, in the 
                absence of a retention bonus, there is a high risk that 
                the individual would likely leave employment with the 
                Department; and</DELETED>
                <DELETED>    (B) exercise the authorities of the Office 
                of Personnel Management and the head of an agency under 
                that section with respect to retention bonuses paid 
                under this subsection.</DELETED>
        <DELETED>    (2) Limitations on amount of annual bonuses.--
        </DELETED>
                <DELETED>    (A) Definitions.--In this 
                paragraph:</DELETED>
                        <DELETED>    (i) Maximum total pay.--The term 
                        ``maximum total pay'' means--</DELETED>
                                <DELETED>    (I) in the case of an 
                                employee described under subsection 
                                (c)(2)(B)(i), the total amount of pay 
                                paid in a calendar year at the maximum 
                                rate of basic pay payable for a 
                                position at level I of the Executive 
                                Schedule under section 5312 of title 5, 
                                United States Code;</DELETED>
                                <DELETED>    (II) in the case of an 
                                employee described under subsection 
                                (c)(2)(B)(ii)(I)(aa), the total amount 
                                of pay paid in a calendar year at the 
                                maximum rate of basic pay payable for a 
                                position at level I of the Executive 
                                Schedule under section 5312 of title 5, 
                                United States Code; and</DELETED>
                                <DELETED>    (III) in the case of an 
                                employee described under subsection 
                                (c)(2)(B)(ii)(I)(bb), the total amount 
                                of pay paid in a calendar year at the 
                                maximum rate of basic pay payable for 
                                the Vice President under section 104 of 
                                title 3, United States Code.</DELETED>
                        <DELETED>    (ii) Total compensation.--The term 
                        ``total compensation'' means--</DELETED>
                                <DELETED>    (I) the amount of pay paid 
                                to an employee in any calendar year; 
                                and</DELETED>
                                <DELETED>    (II) the amount of all 
                                retention bonuses paid to an employee 
                                in any calendar year.</DELETED>
                <DELETED>    (B) Limitation.--The Director may not pay 
                a retention bonus under this subsection to an employee 
                that would result in the total compensation of that 
                employee exceeding maximum total pay.</DELETED>
<DELETED>    (f) Termination of Authority.--The authority to make 
appointments and pay retention bonuses under this section shall 
terminate 3 years after the date of enactment of this Act.</DELETED>
<DELETED>    (g) Reports.--</DELETED>
        <DELETED>    (1) Plan for execution of authorities.--Not later 
        than 120 days after the date of enactment of this Act, the 
        Director shall submit a report to the appropriate committees of 
        Congress with a plan for the execution of the authorities 
        provided under this section.</DELETED>
        <DELETED>    (2) Annual report.--Not later than 6 months after 
        the date of enactment of this Act, and every year thereafter, 
        the Director shall submit to the appropriate committees of 
        Congress a detailed report that--</DELETED>
                <DELETED>    (A) discusses how the actions taken during 
                the period of the report are fulfilling the critical 
                hiring needs of the Center;</DELETED>
                <DELETED>    (B) assesses metrics relating to 
                individuals hired under the authority of this section, 
                including--</DELETED>
                        <DELETED>    (i) the numbers of individuals 
                        hired;</DELETED>
                        <DELETED>    (ii) the turnover in relevant 
                        positions;</DELETED>
                        <DELETED>    (iii) with respect to each 
                        individual hired--</DELETED>
                                <DELETED>    (I) the position for which 
                                hired;</DELETED>
                                <DELETED>    (II) the salary 
                                paid;</DELETED>
                                <DELETED>    (III) any retention bonus 
                                paid and the amount of the 
                                bonus;</DELETED>
                                <DELETED>    (IV) the geographic 
                                location from which hired;</DELETED>
                                <DELETED>    (V) the immediate past 
                                salary; and</DELETED>
                                <DELETED>    (VI) whether the 
                                individual was a noncareer appointee in 
                                the Senior Executive Service or an 
                                appointee to a position of a 
                                confidential or policy-determining 
                                character under schedule C of subpart C 
                                of part 213 of title 5 of the Code of 
                                Federal Regulations before the hiring; 
                                and</DELETED>
                        <DELETED>    (iv) whether public notice for 
                        recruitment was made, and if so--</DELETED>
                                <DELETED>    (I) the total number of 
                                qualified applicants;</DELETED>
                                <DELETED>    (II) the number of veteran 
                                preference eligible candidates who 
                                applied;</DELETED>
                                <DELETED>    (III) the time from 
                                posting to job offer; and</DELETED>
                                <DELETED>    (IV) statistics on 
                                diversity, including age, disability, 
                                race, gender, and national origin, of 
                                individuals hired under the authority 
                                of this section to the extent such 
                                statistics are available; and</DELETED>
                <DELETED>    (C) includes rates of pay set in 
                accordance with subsection (c).</DELETED>

              <DELETED>TITLE V--OTHER PROVISIONS</DELETED>

<DELETED>SEC. 501. CONSULTATION ON CYBERSECURITY MATTERS.</DELETED>

<DELETED>    The Chairman of the Federal Trade Commission, the Chairman 
of the Federal Communications Commission, and the head of any other 
Federal agency determined appropriate by the President shall consult 
with the Director of the National Center for Cybersecurity and 
Communications regarding any regulation, rule, or requirement to be 
issued or other action to be required by the Federal agency relating to 
the security and resiliency of the national information 
infrastructure.</DELETED>

<DELETED>SEC. 502. CYBERSECURITY RESEARCH AND DEVELOPMENT.</DELETED>

<DELETED>    Subtitle D of title II of the Homeland Security Act of 
2002 (6 U.S.C. 161 et seq.) is amended by adding at the end the 
following:</DELETED>

<DELETED>``SEC. 238. CYBERSECURITY RESEARCH AND DEVELOPMENT.</DELETED>

<DELETED>    ``(a) Establishment of Research and Development Program.--
The Under Secretary for Science and Technology, in coordination with 
the Director of the National Center for Cybersecurity and 
Communications, shall carry out a research and development program for 
the purpose of improving the security of information 
infrastructure.</DELETED>
<DELETED>    ``(b) Eligible Projects.--The research and development 
program carried out under subsection (a) may include projects to--
</DELETED>
        <DELETED>    ``(1) advance the development and accelerate the 
        deployment of more secure versions of fundamental Internet 
        protocols and architectures, including for the secure domain 
        name addressing system and routing security;</DELETED>
        <DELETED>    ``(2) improve and create technologies for 
        detecting and analyzing attacks or intrusions, including 
        analysis of malicious software;</DELETED>
        <DELETED>    ``(3) improve and create mitigation and recovery 
        methodologies, including techniques for containment of attacks 
        and development of resilient networks and systems;</DELETED>
        <DELETED>    ``(4) develop and support infrastructure and tools 
        to support cybersecurity research and development efforts, 
        including modeling, testbeds, and data sets for assessment of 
        new cybersecurity technologies;</DELETED>
        <DELETED>    ``(5) assist the development and support of 
        technologies to reduce vulnerabilities in process control 
        systems;</DELETED>
        <DELETED>    ``(6) understand human behavioral factors that can 
        affect cybersecurity technology and practices;</DELETED>
        <DELETED>    ``(7) test, evaluate, and facilitate, with 
        appropriate protections for any proprietary information 
        concerning the technologies, the transfer of technologies 
        associated with the engineering of less vulnerable software and 
        securing the information technology software development 
        lifecycle;</DELETED>
        <DELETED>    ``(8) assist the development of identity 
        management and attribution technologies;</DELETED>
        <DELETED>    ``(9) assist the development of technologies 
        designed to increase the security and resiliency of 
        telecommunications networks;</DELETED>
        <DELETED>    ``(10) advance the protection of privacy and civil 
        liberties in cybersecurity technology and practices; 
        and</DELETED>
        <DELETED>    ``(11) address other risks identified by the 
        Director of the National Center for Cybersecurity and 
        Communications.</DELETED>
<DELETED>    ``(c) Coordination With Other Research Initiatives.--The 
Under Secretary--</DELETED>
        <DELETED>    ``(1) shall ensure that the research and 
        development program carried out under subsection (a) is 
        consistent with the national strategy to increase the security 
        and resilience of cyberspace developed by the Director of 
        Cyberspace Policy under section 101 of the Protecting 
        Cyberspace as a National Asset Act of 2010, or any succeeding 
        strategy;</DELETED>
        <DELETED>    ``(2) shall, to the extent practicable, coordinate 
        the research and development activities of the Department with 
        other ongoing research and development security-related 
        initiatives, including research being conducted by--</DELETED>
                <DELETED>    ``(A) the National Institute of Standards 
                and Technology;</DELETED>
                <DELETED>    ``(B) the National Academy of 
                Sciences;</DELETED>
                <DELETED>    ``(C) other Federal agencies, as defined 
                under section 241;</DELETED>
                <DELETED>    ``(D) other Federal and private research 
                laboratories, research entities, and universities and 
                institutions of higher education, and relevant 
                nonprofit organizations; and</DELETED>
                <DELETED>    ``(E) international partners of the United 
                States;</DELETED>
        <DELETED>    ``(3) shall carry out any research and development 
        project under subsection (a) through a reimbursable agreement 
        with an appropriate Federal agency, as defined under section 
        241, if the Federal agency--</DELETED>
                <DELETED>    ``(A) is sponsoring a research and 
                development project in a similar area; or</DELETED>
                <DELETED>    ``(B) has a unique facility or capability 
                that would be useful in carrying out the 
                project;</DELETED>
        <DELETED>    ``(4) may make grants to, or enter into 
        cooperative agreements, contracts, other transactions, or 
        reimbursable agreements with, the entities described in 
        paragraph (2); and</DELETED>
        <DELETED>    ``(5) shall submit a report to the appropriate 
        committees of Congress on a review of the cybersecurity 
        activities, and the capacity, of the national laboratories and 
        other research entities available to the Department to 
        determine if the establishment of a national laboratory 
        dedicated to cybersecurity research and development is 
        necessary.</DELETED>
<DELETED>    ``(d) Privacy and Civil Rights and Civil Liberties 
Issues.--</DELETED>
        <DELETED>    ``(1) Consultation.--In carrying out research and 
        development projects under subsection (a), the Under Secretary 
        shall consult with the Privacy Officer appointed under section 
        222 and the Officer for Civil Rights and Civil Liberties of the 
        Department appointed under section 705.</DELETED>
        <DELETED>    ``(2) Privacy impact assessments.--In accordance 
        with sections 222 and 705, the Privacy Officer shall conduct 
        privacy impact assessments and the Officer for Civil Rights and 
        Civil Liberties shall conduct reviews, as appropriate, for 
        research and development projects carried out under subsection 
        (a) that the Under Secretary determines could have an impact on 
        privacy, civil rights, or civil liberties.</DELETED>

<DELETED>``SEC. 239. NATIONAL CYBERSECURITY ADVISORY COUNCIL.</DELETED>

<DELETED>    ``(a) Establishment.--Not later than 90 days after the 
date of enactment of this section, the Secretary shall establish an 
advisory committee under section 871 on private sector cybersecurity, 
to be known as the National Cybersecurity Advisory Council (in this 
section referred to as the `Council').</DELETED>
<DELETED>    ``(b) Responsibilities.--</DELETED>
        <DELETED>    ``(1) In general.--The Council shall advise the 
        Director of the National Center for Cybersecurity and 
        Communications on the implementation of the cybersecurity 
        provisions affecting the private sector under this subtitle and 
        subtitle E.</DELETED>
        <DELETED>    ``(2) Incentives and regulations.--The Council 
        shall advise the Director of the National Center for 
        Cybersecurity and Communications and appropriate committees of 
        Congress (as defined in section 241) and any other 
        congressional committee with jurisdiction over the particular 
        matter regarding how market incentives and regulations may be 
        implemented to enhance the cybersecurity and economic security 
        of the Nation.</DELETED>
<DELETED>    ``(c) Membership.--</DELETED>
        <DELETED>    ``(1) In general.--The members of the Council 
        shall be appointed by the Director of the National Center for 
        Cybersecurity and Communications and shall, to the extent 
        practicable, represent a geographic and substantive cross-
        section of owners and operators of critical infrastructure and 
        others with expertise in cybersecurity, including, as 
        appropriate--</DELETED>
                <DELETED>    ``(A) representatives of covered critical 
                infrastructure (as defined under section 
                241);</DELETED>
                <DELETED>    ``(B) academic institutions with expertise 
                in cybersecurity;</DELETED>
                <DELETED>    ``(C) Federal, State, and local government 
                agencies with expertise in cybersecurity;</DELETED>
                <DELETED>    ``(D) a representative of the National 
                Security Telecommunications Advisory Council, as 
                established by Executive Order 12382 (47 Fed. Reg. 
                40531; relating to the establishment of the advisory 
                council), as amended by Executive Order 13286 (68 Fed. 
                Reg. 10619), as in effect on August 3, 2009, or any 
                successor entity;</DELETED>
                <DELETED>    ``(E) a representative of the 
                Communications Sector Coordinating Council, or any 
                successor entity;</DELETED>
                <DELETED>    ``(F) a representative of the Information 
                Technology Sector Coordinating Council, or any 
                successor entity;</DELETED>
                <DELETED>    ``(G) individuals, acting in their 
                personal capacity, with demonstrated technical 
                expertise in cybersecurity; and</DELETED>
                <DELETED>    ``(H) such other individuals as the 
                Director determines to be appropriate, including owners 
                of small business concerns (as defined under section 3 
                of the Small Business Act (15 U.S.C. 632)).</DELETED>
        <DELETED>    ``(2) Term.--The members of the Council shall be 
        appointed for 2 year terms and may be appointed to consecutive 
        terms.</DELETED>
        <DELETED>    ``(3) Leadership.--The Chairperson and Vice-
        Chairperson of the Council shall be selected by members of the 
        Council from among the members of the Council and shall serve 
        2-year terms.</DELETED>
<DELETED>    ``(d) Applicability of Federal Advisory Committee Act.--
The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to 
the Council.''.</DELETED>

<DELETED>SEC. 503. PRIORITIZED CRITICAL INFORMATION 
              INFRASTRUCTURE.</DELETED>

<DELETED>    Section 210E(a)(2) of the Homeland Security Act of 2002 (6 
U.S.C. 124l(a)(2)) is amended--</DELETED>
        <DELETED>    (1) by striking ``In accordance'' and inserting 
        the following:</DELETED>
                <DELETED>    ``(A) In general.--In accordance''; 
                and</DELETED>
        <DELETED>    (2) by adding at the end the following:</DELETED>
                <DELETED>    ``(B) Considerations.--In establishing and 
                maintaining a list under subparagraph (A), the 
                Secretary, in coordination with the Director of the 
                National Center for Cybersecurity and Communications 
                and in consultation with the National Cybersecurity 
                Advisory Council, shall--</DELETED>
                        <DELETED>    ``(i) consider cyber 
                        vulnerabilities and consequences by sector, 
                        including--</DELETED>
                                <DELETED>    ``(I) the factors listed 
                                in section 248(a)(2);</DELETED>
                                <DELETED>    ``(II) interdependencies 
                                between components of covered critical 
                                infrastructure (as defined under 
                                section 241); and</DELETED>
                                <DELETED>    ``(III) any other security 
                                related factor determined appropriate 
                                by the Secretary; and</DELETED>
                        <DELETED>    ``(ii) add covered critical 
                        infrastructure to or delete covered critical 
                        infrastructure from the list based on the 
                        factors listed in clause (i) for purposes of 
                        sections 248 and 249.</DELETED>
                <DELETED>    ``(C) Notification.--The Secretary--
                </DELETED>
                        <DELETED>    ``(i) shall notify the owner or 
                        operator of any system or asset added under 
                        subparagraph (B)(ii) to the list established 
                        and maintained under subparagraph (A) as soon 
                        as is practicable;</DELETED>
                        <DELETED>    ``(ii) shall develop a mechanism 
                        for an owner or operator notified under clause 
                        (i) to provide relevant information to the 
                        Secretary and the Director of the National 
                        Center for Cybersecurity and Communications 
                        relating to the inclusion of the system or 
                        asset on the list, including any information 
                        that the owner or operator believes may have 
                        led to the improper inclusion of the system or 
                        asset on the list; and</DELETED>
                        <DELETED>    ``(iii) at the sole and 
                        unreviewable discretion of the Secretary, may 
                        revise the list based on information provided 
                        in clause (ii).''.</DELETED>

<DELETED>SEC. 504. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS 
              ACQUISITION AUTHORITIES.</DELETED>

<DELETED>    (a) In General.--The National Center for Cybersecurity and 
Communications is authorized to use the authorities under subsections 
(c)(1) and (d)(1)(B) of section 2304 of title 10, United States Code, 
instead of the authorities under subsections (c)(1) and (d)(1)(B) of 
section 303 of the Federal Property and Administrative Services Act of 
1949 (41 U.S.C. 253), subject to all other requirements of section 303 
of the Federal Property and Administrative Services Act of 
1949.</DELETED>
<DELETED>    (b) Guidelines.--Not later than 90 days after the date of 
enactment of this Act, the chief procurement officer of the Department 
of Homeland Security shall issue guidelines for use of the authority 
under subsection (a).</DELETED>
<DELETED>    (c) Termination.--The National Center for Cybersecurity 
and Communications may not use the authority under subsection (a) on 
and after the date that is 3 years after the date of enactment of this 
Act.</DELETED>
<DELETED>    (d) Reporting.--</DELETED>
        <DELETED>    (1) In general.--On a semiannual basis, the 
        Director of the National Center for Cybersecurity and 
        Communications shall submit a report on use of the authority 
        granted by subsection (a) to--</DELETED>
                <DELETED>    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and</DELETED>
                <DELETED>    (B) the Committee on Homeland Security of 
                the House of Representatives.</DELETED>
        <DELETED>    (2) Contents.--Each report submitted under 
        paragraph (1) shall include, at a minimum--</DELETED>
                <DELETED>    (A) the number of contract actions taken 
                under the authority under subsection (a) during the 
                period covered by the report; and</DELETED>
                <DELETED>    (B) for each contract action described in 
                subparagraph (A)--</DELETED>
                        <DELETED>    (i) the total dollar value of the 
                        contract action;</DELETED>
                        <DELETED>    (ii) a summary of the market 
                        research conducted by the National Center for 
                        Cybersecurity and Communications, including a 
                        list of all offerors who were considered and 
                        those who actually submitted bids, in order to 
                        determine that use of the authority was 
                        appropriate; and</DELETED>
                        <DELETED>    (iii) a copy of the justification 
                        and approval documents required by section 
                        303(f) of the Federal Property and 
                        Administrative Services Act of 1949 (41 U.S.C. 
                        253(f)).</DELETED>
        <DELETED>    (3) Classified annex.--A report submitted under 
        this subsection shall be submitted in an unclassified form, but 
        may include a classified annex, if necessary.</DELETED>

<DELETED>SEC. 505. TECHNICAL AND CONFORMING AMENDMENTS.</DELETED>

<DELETED>    (a) Elimination of Assistant Secretary for Cybersecurity 
and Communications.--The Homeland Security Act of 2002 (6 U.S.C. 101 et 
seq.) is amended--</DELETED>
        <DELETED>    (1) in section 103(a)(8) (6 U.S.C. 113(a)(8)), by 
        striking ``, cybersecurity,'';</DELETED>
        <DELETED>    (2) in section 514 (6 U.S.C. 321c)--</DELETED>
                <DELETED>    (A) by striking subsection (b); 
                and</DELETED>
                <DELETED>    (B) by redesignating subsection (c) as 
                subsection (b); and</DELETED>
        <DELETED>    (3) in section 1801(b) (6 U.S.C. 571(b)), by 
        striking ``shall report to the Assistant Secretary for 
        Cybersecurity and Communications'' and inserting ``shall report 
        to the Director of the National Center for Cybersecurity and 
        Communications''.</DELETED>
<DELETED>    (b) CIO Council.--Section 3603(b) of title 44, United 
States Code, is amended--</DELETED>
        <DELETED>    (1) by redesignating paragraph (7) as paragraph 
        (8); and</DELETED>
        <DELETED>    (2) by inserting after paragraph (6) the 
        following:</DELETED>
        <DELETED>    ``(7) The Director of the National Center for 
        Cybersecurity and Communications.''.</DELETED>
<DELETED>    (c) Repeal.--The Homeland Security Act of 2002 (6 U.S.C. 
101 et seq.) is amended--</DELETED>
        <DELETED>    (1) by striking section 223 (6 U.S.C. 143); 
        and</DELETED>
        <DELETED>    (2) by redesignating sections 224 and 225 (6 
        U.S.C. 144 and 145) as sections 223 and 224, 
        respectively.</DELETED>
<DELETED>    (d) Technical Correction.--Section 1802(a) of the Homeland 
Security Act of 2002 (6 U.S.C. 572(a)) is amended in the matter 
preceding paragraph (1) by striking ``Department of''.</DELETED>
<DELETED>    (e) Executive Schedule Position.--Section 5313 of title 5, 
United States Code, is amended by adding at the end the 
following:</DELETED>
<DELETED>    ``Director of the National Center for Cybersecurity and 
Communications.''.</DELETED>
<DELETED>    (f) Table of Contents.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is 
amended--</DELETED>
        <DELETED>    (1) by striking the items relating to sections 
        223, 224, and 225 and inserting the following:</DELETED>

<DELETED>``Sec. 223. NET guard.
<DELETED>``Sec. 224. Cyber Security Enhancements Act of 2002.''; and
        <DELETED>    (2) by inserting after the item relating to 
        section 237 the following:</DELETED>

<DELETED>``Sec. 238. Cybersecurity research and development.
<DELETED>``Sec. 239. National Cybersecurity Advisory Council.
                  <DELETED>``Subtitle E--Cybersecurity

<DELETED>``Sec. 241. Definitions.
<DELETED>``Sec. 242. National Center for Cybersecurity and 
                            Communications.
<DELETED>``Sec. 243. Physical and cyber infrastructure collaboration.
<DELETED>``Sec. 244. United States Computer Emergency Readiness Team.
<DELETED>``Sec. 245. Additional authorities of the Director of the 
                            National Center for Cybersecurity and 
                            Communications.
<DELETED>``Sec. 246. Information sharing.
<DELETED>``Sec. 247. Private sector assistance.
<DELETED>``Sec. 248. Cyber vulnerabilities to covered critical 
                            infrastructure.
<DELETED>``Sec. 249. National cyber emergencies.
<DELETED>``Sec. 250. Enforcement.
<DELETED>``Sec. 251. Protection of information.
<DELETED>``Sec. 252. Sector-specific agencies.
<DELETED>``Sec. 253. Strategy for Federal cybersecurity supply chain 
                            management.''.

</DELETED>SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Protecting Cyberspace as a National 
Asset Act of 2010''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Definitions.

                  TITLE I--OFFICE OF CYBERSPACE POLICY

Sec. 101. Establishment of the Office of Cyberspace Policy.
Sec. 102. Appointment and responsibilities of the Director.
Sec. 103. Prohibition on political campaigning.
Sec. 104. Review of Federal agency budget requests relating to the 
                            National Strategy.
Sec. 105. Access to intelligence.
Sec. 106. Consultation.
Sec. 107. Reports to Congress.

     TITLE II--NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS

Sec. 201. Cybersecurity.

           TITLE III--FEDERAL INFORMATION SECURITY MANAGEMENT

Sec. 301. Coordination of Federal information policy.

           TITLE IV--RECRUITMENT AND PROFESSIONAL DEVELOPMENT

Sec. 401. Definitions.
Sec. 402. Assessment of cybersecurity workforce.
Sec. 403. Strategic cybersecurity workforce planning.
Sec. 404. Cybersecurity occupation classifications.
Sec. 405. Measures of cybersecurity hiring effectiveness.
Sec. 406. Training and education.
Sec. 407. Cybersecurity incentives.
Sec. 408. Recruitment and retention program for the National Center for 
                            Cybersecurity and Communications.

                       TITLE V--OTHER PROVISIONS

Sec. 501. Cybersecurity research and development.
Sec. 502. Prioritized critical information infrastructure.
Sec. 503. National Center for Cybersecurity and Communications 
                            acquisition authorities.
Sec. 504. Evaluation of the effective implementation of Office of 
                            Management and Budget information security 
                            related policies and directives.
Sec. 505. Technical and conforming amendments.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Homeland Security of the House 
                of Representatives;
                    (C) the Committee on Oversight and Government 
                Reform of the House of Representatives; and
                    (D) any other congressional committee with 
                jurisdiction over the particular matter.
            (2) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given that term in section 
        1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).
            (3) Cyberspace.--The term ``cyberspace'' means the 
        interdependent network of information infrastructure, and 
        includes the Internet, telecommunications networks, computer 
        systems, and embedded processors and controllers in critical 
        industries.
            (4) Director.--The term ``Director'' means the Director of 
        Cyberspace Policy established under section 101.
            (5) Federal agency.--The term ``Federal agency''--
                    (A) means any executive department, Government 
                corporation, Government controlled corporation, or 
                other establishment in the executive branch of the 
                Government (including the Executive Office of the 
                President), or any independent regulatory agency; and
                    (B) does not include the governments of the 
                District of Columbia and of the territories and 
                possessions of the United States and their various 
                subdivisions.
            (6) Federal information infrastructure.--The term ``Federal 
        information infrastructure''--
                    (A) means information infrastructure that is owned, 
                operated, controlled, or licensed for use by, or on 
                behalf of, any Federal agency, including information 
                systems used or operated by another entity on behalf of 
                a Federal agency; and
                    (B) does not include--
                            (i) a national security system; or
                            (ii) information infrastructure that is 
                        owned, operated, controlled, or licensed for 
                        use by, or on behalf of, the Department of 
                        Defense, a military department, or another 
                        element of the intelligence community.
            (7) Incident.--The term ``incident'' has the meaning given 
        that term in section 3551 of title 44, United States Code, as 
        added by this Act.
            (8) Information infrastructure.--The term ``information 
        infrastructure'' means the underlying framework that 
        information systems and assets rely on to process, transmit, 
        receive, or store information electronically, including 
        programmable electronic devices and communications networks and 
        any associated hardware, software, or data.
            (9) Information security.--The term ``information 
        security'' means protecting information and information systems 
        from disruption or unauthorized access, use, disclosure, 
        modification, or destruction in order to provide--
                    (A) integrity, by guarding against improper 
                information modification or destruction, including by 
                ensuring information nonrepudiation and authenticity;
                    (B) confidentiality, by preserving authorized 
                restrictions on access and disclosure, including means 
                for protecting personal privacy and proprietary 
                information; and
                    (C) availability, by ensuring timely and reliable 
                access to and use of information.
            (10) Information technology.--The term ``information 
        technology'' has the meaning given that term in section 11101 
        of title 40, United States Code.
            (11) Intelligence community.--The term ``intelligence 
        community'' has the meaning given that term under section 3(4) 
        of the National Security Act of 1947 (50 U.S.C. 401a(4)).
            (12) Key resources.--The term ``key resources'' has the 
        meaning given that term in section 2 of the Homeland Security 
        Act of 2002 (6 U.S.C. 101).
            (13) National center for cybersecurity and 
        communications.--The term ``National Center for Cybersecurity 
        and Communications'' means the National Center for 
        Cybersecurity and Communications established under section 
        242(a) of the Homeland Security Act of 2002, as added by this 
        Act.
            (14) National information infrastructure.--The term 
        ``national information infrastructure'' means information 
        infrastructure--
                    (A) that is owned, operated, or controlled within 
                or from the United States; and
                    (B) that is not owned, operated, controlled, or 
                licensed for use by a Federal agency.
            (15) National security system.--The term ``national 
        security system'' has the meaning given that term in section 
        3551 of title 44, United States Code, as added by this Act.
            (16) National strategy.--The term ``National Strategy'' 
        means the national strategy to increase the security and 
        resiliency of cyberspace developed under section 101(a)(1).
            (17) Office.--The term ``Office'' means the Office of 
        Cyberspace Policy established under section 101.
            (18) Resiliency.--The term ``resiliency'' means the ability 
        to eliminate or reduce the magnitude or duration of a 
        disruptive event, including the ability to prevent, prepare 
        for, respond to, and recover from the event.
            (19) Risk.--The term ``risk'' means the potential for an 
        unwanted outcome resulting from an incident, as determined by 
        the likelihood of the occurrence of the incident and the 
        associated consequences, including potential for an adverse 
        outcome assessed as a function of threats, vulnerabilities, and 
        consequences associated with an incident.
            (20) Risk-based security.--The term ``risk-based security'' 
        has the meaning given that term in section 3551 of title 44, 
        United States Code, as added by this Act.

                  TITLE I--OFFICE OF CYBERSPACE POLICY

SEC. 101. ESTABLISHMENT OF THE OFFICE OF CYBERSPACE POLICY.

    (a) Establishment of Office.--There is established in the Executive 
Office of the President an Office of Cyberspace Policy which shall--
            (1) develop, not later than 1 year after the date of 
        enactment of this Act, and update as needed, but not less 
        frequently than once every 2 years, a national strategy to 
        increase the security and resiliency of cyberspace, that 
        includes goals and objectives relating to--
                    (A) computer network operations, including 
                offensive activities, defensive activities, and other 
                activities;
                    (B) information assurance;
                    (C) protection of critical infrastructure and key 
                resources;
                    (D) research and development priorities;
                    (E) law enforcement;
                    (F) diplomacy;
                    (G) homeland security;
                    (H) protection of privacy and civil liberties;
                    (I) military and intelligence activities; and
                    (J) identity management and authentication;
            (2) oversee, coordinate, and integrate all policies and 
        activities of the Federal Government across all instruments of 
        national power relating to ensuring the security and resiliency 
        of cyberspace, including--
                    (A) diplomatic, economic, military, intelligence, 
                homeland security, and law enforcement policies and 
                activities within and among Federal agencies; and
                    (B) offensive activities, defensive activities, and 
                other policies and activities necessary to ensure 
                effective capabilities to operate in cyberspace;
            (3) ensure that all Federal agencies comply with 
        appropriate guidelines, policies, and directives from the 
        Department of Homeland Security, other Federal agencies with 
        responsibilities relating to cyberspace security or resiliency, 
        and the National Center for Cybersecurity and Communications; 
        and
            (4) ensure that Federal agencies have access to, receive, 
        and appropriately disseminate law enforcement information, 
        intelligence information, terrorism information, and any other 
        information (including information relating to incidents 
        provided under subsections (a)(4) and (c) of section 246 of the 
        Homeland Security Act of 2002, as added by this Act) relevant 
        to--
                    (A) the security of the Federal information 
                infrastructure or the national information 
                infrastructure; and
                    (B) the security of--
                            (i) information infrastructure that is 
                        owned, operated, controlled, or licensed for 
                        use by, or on behalf of, the Department of 
                        Defense, a military department, or another 
                        element of the intelligence community; or
                            (ii) a national security system.
    (b) Director of Cyberspace Policy.--
            (1) In general.--There shall be a Director of Cyberspace 
        Policy, who shall be the head of the Office.
            (2) Executive schedule position.--Section 5312 of title 5, 
        United States Code, is amended by adding at the end the 
        following:
            ``Director of Cyberspace Policy.''.

SEC. 102. APPOINTMENT AND RESPONSIBILITIES OF THE DIRECTOR.

    (a) Appointment.--
            (1) In general.--The Director shall be appointed by the 
        President, by and with the advice and consent of the Senate.
            (2) Qualifications.--The President shall appoint the 
        Director from among individuals who have demonstrated ability 
        and knowledge in information technology, cybersecurity, and the 
        operations, security, and resiliency of communications 
        networks.
            (3) Prohibition.--No person shall serve as Director while 
        serving in any other position in the Federal Government.
    (b) Responsibilities.--The Director shall--
            (1) advise the President regarding the establishment of 
        policies, goals, objectives, and priorities for securing the 
        information infrastructure of the Nation;
            (2) advise the President and other entities within the 
        Executive Office of the President regarding mechanisms to 
        build, and improve the resiliency and efficiency of, the 
        information and communication industry of the Nation, in 
        collaboration with the private sector, while promoting national 
        economic interests;
            (3) work with Federal agencies to--
                    (A) oversee, coordinate, and integrate the 
                implementation of the National Strategy, including 
                coordination with--
                            (i) the Department of Homeland Security;
                            (ii) the Department of Defense;
                            (iii) the Department of Commerce;
                            (iv) the Department of State;
                            (v) the Department of Justice;
                            (vi) the Department of Energy;
                            (vii) through the Director of National 
                        Intelligence, the intelligence community; and
                            (viii) any other Federal agency with 
                        responsibilities relating to the National 
                        Strategy; and
                    (B) resolve any disputes that arise between Federal 
                agencies relating to the National Strategy or other 
                matters within the responsibility of the Office;
            (4) if the policies or activities of a Federal agency are 
        not in compliance with the responsibilities of the Federal 
        agency under the National Strategy--
                    (A) notify the Federal agency;
                    (B) transmit a copy of each notification under 
                subparagraph (A) to the President and the appropriate 
                congressional committees; and
                    (C) coordinate the efforts to bring the Federal 
                agency into compliance;
            (5) ensure the adequacy of protections for privacy and 
        civil liberties in carrying out the responsibilities of the 
        Director under this title, including through consultation with 
        the Privacy and Civil Liberties Oversight Board established 
        under section 1061 of the National Security Intelligence Reform 
        Act of 2004 (42 U.S.C. 2000ee);
            (6) upon reasonable request, appear before any duly 
        constituted committees of the Senate or of the House of 
        Representatives;
            (7) recommend to the Office of Management and Budget or the 
        head of a Federal agency actions (including requests to 
        Congress relating to the reprogramming of funds) that the 
        Director determines are necessary to ensure risk-based security 
        of--
                    (A) the Federal information infrastructure;
                    (B) information infrastructure that is owned, 
                operated, controlled, or licensed for use by, or on 
                behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community; or
                    (C) a national security system;
            (8) advise the Administrator of the Office of E-Government 
        and Information Technology and the Administrator of the Office 
        of Information and Regulatory Affairs on the development, and 
        oversee the implementation, of policies, principles, standards, 
        guidelines, and budget priorities for information technology 
        functions and activities of the Federal Government;
            (9) coordinate and ensure, to the maximum extent 
        practicable, that the standards and guidelines developed for 
        national security systems and the standards and guidelines 
        under section 20 of the National Institute of Standards and 
        Technology Act (15 U.S.C. 278g-3) are complementary and 
        unified;
            (10) in consultation with the Administrator of the Office 
        of Information and Regulatory Affairs, coordinate efforts of 
        Federal agencies relating to the development of regulations, 
        rules, requirements, or other actions applicable to the 
        national information infrastructure to ensure, to the maximum 
        extent practicable, that the efforts are complementary;
            (11) coordinate the activities of the Office of Science and 
        Technology Policy, the National Economic Council, the Office of 
        Management and Budget, the National Security Council, the 
        Homeland Security Council, and the United States Trade 
        Representative related to the National Strategy and other 
        matters within the purview of the Office;
            (12) carry out the responsibilities for national security 
        and emergency preparedness communications described in section 
        706 of the Communications Act of 1934 (47 U.S.C. 606) to ensure 
        integration and coordination; and
            (13) as assigned by the President, other duties relating to 
        the security and resiliency of cyberspace.
    (c) Conforming Regulations and Orders.--The President shall amend 
the regulations and orders issued under section 706 of the 
Communications Act of 1934 (47 U.S.C. 606) in accordance with 
subsection (b)(12).

SEC. 103. PROHIBITION ON POLITICAL CAMPAIGNING.

    Section 7323(b)(2)(B) of title 5, United States Code, is amended--
            (1) in clause (i), by striking ``or'' at the end;
            (2) in clause (ii), by striking the period at the end and 
        inserting ``; or''; and
            (3) by adding at the end the following:
                            ``(iii) notwithstanding the exception under 
                        subparagraph (A) (relating to an appointment 
                        made by the President, by and with the advice 
                        and consent of the Senate), the Director of 
                        Cyberspace Policy.''.

SEC. 104. REVIEW OF FEDERAL AGENCY BUDGET REQUESTS RELATING TO THE 
              NATIONAL STRATEGY.

    (a) In General.--For each fiscal year, the head of each Federal 
agency shall transmit to the Director a copy of any portion of the 
budget of the Federal agency intended to implement the National 
Strategy at the same time as that budget request is submitted to the 
Office of Management and Budget in the preparation of the budget of the 
President submitted to Congress under section 1105(a) of title 31, 
United States Code.
    (b) Timely Submissions.--The head of each Federal agency shall 
ensure the timely development and submission to the Director of each 
proposed budget under this section, in such format as may be designated 
by the Director with the concurrence of the Director of the Office of 
Management and Budget.
    (c) Adequacy of the Proposed Budget Requests.--With the assistance 
of, and in coordination with, the Office of E-Government and 
Information Technology and the National Center for Cybersecurity and 
Communications, the Director shall review each budget submission to 
assess the adequacy of the proposed request with regard to 
implementation of the National Strategy, including the overall 
sufficiency of the requests to implement effectively the National 
Strategy across all Federal agencies.
    (d) Inadequate Budget Requests.--If the Director concludes that a 
budget request submitted under subsection (a) is inadequate, in whole 
or in part, to implement the objectives of the National Strategy, the 
Director shall submit to the Director of the Office of Management and 
Budget and the head of the Federal agency submitting the budget request 
a written description of funding levels and specific initiatives that 
would, in the determination of the Director, make the request adequate.

SEC. 105. ACCESS TO INTELLIGENCE.

    The Director shall have access to law enforcement information, 
intelligence information, terrorism information, and any other 
information (including information relating to incidents provided under 
subsections (a)(4) and (c) of section 246 of the Homeland Security Act 
of 2002, as added by this Act) that is obtained by, or in the 
possession of, any Federal agency that the Director determines relevant 
to the security of--
            (1) the Federal information infrastructure;
            (2) information infrastructure that is owned, operated, 
        controlled, or licensed for use by, or on behalf of, the 
        Department of Defense, a military department, or another 
        element of the intelligence community;
            (3) a national security system; or
            (4) national information infrastructure.

SEC. 106. CONSULTATION.

    (a) In General.--The Director may consult and obtain 
recommendations from, as needed, such Presidential and other advisory 
entities as the Director determines will assist in carrying out the 
mission of the Office, including--
            (1) the National Security Telecommunications Advisory 
        Committee;
            (2) the National Infrastructure Advisory Council;
            (3) the Privacy and Civil Liberties Oversight Board;
            (4) the President's Intelligence Advisory Board;
            (5) the Critical Infrastructure Partnership Advisory 
        Council;
            (6) the Committee on Foreign Investment in the United 
        States;
            (7) the Information Security and Privacy Advisory Board;
            (8) the National Cybersecurity Advisory Council established 
        under section 239 of the Homeland Security Act of 2002, as 
        added by this Act; and
            (9) any other entity that may provide assistance to the 
        Director.
    (b) National Strategy.--In developing and updating the National 
Strategy, the Director shall consult with the National Cybersecurity 
Advisory Council and, as appropriate, State and local governments and 
private entities.

SEC. 107. REPORTS TO CONGRESS.

    (a) In General.--The Director shall submit an annual report to the 
appropriate congressional committees describing the activities, ongoing 
projects, and plans of the Federal Government designed to meet the 
goals and objectives of the National Strategy.
    (b) Classified Annex.--A report submitted under this section shall 
be submitted in an unclassified form, but may include a classified 
annex, if necessary.
    (c) Public Report.--An unclassified version of each report 
submitted under this section shall be made available to the public.

     TITLE II--NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS

SEC. 201. CYBERSECURITY.

    Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et 
seq.) is amended by adding at the end the following:

                      ``Subtitle E--Cybersecurity

``SEC. 241. DEFINITIONS.

    ``In this subtitle--
            ``(1) the term `agency information infrastructure' means 
        the Federal information infrastructure of a particular Federal 
        agency;
            ``(2) the term `appropriate committees of Congress' means 
        the Committee on Homeland Security and Governmental Affairs of 
        the Senate and the Committee on Homeland Security of the House 
        of Representatives;
            ``(3) the term `Center' means the National Center for 
        Cybersecurity and Communications established under section 
        242(a);
            ``(4) the term `covered critical infrastructure' means a 
        system or asset identified by the Secretary as covered critical 
        infrastructure under section 254;
            ``(5) the term `cyber risk' means any risk to information 
        infrastructure, including physical or personnel risks and 
        security vulnerabilities, that, if exploited or not mitigated, 
        could pose a significant risk of disruption to the operation of 
        information infrastructure essential to the reliable operation 
        of covered critical infrastructure;
            ``(6) the term `Director' means the Director of the Center 
        appointed under section 242(b)(1);
            ``(7) the term `Federal agency'--
                    ``(A) means any executive department, military 
                department, Government corporation, Government 
                controlled corporation, or other establishment in the 
                executive branch of the Government (including the 
                Executive Office of the President), or any independent 
                regulatory agency; and
                    ``(B) does not include the governments of the 
                District of Columbia and of the territories and 
                possessions of the United States and their various 
                subdivisions;
            ``(8) the term `Federal information infrastructure'--
                    ``(A) means information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, any Federal agency, including information 
                systems used or operated by another entity on behalf of 
                a Federal agency; and
                    ``(B) does not include--
                            ``(i) a national security system; or
                            ``(ii) information infrastructure that is 
                        owned, operated, controlled, or licensed for 
                        use by, or on behalf of, the Department of 
                        Defense, a military department, or another 
                        element of the intelligence community;
            ``(9) the term `incident' has the meaning given that term 
        in section 3551 of title 44, United States Code;
            ``(10) the term `information infrastructure' means the 
        underlying framework that information systems and assets rely 
        on to process, transmit, receive, or store information 
        electronically, including--
                    ``(A) programmable electronic devices and 
                communications networks; and
                    ``(B) any associated hardware, software, or data;
            ``(11) the term `information security' means protecting 
        information and information systems from disruption or 
        unauthorized access, use, disclosure, modification, or 
        destruction in order to provide--
                    ``(A) integrity, by guarding against improper 
                information modification or destruction, including by 
                ensuring information nonrepudiation and authenticity;
                    ``(B) confidentiality, by preserving authorized 
                restrictions on access and disclosure, including means 
                for protecting personal privacy and proprietary 
                information; and
                    ``(C) availability, by ensuring timely and reliable 
                access to and use of information;
            ``(12) the term `information sharing and analysis center' 
        means a self-governed forum whose members work together within 
        a specific sector of critical infrastructure to identify, 
        analyze, and share with other members and the Federal 
        Government critical information relating to threats, 
        vulnerabilities, or incidents to the security and resiliency of 
        the critical infrastructure that comprises the specific sector;
            ``(13) the term `information system' has the meaning given 
        that term in section 3502 of title 44, United States Code;
            ``(14) the term `intelligence community' has the meaning 
        given that term in section 3(4) of the National Security Act of 
        1947 (50 U.S.C. 401a(4));
            ``(15) the term `management controls' means safeguards or 
        countermeasures for an information system that focus on the 
        management of risk and the management of information system 
        security;
            ``(16) the term `National Cybersecurity Advisory Council' 
        means the National Cybersecurity Advisory Council established 
        under section 239;
            ``(17) the term `national cyber emergency' means an actual 
        or imminent action by any individual or entity to exploit a 
        cyber risk in a manner that disrupts, attempts to disrupt, or 
        poses a significant risk of disruption to the operation of the 
        information infrastructure essential to the reliable operation 
        of covered critical infrastructure;
            ``(18) the term `national information infrastructure' means 
        information infrastructure--
                    ``(A) that is owned, operated, or controlled within 
                or from the United States; and
                    ``(B) that is not owned, operated, controlled, or 
                licensed for use by a Federal agency;
            ``(19) the term `national security system' has the meaning 
        given that term in section 3551 of title 44, United States 
        Code;
            ``(20) the term `operational controls' means the safeguards 
        and countermeasures for an information system that are 
        primarily implemented and executed by individuals, not systems;
            ``(21) the term `sector-specific agency' means the relevant 
        Federal agency responsible for infrastructure protection 
        activities in a designated critical infrastructure sector or 
        key resources category under the National Infrastructure 
        Protection Plan, or any other appropriate Federal agency 
        identified by the President after the date of enactment of this 
        subtitle;
            ``(22) the term `sector coordinating councils' means self-
        governed councils that are composed of representatives of key 
        stakeholders within a specific sector of critical 
        infrastructure that serve as the principal private sector 
        policy coordination and planning entities with the Federal 
        Government relating to the security and resiliency of the 
        critical infrastructure that comprises that sector;
            ``(23) the term `security controls' means the management, 
        operational, and technical controls prescribed for an 
        information system to protect the information security of the 
        system;
            ``(24) the term `small business concern' has the meaning 
        given that term under section 3 of the Small Business Act (15 
        U.S.C. 632);
            ``(25) the term `technical controls' means the safeguards 
        or countermeasures for an information system that are primarily 
        implemented and executed by the information system through 
        mechanisms contained in the hardware, software, or firmware 
        components of the system;
            ``(26) the term `terrorism information' has the meaning 
        given that term in section 1016 of the Intelligence Reform and 
        Terrorism Prevention Act of 2004 (6 U.S.C. 485);
            ``(27) the term `United States person' has the meaning 
        given that term in section 101 of the Foreign Intelligence 
        Surveillance Act of 1978 (50 U.S.C. 1801); and
            ``(28) the term `US-CERT' means the United States Computer 
        Emergency Readiness Team established under section 244.

``SEC. 242. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS.

    ``(a) Establishment.--
            ``(1) In general.--There is established within the 
        Department a National Center for Cybersecurity and 
        Communications.
            ``(2) Operational entity.--The Center may--
                    ``(A) enter into contracts for the procurement of 
                property and services for the Center; and
                    ``(B) appoint employees of the Center in accordance 
                with the civil service laws of the United States.
    ``(b) Director.--
            ``(1) In general.--The Center shall be headed by a 
        Director, who shall be appointed by the President, by and with 
        the advice and consent of the Senate.
            ``(2) Reporting to secretary.--The Director shall report 
        directly to the Secretary and serve as the principal advisor to 
        the Secretary on cybersecurity and the operations, security, 
        and resiliency of the information infrastructure and 
        communications infrastructure of the United States.
            ``(3) Presidential advice.--The Director shall regularly 
        advise the President on the exercise of the authorities 
        provided under this subtitle or any other provision of law 
        relating to the security of the Federal information 
        infrastructure or an agency information infrastructure.
            ``(4) Qualifications.--The Director shall be appointed from 
        among individuals who have--
                    ``(A) a demonstrated ability in and knowledge of 
                information technology, cybersecurity, and the 
                operations, security, and resiliency of communications 
                networks; and
                    ``(B) significant executive leadership and 
                management experience in the public or private sector.
            ``(5) Limitation on service.--
                    ``(A) In general.--Subject to subparagraph (B), the 
                individual serving as the Director may not, while so 
                serving, serve in any other capacity in the Federal 
                Government, except to the extent that the individual 
                serving as Director is doing so in an acting capacity.
                    ``(B) Exception.--The Director may serve on any 
                commission, board, council, or similar entity with 
                responsibilities or duties relating to cybersecurity or 
                the operations, security, and resiliency of the 
                information infrastructure and communications 
                infrastructure of the United States at the direction of 
                the President or as otherwise provided by law.
    ``(c) Deputy Directors.--
            ``(1) In general.--There shall be not less than 2 Deputy 
        Directors for the Center, who shall report to the Director.
            ``(2) Infrastructure protection.--
                    ``(A) Appointment.--There shall be a Deputy 
                Director appointed by the Secretary, who shall have 
                expertise in infrastructure protection.
                    ``(B) Responsibilities.--The Deputy Director 
                appointed under subparagraph (A) shall--
                            ``(i) assist the Director and the Assistant 
                        Secretary for Infrastructure Protection in 
                        coordinating, managing, and directing the 
                        information, communications, and physical 
                        infrastructure protection responsibilities and 
                        activities of the Department, including 
                        activities under Homeland Security Presidential 
                        Directive-7, or any successor thereto, and the 
                        National Infrastructure Protection Plan, or any 
                        successor thereto;
                            ``(ii) review the budget for the Center and 
                        the Office of Infrastructure Protection before 
                        submission of the budget to the Secretary to 
                        ensure that activities are appropriately 
                        coordinated;
                            ``(iii) develop, update periodically, and 
                        submit to the appropriate committees of 
                        Congress a strategic plan detailing how 
                        critical infrastructure protection activities 
                        will be coordinated between the Center, the 
                        Office of Infrastructure Protection, and the 
                        private sector;
                            ``(iv) subject to the direction of the 
                        Director, resolve conflicts between the Center 
                        and the Office of Infrastructure Protection 
                        relating to the information, communications, 
                        and physical infrastructure protection 
                        responsibilities of the Center and the Office 
                        of Infrastructure Protection; and
                            ``(v) perform such other duties as the 
                        Director may assign.
                    ``(C) Annual evaluation.--The Assistant Secretary 
                for Infrastructure Protection shall submit annually to 
                the Director an evaluation of the performance of the 
                Deputy Director appointed under subparagraph (A).
            ``(3) Intelligence community.--The Director of National 
        Intelligence shall identify an employee of an element of the 
        intelligence community to serve as a Deputy Director of the 
        Center. The employee shall be detailed to the Center on a 
        reimbursable basis for such period as is agreed to by the 
        Director and the Director of National Intelligence, and, while 
        serving as Deputy Director, shall report directly to the 
        Director of the Center.
    ``(d) Liaison Officers.--
            ``(1) In general.--The Secretary of Defense, the Attorney 
        General, the Secretary of Commerce, and the Director of 
        National Intelligence shall detail personnel to the Center to 
        act as full-time liaisons with the Department of Defense, the 
        Department of Justice, the National Institute of Standards and 
        Technology, and elements of the intelligence community to 
        assist in coordination between and among the Center, the 
        Department of Defense, the Department of Justice, the National 
        Institute of Standards and Technology, and elements of the 
        intelligence community.
            ``(2) Private sector.--
                    ``(A) In general.--Consistent with applicable law 
                and ethics requirements, and except as provided in 
                subparagraph (B), the Director may authorize 
                representatives from private sector entities to 
                participate in the activities of the Center to improve 
                the information sharing, analysis, and coordination of 
                activities of the US-CERT.
                    ``(B) Limitation.--A representative from a private 
                sector entity authorized to participate in the 
                activities of the Center under subparagraph (A) may not 
                participate in any activities of the Center under 
                section 248, 249, or 250.
    ``(e) Privacy Officer.--
            ``(1) In general.--The Director, in consultation with the 
        Secretary, shall designate a full-time privacy officer, who 
        shall report to the Director.
            ``(2) Duties.--The privacy officer designated under 
        paragraph (1) shall have primary responsibility for 
        implementation by the Center of the privacy policy for the 
        Department established by the Privacy Officer appointed under 
        section 222.
    ``(f) Duties of Director.--
            ``(1) In general.--The Director shall--
                    ``(A) working cooperatively with the private 
                sector, lead the Federal effort to secure, protect, and 
                ensure the resiliency of the Federal information 
                infrastructure, national information infrastructure, 
                and communications infrastructure of the United States, 
                including communications networks;
                    ``(B) assist in the identification, remediation, 
                and mitigation of vulnerabilities to the Federal 
                information infrastructure and the national information 
                infrastructure;
                    ``(C) provide dynamic, comprehensive, and 
                continuous situational awareness of the security status 
                of the Federal information infrastructure, national 
                information infrastructure, information infrastructure 
                that is owned, operated, controlled, or licensed for 
                use by, or on behalf of, the Department of Defense, a 
                military department, or another element of the 
                intelligence community, and information infrastructure 
                located outside the United States the disruption of 
                which could result in national or regional catastrophic 
                damage in the United States by sharing and integrating 
                classified and unclassified information, including 
                information relating to threats, vulnerabilities, 
                traffic, trends, incidents, and other anomalous 
                activities affecting the infrastructure or systems, on 
                a routine and continuous basis with--
                            ``(i) the National Threat Operations Center 
                        of the National Security Agency;
                            ``(ii) the United States Cyber Command, 
                        including the Joint Task Force-Global Network 
                        Operations;
                            ``(iii) the Cyber Crime Center of the 
                        Department of Defense;
                            ``(iv) the National Cyber Investigative 
                        Joint Task Force;
                            ``(v) the Intelligence Community Incident 
                        Response Center;
                            ``(vi) any other Federal agency, or 
                        component thereof, identified by the Director; 
                        and
                            ``(vii) any non-Federal entity, including, 
                        where appropriate, information sharing and 
                        analysis centers, identified by the Director, 
                        with the concurrence of the owner or operator 
                        of that entity and consistent with applicable 
                        law;
                    ``(D) work with the entities described in 
                subparagraph (C) to establish policies and procedures 
                that enable information sharing between and among the 
                entities;
                    ``(E)(i) develop, in coordination with the 
                Assistant Secretary for Infrastructure Protection, 
                other Federal agencies, the private sector, and State 
                and local governments, a national incident response 
                plan that details the roles of Federal agencies, State 
                and local governments, and the private sector, 
                including plans to be executed in response to a 
                declaration of a national cyber emergency by the 
                President under section 249; and
                    ``(ii) establish mechanisms for assisting owners or 
                operators of critical infrastructure, including covered 
                critical infrastructure, in the deployment of emergency 
                measures or other actions, including measures to 
                restore the critical infrastructure in the event of the 
                destruction or a serious disruption of the critical 
                infrastructure;
                    ``(F) conduct risk-based assessments of the Federal 
                information infrastructure with respect to acts of 
                terrorism, natural disasters, and other large-scale 
                disruptions and provide the results of the assessments 
                to the Director of Cyberspace Policy and to affected 
                Federal agencies;
                    ``(G) develop, oversee the implementation of, and 
                enforce policies, principles, and guidelines on 
                information security for the Federal information 
                infrastructure, including timely adoption of and 
                compliance with standards developed by the National 
                Institute of Standards and Technology under section 20 
                of the National Institute of Standards and Technology 
                Act (15 U.S.C. 278g-3);
                    ``(H) provide assistance to the National Institute 
                of Standards and Technology in developing standards 
                under section 20 of the National Institute of Standards 
                and Technology Act (15 U.S.C. 278g-3);
                    ``(I) provide to Federal agencies mandatory 
                security controls to mitigate and remediate 
                vulnerabilities of and incidents affecting the Federal 
                information infrastructure;
                    ``(J) subject to paragraph (2), and as needed, 
                assist the Director of the Office of Management and 
                Budget and the Director of Cyberspace Policy in 
                conducting analysis and prioritization of budgets, 
                resources, and policies relating to the security of the 
                Federal information infrastructure;
                    ``(K) in accordance with section 253, develop, 
                periodically update, and implement a supply chain risk 
                management strategy to enhance, in a risk-based and 
                cost-effective manner, the security of the 
                communications and information technology products and 
                services purchased by the Federal Government;
                    ``(L) notify the Director of Cyberspace Policy of 
                any incident involving the Federal information 
                infrastructure, information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community, or the national information infrastructure 
                that could compromise or significantly affect economic 
                or national security;
                    ``(M) consult, in coordination with the Director of 
                Cyberspace Policy, with appropriate international 
                partners to enhance the security of the Federal 
                information infrastructure, national information 
                infrastructure, and information infrastructure located 
                outside the United States the disruption of which could 
                result in national or regional catastrophic damage in 
                the United States;
                    ``(N)(i) coordinate and integrate information to 
                analyze the composite security state of the Federal 
                information infrastructure and information 
                infrastructure that is owned, operated, controlled, or 
                licensed for use by, or on behalf of, the Department of 
                Defense, a military department, or another element of 
                the intelligence community;
                    ``(ii) ensure the information required under clause 
                (i) and section 3553(c)(1)(A) of title 44, United 
                States Code, including the views of the Director on the 
                adequacy and effectiveness of information security 
                throughout the Federal information infrastructure and 
                information infrastructure that is owned, operated, 
                controlled, or licensed for use by, or on behalf of, 
                the Department of Defense, a military department, or 
                another element of the intelligence community, is 
                available on an automated and continuous basis through 
                the system maintained under section 3552(a)(3)(D) of 
                title 44, United States Code;
                    ``(iii) in conjunction with the quadrennial 
                homeland security review required under section 707, 
                and at such other times determined appropriate by the 
                Director, analyze the composite security state of the 
                national information infrastructure and submit to the 
                President, Congress, and the Secretary a report 
                regarding actions necessary to enhance the composite 
                security state of the national information 
                infrastructure based on the analysis; and
                    ``(iv) foster collaboration and serve as the 
                primary contact between the Federal Government, State 
                and local governments, and private entities on matters 
                relating to the security of the Federal information 
                infrastructure and the national information 
                infrastructure;
                    ``(O) oversee the development, implementation, and 
                management of security requirements for Federal 
                agencies relating to the external access points to or 
                from the Federal information infrastructure;
                    ``(P) establish, develop, and oversee the 
                capabilities and operations within the US-CERT as 
                required by section 244;
                    ``(Q) oversee the operations of the National 
                Communications System, as described in Executive Order 
                12472 (49 Fed. Reg. 13471; relating to the assignment 
                of national security and emergency preparedness 
                telecommunications functions), as amended by Executive 
                Order 13286 (68 Fed. Reg. 10619) and Executive Order 
                13407 (71 Fed. Reg. 36975), or any successor thereto, 
                including planning for and providing communications for 
                the Federal Government under all circumstances, 
                including crises, emergencies, attacks, recoveries, and 
                reconstitutions;
                    ``(R) ensure, in coordination with the privacy 
                officer designated under subsection (e), the Privacy 
                Officer appointed under section 222, and the Director 
                of the Office of Civil Rights and Civil Liberties 
                appointed under section 705, that the activities of the 
                Center comply with all policies, regulations, and laws 
                protecting the privacy and civil liberties of United 
                States persons;
                    ``(S) subject to the availability of resources, in 
                accordance with applicable law relating to the 
                protection of trade secrets, and at the discretion of 
                the Director, provide voluntary technical assistance--
                            ``(i) at the request of an owner or 
                        operator of covered critical infrastructure, to 
                        assist the owner or operator in complying with 
                        sections 248 and 249, including implementing 
                        required security or emergency measures and 
                        developing response plans for national cyber 
                        emergencies declared under section 249; and
                            ``(ii) at the request of the owner or 
                        operator of national information infrastructure 
                        that is not covered critical infrastructure, 
                        and based on risk, to assist the owner or 
                        operator in implementing best practices, and 
                        related standards and guidelines, recommended 
                        under section 247 and other measures necessary 
                        to mitigate or remediate vulnerabilities of the 
                        information infrastructure and the consequences 
                        of efforts to exploit the vulnerabilities;
                    ``(T)(i) conduct, in consultation with the National 
                Cybersecurity Advisory Council, the head of appropriate 
                sector-specific agencies, and any private sector entity 
                determined appropriate by the Director, risk-based 
                assessments of national information infrastructure and 
                information infrastructure located outside the United 
                States the disruption of which could result in national 
                or regional catastrophic damage in the United States, 
                on a sector-by-sector basis, with respect to acts of 
                terrorism, natural disasters, and other large-scale 
                disruptions or financial harm, which shall identify and 
                prioritize risks to the national information 
                infrastructure and information infrastructure located 
                outside the United States the disruption of which could 
                result in national or regional catastrophic damage in 
                the United States, including vulnerabilities and 
                associated consequences; and
                    ``(ii) coordinate and evaluate the mitigation or 
                remediation of vulnerabilities and consequences 
                identified under clause (i);
                    ``(U) regularly evaluate and assess technologies 
                designed to enhance the protection of the Federal 
                information infrastructure and national information 
                infrastructure, including an assessment of the cost-
                effectiveness of the technologies;
                    ``(V) promote the use of the best practices 
                recommended under section 247 to State and local 
                governments and the private sector;
                    ``(W) develop and implement outreach and awareness 
                programs on cybersecurity, including--
                            ``(i) a public education campaign to 
                        increase the awareness of cybersecurity, cyber 
                        safety, and cyber ethics, which shall include 
                        use of the Internet, social media, 
                        entertainment, and other media to reach the 
                        public;
                            ``(ii) an education campaign to increase 
                        the understanding of State and local 
                        governments and private sector entities of the 
                        costs of failing to ensure effective security 
                        of information infrastructure and cost-
                        effective methods to mitigate and remediate 
                        vulnerabilities; and
                            ``(iii) outcome-based performance measures 
                        to determine the success of the programs;
                    ``(X) develop and implement a national 
                cybersecurity exercise program that includes--
                            ``(i) the participation of State and local 
                        governments, international partners of the 
                        United States, and the private sector;
                            ``(ii) an after action report analyzing 
                        lessons learned from exercises and identifying 
                        vulnerabilities to be remediated or mitigated; 
                        and
                            ``(iii) oversight, in coordination with the 
                        Director of the Office of Cyberspace Policy, of 
                        the efforts by Federal agencies to address 
                        deficiencies identified in the after action 
                        reports required under clause (ii);
                    ``(Y) coordinate with the Assistant Secretary for 
                Infrastructure Protection to ensure that--
                            ``(i) cybersecurity is appropriately 
                        addressed in carrying out the infrastructure 
                        protection responsibilities described in 
                        section 201(d); and
                            ``(ii) the operations of the Center and the 
                        Office of Infrastructure Protection avoid 
                        duplication and use, to the maximum extent 
                        practicable, joint mechanisms for information 
                        sharing and coordination with the private 
                        sector;
                    ``(Z) oversee the activities of the Office of 
                Emergency Communications established under section 
                1801;
                    ``(AA) in coordination with the Director of the 
                Office of Cyberspace Policy and the heads of relevant 
                Federal agencies, develop and implement an identity 
                management strategy for cyberspace, which shall 
                include, at a minimum, research and development goals, 
                an analysis of appropriate protections for privacy and 
                civil liberties, and mechanisms to develop and 
                disseminate best practices and standards relating to 
                identity management, including usability and 
                transparency; and
                    ``(BB) perform such other duties as the Secretary 
                may direct relating to the security and resiliency of 
                the information and communications infrastructure of 
                the United States.
            ``(2) Budget analysis.--In conducting analysis and 
        prioritization of budgets under paragraph (1)(J), the 
        Director--
                    ``(A) in coordination with the Director of the 
                Office of Management and Budget, may access information 
                from any Federal agency regarding the finances, budget, 
                and programs of the Federal agency relevant to the 
                security of the Federal information infrastructure;
                    ``(B) may make recommendations to the Director of 
                the Office of Management and Budget and the Director of 
                Cyberspace Policy regarding the budget for each Federal 
                agency to ensure that adequate funding is devoted to 
                securing the Federal information infrastructure, in 
                accordance with policies, principles, and guidelines 
                established by the Director under this subtitle; and
                    ``(C) shall provide copies of any recommendations 
                made under subparagraph (B) to--
                            ``(i) the Committee on Appropriations of 
                        the Senate;
                            ``(ii) the Committee on Appropriations of 
                        the House of Representatives; and
                            ``(iii) the appropriate committees of 
                        Congress.
    ``(g) Use of Mechanisms for Collaboration.--In carrying out the 
responsibilities and authorities of the Director under this subtitle, 
to the maximum extent practicable, the Director shall use mechanisms 
for collaboration and information sharing (including mechanisms 
relating to the identification and communication of threats, 
vulnerabilities, and associated consequences) established by other 
components of the Department or other Federal agencies to avoid 
unnecessary duplication or waste.
    ``(h) Sufficiency of Resources Plan.--
            ``(1) Report.--Not later than 120 days after the date of 
        enactment of this subtitle, the Director of the Office of 
        Management and Budget shall submit to the appropriate 
        committees of Congress and the Comptroller General of the 
        United States a report on the resources and staff necessary to 
        carry out fully the responsibilities under this subtitle.
            ``(2) Comptroller general review.--
                    ``(A) In general.--The Comptroller General of the 
                United States shall evaluate the reasonableness and 
                adequacy of the report submitted by the Director under 
                paragraph (1).
                    ``(B) Report.--Not later than 60 days after the 
                date on which the report is submitted under paragraph 
                (1), the Comptroller General shall submit to the 
                appropriate committees of Congress a report containing 
                the findings of the review under subparagraph (A).
    ``(i) Functions Transferred.--There are transferred to the Center 
the National Cyber Security Division, the Office of Emergency 
Communications, and the National Communications System, including all 
the functions, personnel, assets, authorities, and liabilities of the 
National Cyber Security Division, the Office of Emergency 
Communications, and the National Communications System.
    ``(j) Assistant to the Director for State, Local, and Private 
Sector Outreach.--The Director shall identify a senior official in the 
Center who--
            ``(1) shall report directly to the Director; and
            ``(2) in coordination with the Special Assistant to the 
        Secretary appointed under section 102(f), shall--
                    ``(A) advise the Director on policies and 
                regulations, rules, requirements or other actions 
                affecting the private sector, including the economic 
                impact;
                    ``(B) work with individual businesses and other 
                nongovernmental organizations to foster dialogue with 
                the Center;
                    ``(C) foster partnerships and facilitate 
                communication between the Center and State and local 
                governments and private sector entities;
                    ``(D) coordinate and maintain communication and 
                interaction with State and local governments and 
                private sector entities on matters relating to the 
                security of the Federal information infrastructure and 
                the national information infrastructure;
                    ``(E) assist the Director in sharing best 
                practices, guidelines, and other important information 
                relating to the policies, goals, and activities of the 
                Center;
                    ``(F) assist the Director in developing and 
                implementing the national cybersecurity exercise 
                program under subsection (f)(1)(X) as it relates to 
                State and local governments and private sector 
                entities;
                    ``(G) assist the Director in developing the 
                national incident response plan under subsection 
                (f)(1)(E) as it relates to State and local governments 
                and private sector entities;
                    ``(H) assist the Director in information sharing 
                activities of the Center as it relates to State and 
                local governments and private sector entities; and
                    ``(I) perform any other duties, as directed by the 
                Director.

``SEC. 243. PHYSICAL AND CYBER INFRASTRUCTURE COLLABORATION.

    ``(a) In General.--The Director and the Assistant Secretary for 
Infrastructure Protection shall coordinate the information, 
communications, and physical infrastructure protection responsibilities 
and activities of the Center and the Office of Infrastructure 
Protection.
    ``(b) Oversight.--The Secretary shall ensure that the coordination 
described in subsection (a) occurs.

``SEC. 244. UNITED STATES COMPUTER EMERGENCY READINESS TEAM.

    ``(a) Establishment of Office.--There is established within the 
Center, the United States Computer Emergency Readiness Team, which 
shall be headed by a Director, who shall be selected from the Senior 
Executive Service by the Secretary.
    ``(b) Responsibilities.--The US-CERT shall--
            ``(1) collect, coordinate, and disseminate information on--
                    ``(A) risks to the Federal information 
                infrastructure, information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community, or the national information infrastructure; 
                and
                    ``(B) security controls to enhance the security of 
                the Federal information infrastructure or the national 
                information infrastructure against the risks identified 
                in subparagraph (A); and
            ``(2) establish a mechanism for engagement with the private 
        sector.
    ``(c) Monitoring, Analysis, Warning, and Response.--
            ``(1) Duties.--Subject to paragraph (2), the US-CERT 
        shall--
                    ``(A) provide analysis and reports to Federal 
                agencies on the security of the Federal information 
                infrastructure;
                    ``(B) provide continuous, automated monitoring of 
                the Federal information infrastructure at external 
                Internet access points, which shall include detection 
                and warning of threats, vulnerabilities, traffic, 
                trends, incidents, and other anomalous activities 
                affecting the information security of the Federal 
                information infrastructure;
                    ``(C) warn Federal agencies of threats, 
                vulnerabilities, incidents, and anomalous activities 
                that could affect the Federal information 
                infrastructure;
                    ``(D) develop, recommend, and deploy security 
                controls to mitigate or remediate vulnerabilities;
                    ``(E) support Federal agencies in conducting risk 
                assessments of the agency information infrastructure;
                    ``(F) disseminate to Federal agencies risk analyses 
                of incidents that could impair the risk-based security 
                of the Federal information infrastructure;
                    ``(G) develop and acquire predictive analytic tools 
                to evaluate threats, vulnerabilities, traffic, trends, 
                incidents, and anomalous activities;
                    ``(H) aid in the detection of, and warn owners or 
                operators of national information infrastructure 
                regarding, threats, vulnerabilities, and incidents, 
                affecting the national information infrastructure, 
                including providing--
                            ``(i) timely, targeted, and actionable 
                        notifications of threats, vulnerabilities, and 
                        incidents;
                            ``(ii) notifications under this 
                        subparagraph; and
                            ``(iii) recommended security controls to 
                        mitigate or remediate vulnerabilities; and
                    ``(I) respond to assistance requests from Federal 
                agencies and, subject to the availability of resources, 
                owners or operators of the national information 
                infrastructure to--
                            ``(i) isolate, mitigate, or remediate 
                        incidents;
                            ``(ii) recover from damages and mitigate or 
                        remediate vulnerabilities; and
                            ``(iii) evaluate security controls and 
                        other actions taken to secure information 
                        infrastructure and incorporate lessons learned 
                        into best practices, policies, principles, and 
                        guidelines.
            ``(2) Requirement.--With respect to the Federal information 
        infrastructure, the US-CERT shall conduct the activities 
        described in paragraph (1) in a manner consistent with the 
        responsibilities of the head of a Federal agency described in 
        section 3553 of title 44, United States Code.
            ``(3) Report.--Not later than 1 year after the date of 
        enactment of this subtitle, and every year thereafter, the 
        Secretary shall--
                    ``(A) in conjunction with the Inspector General of 
                the Department, conduct an independent audit or review 
                of the activities of the US-CERT under paragraph 
                (1)(B), which shall include, at a minimum, an 
                assessment of whether and to what extent the activities 
                authorized under paragraph (1)(B) have monitored 
                communications other than communications to or from a 
                Federal agency; and
                    ``(B) submit to the appropriate committees of 
                Congress and the President a report regarding the audit 
                or review under subparagraph (A).
            ``(4) Classified annex.--A report submitted under paragraph 
        (3) shall be submitted in an unclassified form, but may include 
        a classified annex, if necessary.
    ``(d) Procedures for Federal Government.--Not later than 90 days 
after the date of enactment of this subtitle, the head of each Federal 
agency shall establish procedures for the Federal agency that ensure 
that the US-CERT can perform the functions described in subsection (c) 
in relation to the Federal agency.
    ``(e) Operational Updates.--The US-CERT shall provide unclassified 
and, as appropriate, classified updates regarding the composite 
security state of the Federal information infrastructure to the Federal 
Information Security Taskforce.
    ``(f) Federal Points of Contact.--The Director of the US-CERT shall 
designate a principal point of contact within the US-CERT for each 
Federal agency to--
            ``(1) maintain communication;
            ``(2) ensure cooperative engagement and information 
        sharing; and
            ``(3) respond to inquiries or requests.
    ``(g) Requests for Information or Physical Access.--
            ``(1) Information access.--Upon request of the Director of 
        the US-CERT, the head of a Federal agency or an Inspector 
        General for a Federal agency shall provide any law enforcement 
        information, intelligence information, terrorism information, 
        or any other information (including information relating to 
        incidents provided under subsections (a)(4) and (c) of section 
        246) relevant to the security of the Federal information 
        infrastructure or the national information infrastructure 
        necessary to carry out the duties, responsibilities, and 
        authorities under this subtitle.
            ``(2) Physical access.--Upon request of the Director, and 
        in consultation with the head of a Federal agency, the Federal 
        agency shall provide physical access to any facility of the 
        Federal agency necessary to determine whether the Federal 
        agency is in compliance with any policies, principles, and 
        guidelines established by the Director under this subtitle, or 
        otherwise necessary to carry out the duties, responsibilities, 
        and authorities of the Director applicable to the Federal 
        information infrastructure.

``SEC. 245. ADDITIONAL AUTHORITIES OF THE DIRECTOR OF THE NATIONAL 
              CENTER FOR CYBERSECURITY AND COMMUNICATIONS.

    ``(a) Access to Information.--Unless otherwise directed by the 
President--
            ``(1) the Director shall access, receive, and analyze law 
        enforcement information, intelligence information, terrorism 
        information, and any other information (including information 
        relating to incidents provided under subsections (a)(4) and (c) 
        of section 246) relevant to the security of the Federal 
        information infrastructure, information infrastructure that is 
        owned, operated, controlled, or licensed for use by, or on 
        behalf of, the Department of Defense, a military department, or 
        another element of the intelligence community, or national 
        information infrastructure from Federal agencies and, 
        consistent with applicable law, State and local governments 
        (including law enforcement agencies), and private entities, 
        including information provided by any contractor to a Federal 
        agency regarding the security of the agency information 
        infrastructure;
            ``(2) any Federal agency in possession of law enforcement 
        information, intelligence information, terrorism information, 
        or any other information (including information relating to 
        incidents provided under subsections (a)(4) and (c) of section 
        246) relevant to the security of the Federal information 
        infrastructure, information infrastructure that is owned, 
        operated, controlled, or licensed for use by, or on behalf of, 
        the Department of Defense, a military department, or another 
        element of the intelligence community, or national information 
        infrastructure shall provide that information to the Director 
        in a timely manner; and
            ``(3) the Director, in coordination with the Director of 
        the Office of Management and Budget, the Attorney General, the 
        Privacy and Civil Liberties Oversight Board established under 
        section 1061 of the National Security Intelligence Reform Act 
        of 2004 (42 U.S.C. 2000ee), the Director of National 
        Intelligence, and the Archivist of the United States, shall 
        establish guidelines to ensure that information is transferred, 
        stored, and preserved--
                    ``(A) in accordance with applicable laws relating 
                to the protection of trade secrets and other applicable 
                laws; and
                    ``(B) in a manner that protects the privacy and 
                civil liberties of United States persons and 
                intelligence sources and methods.
    ``(b) Operational Evaluations.--
            ``(1) In general.--The Director--
                    ``(A) subject to paragraph (2), shall develop, 
                maintain, and enhance capabilities to evaluate the 
                security of the Federal information infrastructure as 
                described in section 3554(a)(3) of title 44, United 
                States Code, including the ability to conduct risk-
                based penetration testing and vulnerability 
                assessments;
                    ``(B) in carrying out subparagraph (A), may request 
                technical assistance from the Director of the Federal 
                Bureau of Investigation, the Director of the National 
                Security Agency, the head of any other Federal agency 
                that may provide support, and any nongovernmental 
                entity contracting with the Department or another 
                Federal agency; and
                    ``(C) in consultation with the Attorney General and 
                the Privacy and Civil Liberties Oversight Board 
                established under section 1061 of the National Security 
                Intelligence Reform Act of 2004 (42 U.S.C. 2000ee), 
                shall develop guidelines to ensure compliance with all 
                applicable laws relating to the privacy of United 
                States persons in carrying out the operational 
                evaluations under subparagraph (A).
            ``(2) Operational evaluations.--
                    ``(A) In general.--The Director may conduct risk-
                based operational evaluations of the agency information 
                infrastructure of any Federal agency, at a time 
                determined by the Director, in consultation with the 
                head of the Federal agency, using the capabilities 
                developed under paragraph (1)(A).
                    ``(B) Annual evaluation requirement.--If the 
                Director conducts an operational evaluation under 
                subparagraph (A) or an operational evaluation at the 
                request of a Federal agency to meet the requirements of 
                section 3554 of title 44, United States Code, the 
                operational evaluation shall satisfy the requirements 
                of section 3554 for the Federal agency for the year of 
                the evaluation, unless otherwise specified by the 
                Director.
    ``(c) Corrective Measures and Mitigation Plans.--If the Director 
determines that a Federal agency is not in compliance with applicable 
policies, principles, standards, and guidelines applicable to the 
Federal information infrastructure--
            ``(1) the Director, in consultation with the Director of 
        the Office of Management and Budget, may direct the head of the 
        Federal agency to--
                    ``(A) take corrective measures to meet the 
                policies, principles, standards, and guidelines; and
                    ``(B) develop a plan to remediate or mitigate any 
                vulnerabilities addressed by the policies, principles, 
                standards, and guidelines;
            ``(2) within such time period as the Director shall 
        prescribe, the head of the Federal agency shall--
                    ``(A) implement a corrective measure or develop a 
                mitigation plan in accordance with paragraph (1); or
                    ``(B) submit to the Director, the Director of the 
                Office of Management and Budget, the Inspector General 
                for the Federal agency, and the appropriate committees 
                of Congress a report indicating why the Federal agency 
                has not implemented the corrective measure or developed 
                a mitigation plan; and
            ``(3) after providing notice to the head of the affected 
        Federal agency, the Director may direct the isolation of any 
        component of the agency information infrastructure, consistent 
        with the contingency or continuity of operation plans 
        applicable to the agency information infrastructure, until 
        corrective measures are taken or mitigation plans approved by 
        the Director are put in place, if--
                    ``(A) the head of the Federal agency has failed to 
                comply with the corrective measures prescribed under 
                paragraph (1); and
                    ``(B) the failure to comply presents a significant 
                danger to the Federal information infrastructure.

``SEC. 246. INFORMATION SHARING.

    ``(a) Federal Agencies.--
            ``(1) Information sharing program.--Consistent with the 
        responsibilities described in sections 242 and 244, the 
        Director, in consultation with the other members of the Chief 
        Information Officers Council established under section 3603 of 
        title 44, United States Code, and the Federal Information 
        Security Taskforce, shall establish a program for sharing 
        information with and between the Center and other Federal 
        agencies that includes processes and procedures, including 
        standard operating procedures--
                    ``(A) under which the Director regularly shares 
                with each Federal agency--
                            ``(i) analysis and reports on the composite 
                        security state of the Federal information 
                        infrastructure and information infrastructure 
                        that is owned, operated, controlled, or 
                        licensed for use by, or on behalf of, the 
                        Department of Defense, a military department, 
                        or another element of the intelligence 
                        community, which shall include information 
                        relating to threats, vulnerabilities, 
                        incidents, or anomalous activities;
                            ``(ii) any available analysis and reports 
                        regarding the security of the agency 
                        information infrastructure; and
                            ``(iii) means and methods of preventing, 
                        responding to, mitigating, and remediating 
                        vulnerabilities; and
                    ``(B) under which the Director may request 
                information from Federal agencies concerning the 
                security of the Federal information infrastructure, 
                information infrastructure that is owned, operated, 
                controlled, or licensed for use by, or on behalf of, 
                the Department of Defense, a military department, or 
                another element of the intelligence community, or the 
                national information infrastructure necessary to carry 
                out the duties of the Director under this subtitle or 
                any other provision of law.
            ``(2) Contents.--The program established under this section 
        shall include--
                    ``(A) timeframes for the sharing of information 
                under paragraph (1);
                    ``(B) guidance on what information shall be shared, 
                including information regarding incidents;
                    ``(C) a tiered structure that provides guidance for 
                the sharing of urgent information; and
                    ``(D) processes and procedures under which the 
                Director or the head of a Federal agency may report 
                noncompliance with the program to the Director of 
                Cyberspace Policy.
            ``(3) US-CERT.--The Director of the US-CERT shall ensure 
        that the head of each Federal agency has continual access to 
        data collected by the US-CERT regarding the agency information 
        infrastructure of the Federal agency.
            ``(4) Federal agencies.--
                    ``(A) In general.--The head of a Federal agency 
                shall comply with all processes and procedures 
                established under this subsection regarding 
                notification to the Director relating to incidents.
                    ``(B) Immediate notification required.--Unless 
                otherwise directed by the President, any Federal agency 
                with a national security system shall immediately 
                notify the Director regarding any incident affecting 
                the risk-based security of the national security 
                system.
    ``(b) State and Local Governments, Private Sector, and 
International Partners.--
            ``(1) In general.--The Director shall establish processes 
        and procedures, including standard operating procedures, to 
        ensure bidirectional information sharing with State and local 
        governments, private entities, and international partners of 
        the United States on--
                    ``(A) threats, vulnerabilities, incidents, and 
                anomalous activities affecting the national information 
                infrastructure; and
                    ``(B) means and methods of preventing, responding 
                to, and mitigating and remediating vulnerabilities.
            ``(2) Contents.--The processes and procedures established 
        under paragraph (1) shall include--
                    ``(A) means or methods of accessing classified or 
                unclassified information, as appropriate and in 
                accordance with applicable laws regarding trade 
                secrets, that will provide situational awareness of the 
                security of the Federal information infrastructure and 
                the national information infrastructure relating to 
                threats, vulnerabilities, traffic, trends, incidents, 
                and other anomalous activities affecting the Federal 
                information infrastructure or the national information 
                infrastructure;
                    ``(B) a mechanism, established in consultation with 
                the heads of the relevant sector-specific agencies, 
                sector coordinating councils, and information sharing 
                and analysis centers, by which owners and operators of 
                covered critical infrastructure shall report incidents 
                in the information infrastructure for covered critical 
                infrastructure under subsection (c)(1)(A);
                    ``(C) guidance on the form, content, and priority 
                of incident reports that shall be submitted under 
                subsection (c)(1)(A), which shall--
                            ``(i) include appropriate mechanisms to 
                        protect--
                                    ``(I) information in accordance 
                                with section 251;
                                    ``(II) personally identifiable 
                                information; and
                                    ``(III) trade secrets; and
                            ``(ii) prioritize the reporting of 
                        incidents based on the risk the incident poses 
                        to the disruption of the reliable operation of 
                        the covered critical infrastructure;
                    ``(D) a procedure for notifying an information 
                technology provider if a vulnerability is detected in 
                the product or service produced by the information 
                technology provider and, where possible, working with 
                the information technology provider to remediate the 
                vulnerability before any public disclosure of the 
                vulnerability so as to minimize the opportunity for the 
                vulnerability to be exploited; and
                    ``(E) an evaluation of the need to provide security 
                clearances to employees of State and local governments, 
                private entities, and international partners to carry 
                out this subsection.
            ``(3) Guidelines.--The Director, in consultation with the 
        Attorney General, the Director of National Intelligence, and 
        the Privacy Officer established under section 242(e), shall 
        develop guidelines to protect the privacy and civil liberties 
        of United States persons and intelligence sources and methods, 
        while carrying out this subsection.
    ``(c) Incidents.--
            ``(1) Non-federal entities.--
                    ``(A) In general.--
                            ``(i) Mandatory reporting.--Subject to 
                        clause (ii), the owner or operator of covered 
                        critical infrastructure shall report any 
                        incident affecting the information 
                        infrastructure of covered critical 
                        infrastructure to the extent the incident might 
                        indicate an actual or potential cyber risk, or 
                        exploitation of a cyber risk, in accordance 
                        with the policies and procedures for the 
                        mechanism established under subsection 
                        (b)(2)(B) and guidelines developed under 
                        subsection (b)(3).
                            ``(ii) Limitation.--Clause (i) shall not 
                        authorize the Director, the Center, the 
                        Department, or any other Federal entity to--
                                    ``(I) compel the disclosure of 
                                information relating to an incident 
                                unless otherwise authorized by law; or
                                    ``(II) intercept a wire, oral, or 
                                electronic communication (as those 
                                terms are defined in section 2510 of 
                                title 18, United States Code), access a 
                                stored electronic or wire 
                                communication, install or use a pen 
                                register or trap and trace device, or 
                                conduct electronic surveillance (as 
                                defined in section 101 of the Foreign 
                                Intelligence Surveillance Act of 1978 
                                 (50 U.S.C. 1801)) relating to an 
                                 incident unless otherwise authorized 
                                 under chapter 119, chapter 121, or 
                                 chapter 206 of title 18, United States 
                                 Code, or the Foreign Intelligence 
                                 Surveillance Act of 1978 (50 U.S.C. 
                                 1801 et seq.).
                    ``(B) Reporting procedures.--The Director shall 
                establish procedures that enable and encourage the 
                owner or operator of national information 
                infrastructure to report to the Director regarding 
                incidents affecting such information infrastructure.
            ``(2) Information protection.--Notwithstanding any other 
        provision of law, information reported under paragraph (1) 
        shall be protected from unauthorized disclosure, in accordance 
        with section 251.
    ``(d) Additional Responsibilities.--The Director shall--
            ``(1) share data collected on the Federal information 
        infrastructure with the National Science Foundation and other 
        accredited research institutions for the sole purpose of 
        cybersecurity research in a manner that protects privacy and 
        civil liberties of United States persons and intelligence 
        sources and methods;
            ``(2) establish a website to provide an opportunity for the 
        public to provide--
                    ``(A) input about the operations of the Center; and
                    ``(B) recommendations for improvements of the 
                Center; and
            ``(3) in coordination with the Secretary of Defense, the 
        Director of National Intelligence, the Secretary of State, and 
        the Attorney General, develop information sharing pilot 
        programs with international partners of the United States.

``SEC. 247. PRIVATE SECTOR ASSISTANCE.

    ``(a) In General.--The Director, in consultation with the Director 
of the National Institute of Standards and Technology, the Director of 
the National Security Agency, the head of any relevant sector-specific 
agency, the National Cybersecurity Advisory Council, State and local 
governments, and any private entities the Director determines 
appropriate, shall establish a program to promote, and provide 
technical assistance authorized under section 242(f)(1)(S) relating to 
the implementation of, best practices and related standards and 
guidelines for securing the national information infrastructure, 
including the costs and benefits associated with the implementation of 
the best practices and related standards and guidelines.
    ``(b) Analysis and Improvement of Standards and Guidelines.--For 
purposes of the program established under subsection (a), the Director 
shall--
            ``(1) regularly assess and evaluate cybersecurity standards 
        and guidelines issued by private sector organizations, 
        recognized international and domestic standards setting 
        organizations, and Federal agencies; and
            ``(2) in coordination with the National Institute of 
        Standards and Technology, encourage the development of, and 
        recommend changes to, the standards and guidelines described in 
        paragraph (1) for securing the national information 
        infrastructure.
    ``(c) Guidance and Technical Assistance.--
            ``(1) In general.--The Director shall promote best 
        practices and related standards and guidelines to assist owners 
        and operators of national information infrastructure in 
        increasing the security of the national information 
        infrastructure and protecting against and mitigating or 
        remediating known vulnerabilities.
            ``(2) Requirement.--Technical assistance provided under 
        section 242(f)(1)(S) and best practices promoted under this 
        section shall be prioritized based on risk.
    ``(d) Criteria.--In promoting best practices or recommending 
changes to standards and guidelines under this section, the Director 
shall ensure that best practices, and related standards and 
guidelines--
            ``(1) address cybersecurity in a comprehensive, risk-based 
        manner;
            ``(2) include consideration of the cost of implementing 
        such best practices or of implementing recommended changes to 
        standards and guidelines;
            ``(3) increase the ability of the owners or operators of 
        national information infrastructure to protect against and 
        mitigate or remediate known vulnerabilities;
            ``(4) are suitable, as appropriate, for implementation by 
        small business concerns;
            ``(5) as necessary and appropriate, are sector specific;
            ``(6) to the maximum extent possible, incorporate standards 
        and guidelines established by private sector organizations, 
        recognized international and domestic standards setting 
        organizations, and Federal agencies;
            ``(7) consider voluntary programs by internet service 
        providers to assist individuals using the internet service 
        providers in the identification and mitigation of cyber threats 
        and vulnerabilities, with the consent of the individual users; 
        and
            ``(8) provide sufficient flexibility to permit a range of 
        security solutions.

``SEC. 248. CYBER RISKS TO COVERED CRITICAL INFRASTRUCTURE.

    ``(a) Identification of Cyber Risks.--
            ``(1) In general.--Based on the risk-based assessments 
        conducted under section 242(f)(1)(T)(i), the Director, in 
        coordination with the head of the sector-specific agency with 
        responsibility for covered critical infrastructure and the head 
        of any Federal agency that is not a sector-specific agency with 
        responsibilities for regulating the covered critical 
        infrastructure, and in consultation with the National 
        Cybersecurity Advisory Council and any private sector entity 
        determined appropriate by the Director, shall, on a continuous 
        and sector-by-sector basis, identify and evaluate the cyber 
        risks to covered critical infrastructure.
            ``(2) Factors to be considered.--In identifying and 
        evaluating cyber risks under paragraph (1), the Director shall 
        consider--
                    ``(A) the actual or assessed threat, including a 
                consideration of adversary capabilities and intent, 
                preparedness, target attractiveness, and deterrence 
                capabilities;
                    ``(B) the extent and likelihood of death, injury, 
                or serious adverse effects to human health and safety 
                caused by a disruption of the reliable operation of 
                covered critical infrastructure;
                    ``(C) the threat to or impact on national security 
                caused by a disruption of the reliable operation of 
                covered critical infrastructure;
                    ``(D) the extent to which the disruption of the 
                reliable operation of covered critical infrastructure 
                will disrupt the reliable operation of other covered 
                critical infrastructure;
                    ``(E) the harm to the economy that would result 
                from a disruption of the reliable operation of covered 
                critical infrastructure; and
                    ``(F) other risk-based security factors that the 
                Director, in consultation with the head of the sector-
                specific agency with responsibility for the covered 
                critical infrastructure and the head of any Federal 
                agency that is not a sector-specific agency with 
                responsibilities for regulating the covered critical 
                infrastructure, determine to be appropriate and 
                necessary to protect public health and safety, critical 
                infrastructure, or national and economic security.
            ``(3) Report.--
                    ``(A) In general.--Not later than 180 days after 
                the date of enactment of this subtitle, and annually 
                thereafter, the Director, in coordination with the head 
                of the sector-specific agency with responsibility for 
                the covered critical infrastructure and the head of any 
                Federal agency that is not a sector-specific agency 
                with responsibilities for regulating the covered 
                critical infrastructure, shall submit to the 
                appropriate committees of Congress a report on the 
                findings of the identification and evaluation of cyber 
                risks under this subsection. Each report submitted 
                under this paragraph shall be submitted in an 
                unclassified form, but may include a classified annex.
                    ``(B) Input.--For purposes of the reports required 
                under subparagraph (A), the Director shall create a 
                process under which owners and operators of covered 
                critical infrastructure may provide input on the 
                findings of the reports.
    ``(b) Risk-based Security Performance Requirements.--
            ``(1) In general.--Not later than 270 days after the date 
        of the enactment of this subtitle, in coordination with the 
        heads of the sector-specific agencies with responsibility for 
        covered critical infrastructure and the head of any Federal 
        agency that is not a sector-specific agency with 
        responsibilities for regulating the covered critical 
        infrastructure, and in consultation with the National 
        Cybersecurity Advisory Council and any private sector entity 
        determined appropriate by the Director, the Director shall 
        issue interim final regulations establishing risk-based 
        security performance requirements to secure covered critical 
        infrastructure against cyber risks through the adoption of 
        security measures that satisfy the security performance 
        requirements identified by the Director.
            ``(2) Procedures.--The regulations issued under this 
        subsection shall--
                    ``(A) include a process under which owners and 
                operators of covered critical infrastructure are 
                informed of identified cyber risks and security 
                performance requirements designed to remediate or 
                mitigate the cyber risks, in combination with best 
                practices recommended under section 247;
                    ``(B) establish a process for owners and operators 
                of covered critical infrastructure to select security 
                measures, including any best practices recommended 
                under section 247, that, in combination, satisfy the 
                security performance requirements established by the 
                Director under this subsection;
                    ``(C) establish a process for owners and operators 
                of covered critical infrastructure to develop response 
                plans for a national cyber emergency declared under 
                section 249;
                    ``(D) establish a process under which the 
                Director--
                            ``(i) is notified of the security measures 
                        selected by the owner or operator of covered 
                        critical infrastructure under subparagraph (B); 
                        and
                            ``(ii) may determine whether the proposed 
                        security measures satisfy the security 
                        performance requirements established by the 
                        Director under this subsection; and
                    ``(E) establish a process under which the 
                Director--
                            ``(i) identifies to owners and operators of 
                        covered critical infrastructure cyber risks 
                        that are not capable of effective remediation 
                        or mitigation using available best practices or 
                        security measures;
                            ``(ii) provides owners and operators of 
                        covered critical infrastructure the opportunity 
                        to develop best practices or security measures 
                        to remediate or mitigate the cyber risks 
                        identified in clause (i) without the prior 
                        approval of the Director and without affecting 
                        the compliance of the covered critical 
                        infrastructure with the requirements under this 
                        section;
                            ``(iii) in accordance with applicable law 
                        relating to the protection of trade secrets, 
                        permits owners and operators of covered 
                        critical infrastructure to report to the Center 
                        the development of effective best practices or 
                        security measures to remediate or mitigate the 
                        cyber risks identified under clause (i); and
                            ``(iv) incorporates the best practices and 
                        security measures developed into the risk-based 
                        security performance requirements under this 
                        section.
            ``(3) International cooperation on securing covered 
        critical infrastructure.--
                    ``(A) In general.--The Director, in coordination 
                with the head of the sector-specific agency with 
                responsibility for covered critical infrastructure and 
                the head of any Federal agency that is not a sector-
                specific agency with responsibilities for regulating 
                the covered critical infrastructure, shall--
                            ``(i) consistent with the protection of 
                        intelligence sources and methods and other 
                        sensitive matters, inform the owner or operator 
                        of information infrastructure located outside 
                        the United States the disruption of which could 
                        result in national or regional catastrophic 
                        damage in the United States and the government 
                        of the country in which the information 
                        infrastructure is located of any cyber risks to 
                        the information infrastructure; and
                            ``(ii) coordinate with the government of 
                        the country in which the information 
                        infrastructure is located and, as appropriate, 
                        the owner or operator of the information 
                        infrastructure, regarding the implementation of 
                        security measures or other measures to the 
                        information infrastructure to mitigate or 
                        remediate cyber risks.
                    ``(B) International agreements.--The Director shall 
                carry out this paragraph in a manner consistent with 
                applicable international agreements.
            ``(4) Risk-based security performance requirements.--
                    ``(A) In general.--The security performance 
                requirements established by the Director under this 
                subsection shall be--
                            ``(i) based on the factors listed in 
                        subsection (a)(2); and
                            ``(ii) designed to remediate or mitigate 
                        identified cyber risks and any associated 
                        consequences of an exploitation based on such 
                        risks.
                    ``(B) Consultation.--In establishing security 
                performance requirements under this subsection, the 
                Director shall, to the maximum extent practicable, 
                consult with--
                            ``(i) the Director of the National Security 
                        Agency;
                            ``(ii) the Director of the National 
                        Institute of Standards and Technology;
                            ``(iii) the National Cybersecurity Advisory 
                        Council;
                            ``(iv) the heads of sector-specific 
                        agencies; and
                            ``(v) the heads of Federal agencies that 
                        are not sector-specific agencies with 
                        responsibilities for regulating the covered 
                        critical infrastructure.
                    ``(C) Alternative measures.--
                            ``(i) In general.--The owners and operators 
                        of covered critical infrastructure shall have 
                        flexibility to implement any security measure, 
                        or combination thereof, to satisfy the security 
                        performance requirements described in 
                        subparagraph (A) and the Director may not 
                        disapprove under this section any proposed 
                        security measures, or combination thereof, 
                        based on the presence or absence of any 
                        particular security measure if the proposed 
                        security measures, or combination thereof, 
                        satisfy the security performance requirements 
                        established by the Director under this section 
                        or are consistent with the process for 
                        addressing new or evolving cyber risks 
                        established under paragraph (2)(E).
                            ``(ii) Recommended security measures.--The 
                        Director may recommend to an owner and operator 
                        of covered critical infrastructure a specific 
                        security measure, or combination thereof, that 
                        will satisfy the security performance 
                        requirements established by the Director. The 
                        absence of the recommended security measures, 
                        or combination thereof, may not serve as the 
                        basis for a disapproval of the security 
                        measure, or combination thereof, proposed by 
                        the owner or operator of covered critical 
                        infrastructure if the proposed security 
                        measure, or combination thereof, otherwise 
                        satisfies the security performance requirements 
                        established by the Director under this section.

``SEC. 249. NATIONAL CYBER EMERGENCIES.

    ``(a) Declaration.--
            ``(1) In general.--The President may issue a declaration of 
        a national cyber emergency to covered critical infrastructure 
        if there is an ongoing or imminent action by any individual or 
        entity to exploit a cyber risk in a manner that disrupts, 
        attempts to disrupt, or poses a significant risk of disruption 
        to the operation of the information infrastructure essential to 
        the reliable operation of covered critical infrastructure. Any 
        declaration under this section shall specify the covered 
        critical infrastructure subject to the national cyber 
        emergency.
            ``(2) Notification.--Upon issuing a declaration under 
        paragraph (1), the President shall, consistent with the 
        protection of intelligence sources and methods, notify the 
        owners and operators of the specified covered critical 
        infrastructure and any other relevant private sector entity of 
        the nature of the national cyber emergency.
            ``(3) Authorities.--If the President issues a declaration 
        under paragraph (1), the Director shall--
                    ``(A) immediately direct the owners and operators 
                of covered critical infrastructure subject to the 
                declaration under paragraph (1) to implement response 
                plans required under section 248(b)(2)(C);
                    ``(B) develop and coordinate emergency measures or 
                actions necessary to preserve the reliable operation, 
                and mitigate or remediate the consequences of the 
                potential disruption, of covered critical 
                infrastructure;
                    ``(C) ensure that emergency measures or actions 
                directed under this section represent the least 
                disruptive means feasible to the operations of the 
                covered critical infrastructure and to the national 
                information infrastructure;
                    ``(D) subject to subsection (g), direct actions by 
                other Federal agencies to respond to the national cyber 
                emergency;
                    ``(E) coordinate with officials of State and local 
                governments, international partners of the United 
                States, owners and operators of covered critical 
                infrastructure specified in the declaration, and other 
                relevant private sector entities to respond to the 
                national cyber emergency;
                    ``(F) initiate a process under section 248 to 
                address the cyber risk that may be exploited by the 
                national cyber emergency; and
                    ``(G) provide voluntary technical assistance, if 
                requested, under section 242(f)(1)(S).
            ``(4) Reimbursement.--A Federal agency shall be reimbursed 
        for expenditures under this section from funds appropriated for 
        the purposes of this section. Any funds received by a Federal 
        agency as reimbursement for services or supplies furnished 
        under the authority of this section shall be deposited to the 
        credit of the appropriation or appropriations available on the 
        date of the deposit for the services or supplies.
            ``(5) Consultation.--In carrying out this section, the 
        Director shall consult with the Secretary, the Secretary of 
        Defense, the Director of the National Security Agency, the 
        Director of the National Institute of Standards and Technology, 
        and any other official, as directed by the President.
            ``(6) Prohibited actions.--The authority to direct 
        compliance with an emergency measure or action under this 
        section shall not authorize the Director, the Center, the 
        Department, or any other Federal entity to--
                    ``(A) restrict or prohibit communications carried 
                by, or over, covered critical infrastructure and not 
                specifically directed to or from the covered critical 
                infrastructure unless the Director determines that no 
                other emergency measure or action will preserve the 
                reliable operation, and mitigate or remediate the 
                consequences of the potential disruption, of the 
                covered critical infrastructure or the national 
                information infrastructure;
                    ``(B) control covered critical infrastructure;
                    ``(C) compel the disclosure of information unless 
                specifically authorized by law; or
                    ``(D) intercept a wire, oral, or electronic 
                communication (as those terms are defined in section 
                2510 of title 18, United States Code), access a stored 
                electronic or wire communication, install or use a pen 
                register or trap and trace device, or conduct 
                electronic surveillance (as defined in section 101 of 
                the Foreign Intelligence Surveillance Act of 1978 (50 
                U.S.C. 1801)) relating to an incident unless otherwise 
                authorized under chapter 119, chapter 121, or chapter 
                206 of title 18, United States Code, or the Foreign 
                Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 
                et seq.).
            ``(7) Privacy.--In carrying out this section, the Director 
        shall ensure that the privacy and civil liberties of United 
        States persons are protected.
    ``(b) Discontinuance of Emergency Measures.--
            ``(1) In general.--Any emergency measure or action 
        developed under this section shall cease to have effect not 
        later than 30 days after the date on which the President issued 
        the declaration of a national cyber emergency, unless--
                    ``(A) the Director details in writing why the 
                emergency measure or action remains necessary to 
                address the identified national cyber emergency; and
                    ``(B) the President issues a written order or 
                directive reaffirming the national cyber emergency, the 
                continuing nature of the national cyber emergency, or 
                the need to continue the adoption of the emergency 
                measure or action.
            ``(2) Extensions.--An emergency measure or action extended 
        in accordance with paragraph (1) may--
                    ``(A) remain in effect for not more than 30 days 
                after the date on which the emergency measure or action 
                was to cease to have effect; and
                    ``(B) unless a joint resolution described in 
                subsection (f)(1) is enacted, be extended for not more 
                than 3 additional 30-day periods, if the requirements 
                of paragraph (1) and subsection (d) are met.
    ``(c) Compliance With Emergency Measures.--
            ``(1) In general.--Subject to paragraph (2), the owner or 
        operator of covered critical infrastructure shall immediately 
        comply with any emergency measure or action developed by the 
        Director under this section during the pendency of any 
        declaration by the President under subsection (a)(1) or an 
        extension under subsection (b)(2).
            ``(2) Alternative measures.--
                    ``(A) In general.--If the Director determines that 
                a proposed security measure, or any combination 
                thereof, submitted by the owner or operator of covered 
                critical infrastructure in accordance with the process 
                established under section 248(b)(2) will effectively 
                mitigate or remediate the cyber risk associated with 
                the national cyber emergency that is the subject of the 
                declaration under this section, or effectively mitigate 
                or remediate the consequences of the potential 
                disruption of the covered critical infrastructure based 
                on the cyber risk at least as effectively as the 
                emergency measures or actions directed by the Director 
                under this section, the owner or operator may comply 
                with paragraph (1) of this subsection by implementing 
                the proposed security measure, or combination thereof, 
                approved by the Director under the process established 
                under section 248.
                    ``(B) Compliance pending submission or approval.--
                Before submission of a proposed security measure, or 
                combination thereof, and during the pendency of any 
                review by the Director under the process established 
                under section 248, the owner or operator of covered 
                critical infrastructure shall remain in compliance with 
                any emergency measure or action developed by the 
                Director under this section during the pendency of any 
                declaration by the President under subsection (a)(1) or 
                an extension under subsection (b)(2), until such time 
                as the Director has approved an alternative proposed 
                security measure, or combination thereof, under this 
                paragraph.
            ``(3) International cooperation on national cyber 
        emergencies.--
                    ``(A) In general.--The Director, in coordination 
                with the head of the sector-specific agency with 
                responsibility for covered critical infrastructure and 
                the head of any Federal agency that is not a sector-
                specific agency with responsibilities for regulating 
                the covered critical infrastructure, shall--
                            ``(i) consistent with the protection of 
                        intelligence sources and methods and other 
                        sensitive matters, inform the owner or operator 
                        of information infrastructure located outside 
                        the United States the disruption of which could 
                        result in national or regional catastrophic 
                        damage in the United States and the government 
                        of the country in which the information 
                        infrastructure is located of any cyber risks to 
                        the information infrastructure that led to the 
                        declaration of a national cyber emergency; and
                            ``(ii) coordinate with the government of 
                        the country in which the information 
                        infrastructure is located and, as appropriate, 
                        the owner or operator of the information 
                        infrastructure, regarding the implementation of 
                        emergency measures or actions necessary to 
                        preserve the reliable operation, and mitigate 
                        or remediate the consequences of the potential 
                        disruption, of covered critical infrastructure 
                        that is the subject of the national cyber 
                        emergency.
                    ``(B) International agreements.--The Director shall 
                carry out this paragraph in a manner consistent with 
                applicable international agreements.
    ``(d) Reporting.--
            ``(1) In general.--Except as provided in paragraph (2), the 
        President shall ensure that any declaration under subsection 
        (a)(1) or any extension under subsection (b)(2) is reported to 
        the appropriate committees of Congress before the Director 
        mandates any emergency measure or actions under subsection 
        (a)(3).
            ``(2) Exception.--If notice cannot be given under paragraph 
        (1) before mandating any emergency measure or actions under 
        subsection (a)(3), the President shall provide the report 
        required under paragraph (1) as soon as possible, along with a 
        statement of the reasons for not providing notice in accordance 
        with paragraph (1).
            ``(3) Contents.--Each report under this subsection shall 
        describe--
                    ``(A) the nature of the national cyber emergency;
                    ``(B) the reasons that risk-based security 
                requirements under section 248 are not sufficient to 
                address the national cyber emergency;
                    ``(C) the actions necessary to preserve the 
                reliable operation and mitigate the consequences of the 
                potential disruption of covered critical 
                infrastructure; and
                    ``(D) in the case of an extension of a national 
                cyber emergency under subsection (b)(2)--
                            ``(i) why the emergency measures or actions 
                        continue to be necessary to address the 
                        national cyber emergency; and
                            ``(ii) when the President expects the 
                        national cyber emergency to abate.
    ``(e) Statutory Defenses and Civil Liability Limitations for 
Compliance With Emergency Measures.--
            ``(1) Definitions.--In this subsection--
                    ``(A) the term `covered civil action'--
                            ``(i) means a civil action filed in a 
                        Federal or State court against a covered 
                        entity; and
                            ``(ii) does not include an action brought 
                        under section 2520 or 2707 of title 18, United 
                        States Code, or section 110 or 308 of the 
                        Foreign Intelligence Surveillance Act of 1978 
                        (50 U.S.C. 1810 and 1828);
                    ``(B) the term `covered entity' means any entity 
                that owns or operates covered critical infrastructure, 
                including any owner, operator, officer, employee, 
                agent, landlord, custodian, provider of information 
                technology, or other person acting for or on behalf of 
                that entity with respect to the covered critical 
                infrastructure; and
                    ``(C) the term `noneconomic damages' means damages 
                for losses for physical and emotional pain, suffering, 
                inconvenience, physical impairment, mental anguish, 
                disfigurement, loss of enjoyment of life, loss of 
                society and companionship, loss of consortium, hedonic 
                damages, injury to reputation, and any other 
                nonpecuniary losses.
            ``(2) Application of limitations on civil liability.--The 
        limitations on civil liability under paragraph (3) apply if--
                    ``(A) the President has issued a declaration of 
                national cyber emergency under subsection (a)(1);
                    ``(B) the Director has--
                            ``(i) issued emergency measures or actions 
                        for which compliance is required under 
                        subsection (c)(1); or
                            ``(ii) approved security measures under 
                        subsection (c)(2);
                    ``(C) the covered entity is in compliance with--
                            ``(i) the emergency measures or actions 
                        required under subsection (c)(1); or
                            ``(ii) security measures which the Director 
                        has approved under subsection (c)(2); and
                    ``(D)(i) the Director certifies to the court in 
                which the covered civil action is pending that the 
                actions taken by the covered entity during the period 
                covered by the declaration under subsection (a)(1) were 
                consistent with--
                            ``(I) emergency measures or actions for 
                        which compliance is required under subsection 
                        (c)(1); or
                            ``(II) security measures which the Director 
                        has approved under subsection (c)(2); or
                    ``(ii) notwithstanding the lack of a certification, 
                the covered entity demonstrates by a preponderance of 
                the evidence that the actions taken during the period 
                covered by the declaration under subsection (a)(1) are 
                consistent with the implementation of--
                            ``(I) emergency measures or actions for 
                        which compliance is required under subsection 
                        (c)(1); or
                            ``(II) security measures which the Director 
                        has approved under subsection (c)(2).
            ``(3) Limitations on civil liability.--In any covered civil 
        action that is related to any incident associated with a cyber 
        risk covered by a declaration of a national cyber emergency and 
        for which the Director has issued emergency measures or actions for 
        which compliance is required under subsection (c)(1) or for 
        which the Director has approved security measures under 
        subsection (c)(2), or that is the direct consequence of actions 
        taken in good faith for the purpose of implementing security 
        measures or actions which the Director has approved under 
        subsection (c)(2)--
                    ``(A) the covered entity shall not be liable for 
                any punitive damages intended to punish or deter, 
                exemplary damages, or other damages not intended to 
                compensate a plaintiff for actual losses; and
                    ``(B) noneconomic damages may be awarded against a 
                defendant only in an amount directly proportional to 
                the percentage of responsibility of such defendant for 
                the harm to the plaintiff, and no plaintiff may recover 
                noneconomic damages unless the plaintiff suffered 
                physical harm.
            ``(4) Civil actions arising out of implementation of 
        emergency measures or actions.--A covered civil action may not 
        be maintained against a covered entity that is the direct 
        consequence of actions taken in good faith for the purpose of 
        implementing specific emergency measures or actions for which 
        compliance is required under subsection (c)(1), if--
                    ``(A) the President has issued a declaration of 
                national cyber emergency under subsection (a)(1) and 
                the action was taken during the period covered by that 
                declaration;
                    ``(B) the Director has issued emergency measures or 
                actions for which compliance is required under 
                subsection (c)(1) or that the Director has approved 
                under subsection (c)(2);
                    ``(C) the covered entity is in compliance with the 
                emergency measures required under subsection (c)(1) or 
                that the Director has approved under subsection (c)(2); 
                and
                    ``(D)(i) the Director certifies to the court in 
                which the covered civil action is pending that the 
                actions taken by the entity during the period covered 
                by the declaration under subsection (a)(1) were 
                consistent with the implementation of emergency 
                measures or actions for which compliance is required 
                under subsection (c)(1) or that the Director has 
                approved under subsection (c)(2); or
                    ``(ii) notwithstanding the lack of a certification, 
                the entity demonstrates by a preponderance of the 
                evidence that the actions taken during the period 
                covered by the declaration under subsection (a)(1) are 
                consistent with the implementation of emergency 
                measures or actions for which compliance is required 
                under subsection (c)(1) or that the Director has 
                approved under subsection (c)(2).
            ``(5) Certain actions not subject to limitations on 
        liability.--
                    ``(A) Additional or intervening acts.--Paragraphs 
                (2) through (4) shall not apply to a civil action 
                relating to any additional or intervening acts or 
                omissions by any covered entity.
                    ``(B) Serious or substantial damage.--Paragraph (4) 
                shall not apply to any civil action brought by an 
                individual--
                            ``(i) whose recovery is otherwise precluded 
                        by application of paragraph (4); and
                            ``(ii) who has suffered--
                                    ``(I) serious physical injury or 
                                death; or
                                    ``(II) substantial damage or 
                                destruction to his primary residence.
                    ``(C) Rule of construction.--Recovery available 
                under subparagraph (B) shall be limited to those 
                damages available under subparagraphs (A) and (B) of 
                paragraph (3), except that neither reasonable and 
                necessary medical benefits nor lifetime total benefits 
                for lost employment income due to permanent and total 
                disability shall be limited herein.
                    ``(D) Indemnification.--In any civil action brought 
                under subparagraph (B), the United States shall defend 
                and indemnify any covered entity. Any covered entity 
                defended and indemnified under this subparagraph shall 
                fully cooperate with the United States in the defense 
                by the United States in any proceeding and shall be 
                reimbursed the reasonable costs associated with such 
                cooperation.
    ``(f) Joint Resolution To Extend Cyber Emergency.--
            ``(1) In general.--For purposes of subsection (b)(2)(B), a 
        joint resolution described in this paragraph means only a joint 
        resolution--
                    ``(A) the title of which is as follows: `Joint 
                resolution approving the extension of a cyber 
                emergency'; and
                    ``(B) the matter after the resolving clause of 
                which is as follows: `That Congress approves the 
                continuation of the emergency measure or action issued 
                by the Director of the National Center for 
                Cybersecurity and Communications on ____________ for 
                not longer than an additional 120-day period.', the 
                blank space being filled in with the date on which the 
                emergency measure or action to which the joint 
                resolution applies was issued.
            ``(2) Procedure.--
                    ``(A) No referral.--A joint resolution described in 
                paragraph (1) shall not be referred to a committee in 
                either House of Congress and shall immediately be 
                placed on the calendar.
                    ``(B) Consideration.--
                            ``(i) Debate limitation.--A motion to 
                        proceed to a joint resolution described in 
                        paragraph (1) is highly privileged in the House 
                        of Representatives and is privileged in the 
                        Senate and is not debatable. The motion is not 
                        subject to a motion to postpone. In the Senate, 
                        consideration of the joint resolution, and on 
                        all debatable motions and appeals in connection 
                        therewith, shall be limited to not more than 10 
                        hours, which shall be divided equally between 
                        the majority leader and the minority leader, or 
                        their designees. A motion further to limit 
                        debate is in order and not debatable. All 
                        points of order against the joint resolution 
                        (and against consideration of the joint 
                        resolution) are waived. An amendment to, or a 
                        motion to postpone, or a motion to proceed to 
                        the consideration of other business, or a 
                        motion to recommit the joint resolution is not 
                        in order.
                            ``(ii) Passage.--In the Senate, immediately 
                        following the conclusion of the debate on a 
                        joint resolution described in paragraph (1), 
                        and a single quorum call at the conclusion of 
                        the debate if requested in accordance with the 
                        rules of the Senate, the vote on passage of the 
                        joint resolution shall occur.
                            ``(iii) Appeals.--Appeals from the 
                        decisions of the Chair relating to the 
                        application of the rules of the Senate to the 
                        procedure relating to a joint resolution 
                        described in paragraph (1) shall be decided 
                        without debate.
                    ``(C) Other house acts first.--If, before the 
                passage by 1 House of a joint resolution of that House 
                described in paragraph (1), that House receives from 
                the other House a joint resolution described in 
                paragraph (1)--
                            ``(i) the procedure in that House shall be 
                        the same as if no joint resolution had been 
                        received from the other House; and
                            ``(ii) the vote on final passage shall be 
                        on the joint resolution of the other House.
                    ``(D) Majority required for adoption.--A joint 
                resolution considered under this subsection shall 
                require an affirmative vote of a majority of the 
                Members, duly chosen and sworn, for adoption.
            ``(3) Rulemaking.--This subsection is enacted by Congress--
                    ``(A) as an exercise of the rulemaking power of the 
                Senate and the House of Representatives, respectively, 
                and is deemed to be part of the rules of each House, 
                respectively, but applicable only with respect to the 
                procedure to be followed in that House in the case of a 
                joint resolution described in paragraph (1), and it 
                supersedes other rules only to the extent that it is 
                inconsistent with such rules; and
                    ``(B) with full recognition of the constitutional 
                right of either House to change the rules (so far as 
                they relate to the procedure of that House) at any 
                time, in the same manner, and to the same extent as in 
                the case of any other rule of that House.
    ``(g) Rule of Construction.--Nothing in this section shall be 
construed to--
            ``(1) alter or supersede the authority of the Secretary of 
        Defense, the Attorney General, or the Director of National 
        Intelligence in responding to a national cyber emergency; or
            ``(2) limit the authority of the Director under section 
        248, after a declaration issued under this section expires.

``SEC. 250. ENFORCEMENT.

    ``(a) Annual Certification of Compliance.--
            ``(1) In general.--Not later than 6 months after the date 
        on which the Director promulgates regulations under section 
        248(b), and every year thereafter, each owner or operator of 
        covered critical infrastructure shall certify in writing to the 
        Director whether the owner or operator has developed and 
        implemented, or is implementing, security measures approved by 
        the Director under section 248 and any applicable emergency 
        measures or actions required under section 249 for any cyber 
        risks and national cyber emergencies.
            ``(2) Failure to comply.--If an owner or operator of 
        covered critical infrastructure fails to submit a certification 
        in accordance with paragraph (1), or if the certification 
        indicates the owner or operator is not in compliance, the 
        Director may issue an order requiring the owner or operator to 
        submit proposed security measures under section 248 or comply 
        with specific emergency measures or actions under section 249.
    ``(b) Risk-based Evaluations.--
            ``(1) In general.--Consistent with the factors described in 
        paragraph (3), the Director may perform an evaluation of the 
        information infrastructure of any specific system or asset 
        constituting covered critical infrastructure to assess the 
        validity of a certification of compliance submitted under 
        subsection (a)(1).
            ``(2) Document review and inspection.--An evaluation 
        performed under paragraph (1) may include--
                    ``(A) a review of all documentation submitted to 
                justify an annual certification of compliance submitted 
                under subsection (a)(1); and
                    ``(B) a physical or electronic inspection of 
                relevant information infrastructure to which the 
                security measures required under section 248 or the 
                emergency measures or actions required under section 
                249 apply.
            ``(3) Evaluation selection factors.--In determining whether 
        sufficient risk exists to justify an evaluation under this 
        subsection, the Director shall consider--
                    ``(A) the specific cyber risks affecting or 
                potentially affecting the information infrastructure of 
                the specific system or asset constituting covered 
                critical infrastructure;
                    ``(B) any reliable intelligence or other 
                information indicating a cyber risk or credible 
                national cyber emergency to the information 
                infrastructure of the specific system or asset 
                constituting covered critical infrastructure;
                    ``(C) actual knowledge or reasonable suspicion that 
                the certification of compliance submitted by a specific 
                owner or operator of covered critical infrastructure is 
                false or otherwise inaccurate;
                    ``(D) a request by a specific owner or operator of 
                covered critical infrastructure for such an evaluation; 
                and
                    ``(E) such other risk-based factors as identified 
                by the Director.
            ``(4) Sector-specific agencies.--To carry out the risk-
        based evaluation authorized under this subsection, the Director 
        may use the resources of a sector-specific agency with 
        responsibility for the covered critical infrastructure or any 
        Federal agency that is not a sector-specific agency with 
        responsibilities for regulating the covered critical 
        infrastructure with the concurrence of the head of the agency.
            ``(5) Information protection.--Information provided to the 
        Director during the course of an evaluation under this 
        subsection shall be protected from disclosure in accordance 
        with section 251.
    ``(c) Civil Penalties.--
            ``(1) In general.--Any person who violates section 248 or 
        249 shall be liable for a civil penalty.
            ``(2) No private right of action.--Nothing in this section 
        confers upon any person, except the Director, a right of action 
        against an owner or operator of covered critical infrastructure 
        to enforce any provision of this subtitle.
    ``(d) Limitation on Civil Liability.--
            ``(1) Definition.--In this subsection--
                    ``(A) the term `covered civil action'--
                            ``(i) means a civil action filed in a 
                        Federal or State court against a covered 
                        entity; and
                            ``(ii) does not include an action brought 
                        under section 2520 or 2707 of title 18, United 
                        States Code, or section 110 or 308 of the 
                        Foreign Intelligence Surveillance Act of 1978 
                        (50 U.S.C. 1810 and 1828);
                    ``(B) the term `covered entity' means any entity 
                that owns or operates covered critical infrastructure, 
                including any owner, operator, officer, employee, 
                agent, landlord, custodian, provider of information 
                technology, or other person acting for or on behalf of 
                that entity with respect to the covered critical 
                infrastructure; and
                    ``(C) the term `noneconomic damages' means damages 
                for losses for physical and emotional pain, suffering, 
                inconvenience, physical impairment, mental anguish, 
                disfigurement, loss of enjoyment of life, loss of 
                society and companionship, loss of consortium, hedonic 
                damages, injury to reputation, and any other 
                nonpecuniary losses.
            ``(2) Limitations on civil liability.--If a covered entity 
        experiences an incident related to a cyber risk identified 
        under section 248(a), in any covered civil action for damages 
        directly caused by the incident related to that cyber risk--
                    ``(A) the covered entity shall not be liable for 
                any punitive damages intended to punish or deter, 
                exemplary damages, or other damages not intended to 
                compensate a plaintiff for actual losses; and
                    ``(B) noneconomic damages may be awarded against a 
                defendant only in an amount directly proportional to 
                the percentage of responsibility of such defendant for 
                the harm to the plaintiff, and no plaintiff may recover 
                noneconomic damages unless the plaintiff suffered 
                physical harm.
            ``(3) Application.--This subsection shall apply to claims 
        made by any individual or nongovernmental entity, including 
        claims made by a State or local government agency on behalf of 
        such individuals or nongovernmental entities, against a covered 
        entity--
                    ``(A) whose proposed security measures, or 
                combination thereof, satisfy the security performance 
                requirements established under subsection 248(b) and 
                have been approved by the Director;
                    ``(B) that has been evaluated under subsection (b) 
                and has been found by the Director to have implemented 
                the proposed security measures approved under section 
                248; and
                    ``(C) that is in actual compliance with the 
                approved security measures at the time of the incident 
                related to that cyber risk.
            ``(4) Limitation.--This subsection shall only apply to harm 
        directly caused by the incident related to the cyber risk and 
        shall not apply to damages caused by any additional or 
        intervening acts or omissions by the covered entity.
            ``(5) Rule of construction.--Except as provided under 
        paragraph (3), nothing in this subsection shall be construed to 
        abrogate or limit any right, remedy, or authority that the 
        Federal Government or any State or local government, or any 
        entity or agency thereof, may possess under any law, or that 
        any individual is authorized by law to bring on behalf of the 
        government.
    ``(e) Report to Congress.--The Director shall submit an annual 
report to the appropriate committees of Congress on the implementation 
and enforcement of the risk-based performance requirements of covered 
critical infrastructure under subsection 248(b) and this section 
including--
            ``(1) the level of compliance of covered critical 
        infrastructure with the risk-based security performance 
        requirements issued under section 248(b);
            ``(2) how frequently the evaluation authority under 
        subsection (b) was utilized and a summary of the aggregate 
        results of the evaluations; and
            ``(3) any civil penalties imposed on covered critical 
        infrastructure.

``SEC. 251. PROTECTION OF INFORMATION.

    ``(a) Definition.--In this section, the term `covered 
information'--
            ``(1) means--
                    ``(A) any information required to be submitted 
                under sections 246, 248, and 249 to the Center by the 
                owners and operators of covered critical 
                infrastructure; and
                    ``(B) any information submitted to the Center under 
                the processes and procedures established under section 
                246 by State and local governments, private entities, 
                and international partners of the United States 
                regarding threats, vulnerabilities, and incidents 
                affecting--
                            ``(i) the Federal information 
                        infrastructure;
                            ``(ii) information infrastructure that is 
                        owned, operated, controlled, or licensed for 
                        use by, or on behalf of, the Department of 
                        Defense, a military department, or another 
                        element of the intelligence community; or
                            ``(iii) the national information 
                        infrastructure; and
            ``(2) shall not include any information described under 
        paragraph (1), if that information is submitted to--
                    ``(A) conceal violations of law, inefficiency, or 
                administrative error;
                    ``(B) prevent embarrassment to a person, 
                organization, or agency; or
                    ``(C) interfere with competition in the private 
                sector.
    ``(b) Voluntarily Shared Critical Infrastructure Information.--
Covered information submitted in accordance with this section shall be 
treated as voluntarily shared critical infrastructure information under 
section 214, except that the requirement of section 214 that the 
information be voluntarily submitted, including the requirement for an 
express statement, shall not be required for submissions of covered 
information.
    ``(c) Guidelines.--
            ``(1) In general.--Subject to paragraph (2), the Director 
        shall develop and issue guidelines, in consultation with the 
        Secretary, Attorney General, and the National Cybersecurity 
        Advisory Council, as necessary to implement this section.
            ``(2) Requirements.--The guidelines developed under this 
        section shall--
                    ``(A) consistent with section 214(e)(2)(D) and (g) 
                and the processes, procedures, and guidelines developed 
                under section 246(b), include provisions for 
                information sharing among Federal, State, and local 
                officials, private entities, or international partners 
                of the United States necessary to carry out the 
                authorities and responsibilities of the Director;
                    ``(B) be consistent, to the maximum extent 
                possible, with policy guidance and implementation 
                standards developed by the National Archives and 
                Records Administration for controlled unclassified 
                information, including with respect to marking, 
                safeguarding, dissemination and dispute resolution; and
                    ``(C) describe, with as much detail as possible, 
                the categories and type of information entities should 
                voluntarily submit under subsections (b) and (c)(1)(B) 
                of section 246.
    ``(d) Process for Reporting Security Problems.--
            ``(1) Establishment of process.--The Director shall 
        establish through regulation, and provide information to the 
        public regarding, a process by which any person may submit a 
        report to the Secretary regarding cybersecurity threats, 
        vulnerabilities, and incidents affecting--
                    ``(A) the Federal information infrastructure;
                    ``(B) information infrastructure that is owned, 
                operated, controlled, or licensed for use by, or on 
                behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community; or
                    ``(C) national information infrastructure.
            ``(2) Acknowledgment of receipt.--If a report submitted 
        under paragraph (1) identifies the person making the report, 
        the Director shall respond promptly to such person and 
        acknowledge receipt of the report.
            ``(3) Steps to address problem.--The Director shall review 
        and consider the information provided in any report submitted 
        under paragraph (1) and, at the sole, unreviewable discretion 
        of the Director, determine what, if any, steps are necessary or 
        appropriate to address any problems or deficiencies identified.
            ``(4) Disclosure of identity.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), or with the written consent of the 
                person, the Secretary may not disclose the identity of 
                a person who has provided information described in 
                paragraph (1).
                    ``(B) Referral to the attorney general.--The 
                Secretary shall disclose to the Attorney General the 
                identity of a person described under subparagraph (A) 
                if the matter is referred to the Attorney General for 
                enforcement. The Director shall provide reasonable 
                advance notice to the affected person if disclosure of 
                that person's identity is to occur, unless such notice 
                would risk compromising a criminal or civil enforcement 
                investigation or proceeding.
    ``(e) Rules of Construction.--Nothing in this section shall be 
construed to--
            ``(1) limit or otherwise affect the right, ability, duty, 
        or obligation of any entity to use or disclose any information 
        of that entity, including in the conduct of any judicial or 
        other proceeding;
            ``(2) prevent the classification of information submitted 
        under this section if that information meets the standards for 
        classification under Executive Order 12958 or any successor of 
        that order or affect measures and controls relating to the 
        protection of classified information as prescribed by Federal 
        statute or under Executive Order 12958, or any successor of 
        that order;
            ``(3) limit the right of an individual to make any 
        disclosure--
                    ``(A) protected or authorized under section 
                2302(b)(8) or 7211 of title 5, United States Code;
                    ``(B) to an appropriate official of information 
                that the individual reasonably believes evidences a 
                violation of any law, rule, or regulation, gross 
                mismanagement, or substantial and specific danger to 
                public health, safety, or security, and that is 
                protected under any Federal or State law (other than 
                those referenced in subparagraph (A)) that shields the 
                disclosing individual against retaliation or 
                discrimination for having made the disclosure if such 
                disclosure is not specifically prohibited by law and if 
                such information is not specifically required by 
                Executive order to be kept secret in the interest of 
                national defense or the conduct of foreign affairs; or
                    ``(C) to the Special Counsel, the inspector general 
                of an agency, or any other employee designated by the 
                head of an agency to receive similar disclosures;
            ``(4) prevent the Director from using information required 
        to be submitted under sections 246, 248, or 249 for enforcement 
        of this subtitle, including enforcement proceedings subject to 
        appropriate safeguards;
            ``(5) authorize information to be withheld from Congress, 
        the Government Accountability Office, or Inspector General of 
        the Department;
            ``(6) affect protections afforded to trade secrets under 
        any other provision of law; or
            ``(7) create a private right of action for enforcement of 
        any provision of this section.
    ``(f) Audit.--
            ``(1) In general.--Not later than 1 year after the date of 
        enactment of the Protecting Cyberspace as a National Asset Act 
        of 2010, the Inspector General of the Department shall conduct 
        an audit of the management of information submitted under 
        subsection (b) and report the findings to appropriate 
        committees of Congress.
            ``(2) Contents.--The audit under paragraph (1) shall 
        include assessments of--
                    ``(A) whether the information is adequately 
                safeguarded against inappropriate disclosure;
                    ``(B) the processes for marking and disseminating 
                the information and resolving any disputes;
                    ``(C) how the information is used for the purposes 
                of this section, and whether that use is effective;
                    ``(D) whether information sharing has been 
                effective to fulfill the purposes of this section;
                    ``(E) whether the kinds of information submitted 
                have been appropriate and useful, or overbroad or 
                overnarrow;
                    ``(F) whether the information protections allow for 
                adequate accountability and transparency of the 
                regulatory, enforcement, and other aspects of 
                implementing this subtitle; and
                    ``(G) any other factors at the discretion of the 
                Inspector General.

``SEC. 252. SECTOR-SPECIFIC AGENCIES.

    ``(a) In General.--The head of each sector-specific agency and the 
head of any Federal agency that is not a sector-specific agency with 
responsibilities for regulating covered critical infrastructure shall 
coordinate with the Director on any activities of the sector-specific 
agency or Federal agency that relate to the efforts of the agency 
regarding security or resiliency of the national information 
infrastructure, including critical infrastructure and covered critical 
infrastructure, within or under the supervision of the agency.
    ``(b) Duplicative Reporting Requirements.--The head of each sector-
specific agency and the head of any Federal agency that is not a 
sector-specific agency with responsibilities for regulating covered 
critical infrastructure shall coordinate with the Director to eliminate 
and avoid the creation of duplicate reporting or compliance 
requirements relating to the security or resiliency of the national 
information infrastructure, including critical infrastructure and 
covered critical infrastructure, within or under the supervision of the 
agency.
    ``(c) Requirements.--
            ``(1) In general.--To the extent that the head of each 
        sector-specific agency and the head of any Federal agency that 
        is not a sector-specific agency with responsibilities for 
        regulating covered critical infrastructure has the authority to 
        establish regulations, rules, or requirements or other required 
        actions that are applicable to the security of national 
        information infrastructure, including critical infrastructure 
        and covered critical infrastructure, the head of that agency 
        shall--
                    ``(A) notify the Director in a timely fashion of 
                the intent to establish the regulations, rules, 
                requirements, or other required actions;
                    ``(B) coordinate with the Director to ensure that 
                the regulations, rules, requirements, or other required 
                actions are consistent with, and do not conflict or 
                impede, the activities of the Director under sections 
                247, 248, and 249; and
                    ``(C) in coordination with the Director, ensure 
                that the regulations, rules, requirements, or other 
                required actions are implemented, as they relate to 
                covered critical infrastructure, in accordance with 
                subsection (a).
            ``(2) Coordination.--Coordination under paragraph (1)(B) 
        shall include the active participation of the Director in the 
        process for developing regulations, rules, requirements, or 
        other required actions.
            ``(3) Rule of construction.--Nothing in this section shall 
        be construed to provide additional authority for any sector-
        specific agency or any Federal agency that is not a sector-
        specific agency with responsibilities for regulating national 
        information infrastructure, including critical infrastructure 
        or covered critical infrastructure, to establish standards or 
        other measures that are applicable to the security of national 
        information infrastructure not otherwise authorized by law.

``SEC. 253. STRATEGY FOR FEDERAL CYBERSECURITY SUPPLY CHAIN MANAGEMENT.

    ``(a) In General.--The Secretary, in consultation with the Director 
of Cyberspace Policy, the Director, the Secretary of Defense, the 
Secretary of Commerce, the Secretary of State, the Director of National 
Intelligence, the Administrator of General Services, the Administrator 
for Federal Procurement Policy, the other members of the Chief 
Information Officers Council established under section 3603 of title 
44, United States Code, the Chief Acquisition Officers Council 
established under section 16A of the Office of Federal Procurement 
Policy Act (41 U.S.C. 414b), the Chief Financial Officers Council 
established under section 302 of the Chief Financial Officers Act of 
1990 (31 U.S.C. 901 note), and the private sector, shall develop, 
periodically update, and implement a supply chain risk management 
strategy designed to ensure, based on mission criticality and cost 
effectiveness, the security of the Federal information infrastructure, 
including protection against unauthorized access to, alteration of 
information in, disruption of operations of, interruption of 
communications or services of, and insertion of malicious software, 
engineering vulnerabilities, or otherwise corrupting software, 
hardware, services, or products intended for use in Federal information 
infrastructure.
    ``(b) Contents.--The supply chain risk management strategy 
developed under subsection (a) shall--
            ``(1) address risks in the supply chain during the entire 
        life cycle of any part of the Federal information 
        infrastructure;
            ``(2) place particular emphasis on--
                    ``(A) securing critical information systems and the 
                Federal information infrastructure;
                    ``(B) developing processes that--
                            ``(i) incorporate all-source intelligence 
                        analysis into assessments of the supply chain 
                        for the Federal information infrastructure;
                            ``(ii) assess risks from potential 
                        suppliers providing critical components or 
                        services of the Federal information 
                        infrastructure;
                            ``(iii) assess risks from individual 
                        components, including all subcomponents, or 
                        software used in or affecting the Federal 
                        information infrastructure;
                            ``(iv) manage the quality, configuration, 
                        and security of software, hardware, and systems 
                        of the Federal information infrastructure 
                        throughout the life cycle of the software, 
                        hardware, or system, including components or 
                        subcomponents from secondary and tertiary 
                        sources;
                            ``(v) detect the occurrence, reduce the 
                        likelihood of occurrence, and mitigate or 
                        remediate the risks associated with products 
                        containing counterfeit components or malicious 
                        functions;
                            ``(vi) enhance developmental and 
                        operational test and evaluation capabilities, 
                        including software vulnerability detection 
                        methods and automated methods and tools that 
                        shall be integrated into acquisition policy 
                        practices by Federal agencies and, where 
                        appropriate, make the capabilities available 
                        for use by the private sector; and
                            ``(vii) protect the intellectual property 
                        and trade secrets of suppliers of information 
                        and communications technology products and 
                        services;
                    ``(C) the use of internationally-recognized 
                standards and standards developed by the private sector 
                and developing a process, with the National Institute 
                for Standards and Technology, to make recommendations 
                for improvements of the standards;
                    ``(D) identifying acquisition practices of Federal 
                agencies that increase risks in the supply chain and 
                developing a process to provide recommendations for 
                revisions to those processes; and
                    ``(E) sharing with the private sector, to the 
                fullest extent possible, the threats identified in the 
                supply chain and working with the private sector to 
                develop responses to those threats as identified; and
            ``(3) to the maximum extent practicable, promote the 
        ability of Federal agencies to procure authentic commercial off 
        the shelf information and communications technology products 
        and services from a diverse pool of suppliers.
    ``(c) Implementation.--The Federal Acquisition Regulatory Council 
established under section 25(a) of the Office of Federal Procurement 
Policy Act (41 U.S.C. 421(a)) shall--
            ``(1) amend the Federal Acquisition Regulation issued under 
        section 25 of that Act to--
                    ``(A) incorporate, where relevant, the supply chain 
                risk management strategy developed under subsection (a) 
                to improve security throughout the acquisition process; 
                and
                    ``(B) direct that all software and hardware 
                purchased by the Federal Government shall comply with 
                standards developed or be interoperable with automated 
                tools approved by the National Institute of Standards 
                and Technology, to continually enhance security; and
            ``(2) develop a clause or set of clauses for inclusion in 
        solicitations, contracts, and task and delivery orders that 
        sets forth the responsibility of the contractor under the 
        Federal Acquisition Regulation provisions implemented under 
        this subsection.
    ``(d) Preferences for Acquisition of Commercial Items.--The 
strategy developed under this section, and any actions taken under 
subsection (c), shall be consistent with the preferences for the 
acquisition of commercial items under section 2377 of title 10, United 
States Code, and section 314B of the Federal Property and 
Administrative Services Act of 1949 (41 U.S.C. 264b).''.

           TITLE III--FEDERAL INFORMATION SECURITY MANAGEMENT

SEC. 301. COORDINATION OF FEDERAL INFORMATION POLICY.

    (a) Findings.--Congress finds that--
            (1) since 2002 the Federal Government has experienced 
        multiple high-profile incidents that resulted in the theft of 
        sensitive information amounting to more than the entire print 
        collection contained in the Library of Congress, including 
        personally identifiable information, advanced scientific 
        research, and prenegotiated United States diplomatic positions; 
        and
            (2) chapter 35 of title 44, United States Code, must be 
        amended to increase the coordination of Federal agency 
        activities and to enhance situational awareness throughout the 
        Federal Government using more effective enterprise-wide 
        automated monitoring, detection, and response capabilities.
    (b) In General.--Chapter 35 of title 44, United States Code, is 
amended by striking subchapters II and III and inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3550. Purposes
    ``The purposes of this subchapter are to--
            ``(1) provide a comprehensive framework for ensuring the 
        effectiveness of information security controls over information 
        resources that support the Federal information infrastructure 
        and the operations and assets of agencies;
            ``(2) recognize the highly networked nature of the current 
        Federal information infrastructure and provide effective 
        Government-wide management and oversight of the related 
        information security risks, including coordination of 
        information security efforts throughout the civilian, national 
        security, and law enforcement communities;
            ``(3) provide for development and maintenance of 
        prioritized and risk-based security controls required to 
        protect Federal information infrastructure and information 
        systems; and
            ``(4) provide a mechanism for improved oversight of Federal 
        agency information security programs;
            ``(5) acknowledge that commercially developed information 
        security products offer advanced, dynamic, robust, and 
        effective information security solutions, reflecting market 
        solutions for the protection of critical information 
        infrastructures important to the national defense and economic 
        security of the Nation that are designed, built, and operated 
        by the private sector; and
            ``(6) recognize that the selection of specific technical 
        hardware and software information security solutions should be 
        left to individual agencies from among commercially developed 
        products.
``Sec. 3551. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under section 3502 shall apply to this subchapter.
    ``(b) Additional Definitions.--In this subchapter:
            ``(1) The term `agency information infrastructure'--
                    ``(A) means information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, an agency, including information systems 
                used or operated by another entity on behalf of the 
                agency; and
                    ``(B) does not include national security systems.
            ``(2) The term `automated and continuous monitoring' means 
        monitoring at a frequency and sufficiency such that the data 
        exchange requires little to no human involvement and is not 
        interrupted;
            ``(3) The term `incident' means an occurrence that--
                    ``(A) actually or imminently jeopardizes--
                            ``(i) the information security of 
                        information infrastructure; or
                            ``(ii) the information that information 
                        infrastructure processes, stores, receives, or 
                        transmits; or
                    ``(B) constitutes a violation of security policies, 
                security procedures, or acceptable use policies 
                applicable to information infrastructure.
            ``(4) The term `information infrastructure' means the 
        underlying framework that information systems and assets rely 
        on to process, transmit, receive, or store information 
        electronically, including programmable electronic devices and 
        communications networks and any associated hardware, software, 
        or data.
            ``(5) The term `information security' means protecting 
        information and information systems from disruption or 
        unauthorized access, use, disclosure, modification, or 
        destruction in order to provide--
                    ``(A) integrity, by guarding against improper 
                information modification or destruction, including by 
                ensuring information nonrepudiation and authenticity;
                    ``(B) confidentiality, by preserving authorized 
                restrictions on access and disclosure, including means 
                for protecting personal privacy and proprietary 
                information; and
                    ``(C) availability, by ensuring timely and reliable 
                access to and use of information.
            ``(6) The term `information technology' has the meaning 
        given that term in section 11101 of title 40.
            ``(7) The term `management controls' means safeguards or 
        countermeasures for an information system that focus on the 
        management of risk and the management of information system 
        security.
            ``(8)(A) The term `national security system' means any 
        information system (including any telecommunications system) 
        used or operated by an agency or by a contractor of an agency, 
        or other organization on behalf of an agency--
                    ``(i) the function, operation, or use of which--
                            ``(I) involves intelligence activities;
                            ``(II) involves cryptologic activities 
                        related to national security;
                            ``(III) involves command and control of 
                        military forces;
                            ``(IV) involves equipment that is an 
                        integral part of a weapon or weapons system; or
                            ``(V) subject to subparagraph (B), is 
                        critical to the direct fulfillment of military 
                        or intelligence missions; or
                    ``(ii) that is protected at all times by procedures 
                established for information that have been specifically 
                authorized under criteria established by an Executive 
                order or an Act of Congress to be kept classified in 
                the interest of national defense or foreign policy.
            ``(B) Subparagraph (A)(i)(V) does not include a system that 
        is to be used for routine administrative and business 
        applications (including payroll, finance, logistics, and 
        personnel management applications).
            ``(9) The term `operational controls' means the safeguards 
        and countermeasures for an information system that are 
        primarily implemented and executed by individuals, not systems.
            ``(10) The term `risk' means the potential for an unwanted 
        outcome resulting from an incident, as determined by the 
        likelihood of the occurrence of the incident and the associated 
        consequences, including potential for an adverse outcome 
        assessed as a function of threats, vulnerabilities, and 
        consequences associated with an incident.
            ``(11) The term `risk-based security' means security 
        commensurate with the risk and magnitude of harm resulting from 
        the loss, misuse, or unauthorized access to, or modification, 
        of information, including assuring that systems and 
        applications used by the agency operate effectively and provide 
        appropriate confidentiality, integrity, and availability.
            ``(12) The term `security controls' means the management, 
        operational, and technical controls prescribed for an 
        information system to protect the information security of the 
        system.
            ``(13) The term `technical controls' means the safeguards 
        or countermeasures for an information system that are primarily 
        implemented and executed by the information system through 
        mechanisms contained in the hardware, software, or firmware 
        components of the system.
``Sec. 3552. Authority and functions of the National Center for 
              Cybersecurity and Communications
    ``(a) In General.--The Director of the National Center for 
Cybersecurity and Communications shall--
            ``(1) develop, oversee the implementation of, and enforce 
        policies, principles, and guidelines on information security, 
        including through ensuring timely agency adoption of and 
        compliance with standards developed under section 20 of the 
        National Institute of Standards and Technology Act (15 U.S.C. 
        278g-3) and subtitle E of title II of the Homeland Security Act 
        of 2002;
            ``(2) provide to agencies security controls that agencies 
        shall be required to implement to mitigate and remediate 
        vulnerabilities, attacks, and exploitations discovered as a 
        result of activities required under this subchapter or subtitle 
        E of title II of the Homeland Security Act of 2002;
            ``(3) to the extent practicable--
                    ``(A) prioritize the policies, principles, 
                standards, and guidelines promulgated under section 20 
                of the National Institute of Standards and Technology 
                Act (15 U.S.C. 278g-3), paragraph (1), and subtitle E 
                of title II of the Homeland Security Act of 2002, based 
                upon the risk of an incident;
                    ``(B) develop guidance that requires agencies to 
                monitor, including automated and continuous monitoring 
                of, the effective implementation of policies, 
                principles, standards, and guidelines developed under 
                section 20 of the National Institute of Standards and 
                Technology Act (15 U.S.C. 278g-3), paragraph (1), and 
                subtitle E of title II of the Homeland Security Act of 
                2002;
                    ``(C) ensure the effective operation of technical 
                capabilities within the National Center for 
                Cybersecurity and Communications to enable automated 
                and continuous monitoring of any information collected 
                as a result of the guidance developed under 
                subparagraph (B) and use the information to enhance the 
                risk-based security of the Federal information 
                infrastructure; and
                    ``(D) ensure the effective operation of a secure 
                system that satisfies information reporting 
                requirements under sections 3553(c) and 3556(c);
            ``(4) require agencies, consistent with the standards 
        developed under section 20 of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-3) or paragraph 
        (1) and the requirements of this subchapter, to identify and 
        provide information security protections commensurate with the 
        risk resulting from the disruption or unauthorized access, use, 
        disclosure, modification, or destruction of--
                    ``(A) information collected or maintained by or on 
                behalf of an agency; or
                    ``(B) information systems used or operated by an 
                agency or by a contractor of an agency or other 
                organization on behalf of an agency;
            ``(5) oversee agency compliance with the requirements of 
        this subchapter, including coordinating with the Office of 
        Management and Budget to use any authorized action under 
        section 11303 of title 40 to enforce accountability for 
        compliance with such requirements;
            ``(6) review, at least annually, and approve or disapprove, 
        agency information security programs required under section 
        3553(b); and
            ``(7) coordinate information security policies and 
        procedures with the Administrator for Electronic Government and 
        the Administrator for the Office of Information and Regulatory 
        Affairs with related information resources management policies 
        and procedures.
    ``(b) National Security Systems.--The authorities of the Director 
of the National Center for Cybersecurity and Communications under this 
section shall not apply to national security systems.
``Sec. 3553. Agency responsibilities
    ``(a) In General.--The head of each agency shall--
            ``(1) be responsible for--
                    ``(A) providing information security protections 
                commensurate with the risk and magnitude of the harm 
                resulting from unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                            ``(i) information collected or maintained 
                        by or on behalf of the agency; and
                            ``(ii) agency information infrastructure;
                    ``(B) complying with the requirements of this 
                subchapter and related policies, procedures, standards, 
                and guidelines, including--
                            ``(i) information security requirements, 
                        including security controls, developed by the 
                        Director of the National Center for 
                        Cybersecurity and Communications under section 
                        3552, subtitle E of title II of the Homeland 
                        Security Act of 2002, or any other provision of 
                        law;
                            ``(ii) information security policies, 
                        principles, standards, and guidelines 
                        promulgated under section 20 of the National 
                        Institute of Standards and Technology Act (15 
                        U.S.C. 278g-3) and section 3552(a)(1);
                            ``(iii) information security standards and 
                        guidelines for national security systems issued 
                        in accordance with law and as directed by the 
                        President; and
                            ``(iv) ensuring the standards implemented 
                        for information systems and national security 
                        systems of the agency are complementary and 
                        uniform, to the extent practicable;
                    ``(C) ensuring that information security management 
                processes are integrated with agency strategic and 
                operational planning and budget processes, including 
                policies, procedures, and practices described in 
                subsection (c)(1)(C);
                    ``(D) as appropriate, maintaining secure facilities 
                that have the capability of accessing, sending, 
                receiving, and storing classified information;
                    ``(E) maintaining a sufficient number of personnel 
                with security clearances, at the appropriate levels, to 
                access, send, receive and analyze classified 
                information to carry out the responsibilities of this 
                subchapter; and
                    ``(F) ensuring that information security 
                performance indicators and measures are included in the 
                annual performance evaluations of all managers, senior 
                managers, senior executive service personnel, and 
                political appointees;
            ``(2) ensure that senior agency officials provide 
        information security for the information and information 
        systems that support the operations and assets under the 
        control of those officials, including through--
                    ``(A) assessing the risk and magnitude of the harm 
                that could result from the disruption or unauthorized 
                access, use, disclosure, modification, or destruction 
                of such information or information systems;
                    ``(B) determining the levels of information 
                security appropriate to protect such information and 
                information systems in accordance with policies, 
                principles, standards, and guidelines promulgated under 
                section 20 of the National Institute of Standards and 
                Technology Act (15 U.S.C. 278g-3), section 3552(a)(1), 
                and subtitle E of title II of the Homeland Security Act 
                of 2002, for information security categorizations and 
                related requirements;
                    ``(C) implementing policies and procedures to cost 
                effectively reduce risks to an acceptable level;
                    ``(D) periodically testing and evaluating 
                information security controls and techniques to ensure 
                that such controls and techniques are operating 
                effectively; and
                    ``(E) withholding all bonus and cash awards to 
                senior agency officials accountable for the operation 
                of such agency information infrastructure that are 
                recognized by the Chief Information Security Officer as 
                impairing the risk-based security information, 
                information system, or agency information 
                infrastructure;
            ``(3) delegate to a senior agency officer designated as the 
        Chief Information Security Officer the authority and budget 
        necessary to ensure and enforce compliance with the 
        requirements imposed on the agency under this subchapter, 
        subtitle E of title II of the Homeland Security Act of 2002, or 
        any other provision of law, including--
                    ``(A) overseeing the establishment, maintenance, 
                and management of a security operations center that has 
                technical capabilities that can, through automated and 
                continuous monitoring--
                            ``(i) detect, report, respond to, contain, 
                        remediate, and mitigate incidents that impair 
                        risk-based security of the information, 
                        information systems, and agency information 
                        infrastructure, in accordance with policy 
                        provided by the Director of the National Center 
                        for Cybersecurity and Communications;
                            ``(ii) monitor and, on a risk-based basis, 
                        mitigate and remediate the vulnerabilities of 
                        every information system within the agency 
                        information infrastructure;
                            ``(iii) continually evaluate risks posed to 
                        information collected or maintained by or on 
                        behalf of the agency and information systems 
                        and hold senior agency officials accountable 
                        for ensuring the risk-based security of such 
                        information and information systems;
                            ``(iv) collaborate with the Director of the 
                        National Center for Cybersecurity and 
                        Communications and appropriate public and 
                        private sector security operations centers to 
                        address incidents that impact the security of 
                        information and information systems that extend 
                        beyond the control of the agency; and
                            ``(v) report any incident described under 
                        clauses (i) and (ii), as directed by the policy 
                        of the Director of the National Center for 
                        Cybersecurity and Communications and the 
                        Inspector General of the agency;
                    ``(B) collaborating with the Administrator for E-
                Government and the Chief Information Officer to 
                establish, maintain, and update an enterprise network, 
                system, storage, and security architecture, that can be 
                accessed by the National Cybersecurity Communications 
                Center and includes--
                            ``(i) information on how security controls 
                        are implemented throughout the agency 
                        information infrastructure; and
                            ``(ii) information on how the controls 
                        described under subparagraph (A) maintain the 
                        appropriate level of confidentiality, 
                        integrity, and availability of information and 
                        information systems based on--
                                    ``(I) the policy of the Director of 
                                the National Center for Cybersecurity 
                                and Communications; and
                                    ``(II) the standards or guidance 
                                developed by the National Institute of 
                                Standards and Technology;
                    ``(C) developing, maintaining, and overseeing an 
                agency-wide information security program as required by 
                subsection (b);
                    ``(D) developing, maintaining, and overseeing 
                information security policies, procedures, and control 
                techniques to address all applicable requirements, 
                including those issued under section 3552;
                    ``(E) training, consistent with the requirements of 
                section 406 of the Protecting Cyberspace as a National 
                Asset Act of 2010, and overseeing personnel with 
                significant responsibilities for information security 
                with respect to such responsibilities; and
                    ``(F) assisting senior agency officers concerning 
                their responsibilities under paragraph (2);
            ``(4) ensure that the Chief Information Security Officer 
        has a sufficient number of cleared and trained personnel with 
        technical skills identified by the Director of the National 
        Center for Cybersecurity and Communications as critical to 
        maintaining the risk-based security of agency information 
        infrastructure as required by the subchapter and other 
        applicable laws;
            ``(5) ensure that the agency Chief Information Security 
        Officer, in coordination with appropriate senior agency 
        officials, reports not less than annually to the head of the 
        agency on the effectiveness of the agency information security 
        program, including progress of remedial actions;
            ``(6) ensure that the Chief Information Security Officer--
                    ``(A) possesses necessary qualifications, including 
                education, professional certifications, training, 
                experience, and the security clearance required to 
                administer the functions described under this 
                subchapter; and
                    ``(B) has information security duties as the 
                primary duty of that officer; and
            ``(7) ensure that components of that agency establish and 
        maintain an automated reporting mechanism that allows the Chief 
        Information Security Officer with responsibility for the entire 
        agency, and all components thereof, to implement, monitor, and 
        hold senior agency officers accountable for the implementation 
        of appropriate security policies, procedures, and controls of 
        agency components.
    ``(b) Agency-wide Information Security Program.--Each agency shall 
develop, document, and implement an agency-wide information security 
program, approved by the Director of the National Center for 
Cybersecurity and Communications under section 3552(a)(6) and 
consistent with components across and within agencies, to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
provided or managed by another agency, contractor, or other source, 
that includes--
            ``(1) frequent assessments, at least twice each month--
                    ``(A) of the risk and magnitude of the harm that 
                could result from the disruption or unauthorized 
                access, use, disclosure, modification, or destruction 
                of information and information systems that support the 
                operations and assets of the agency; and
                    ``(B) that assess whether information or 
                information systems should be removed or migrated to 
                more secure networks or standards and make 
                recommendations to the head of the agency and the 
                Director of the National Center for Cybersecurity and 
                Communications based on that assessment;
            ``(2) consistent with guidance developed under section 
        3554, vulnerability assessments and penetration tests 
        commensurate with the risk posed to an agency information 
        infrastructure;
            ``(3) ensure that information security vulnerabilities are 
        remediated or mitigated based on the risk posed to the agency;
            ``(4) policies and procedures that--
                    ``(A) are informed and revised by the assessments 
                required under paragraphs (1) and (2);
                    ``(B) cost effectively reduce information security 
                risks to an acceptable level;
                    ``(C) ensure that information security is addressed 
                throughout the life cycle of each agency information 
                system; and
                    ``(D) ensure compliance with--
                            ``(i) the requirements of this subchapter;
                            ``(ii) policies and procedures prescribed 
                        by the Director of the National Center for 
                        Cybersecurity and Communications;
                            ``(iii) minimally acceptable system 
                        configuration requirements, as determined by 
                        the Director of the National Center for 
                        Cybersecurity and Communications; and
                            ``(iv) any other applicable requirements, 
                        including standards and guidelines for national 
                        security systems issued in accordance with law 
                        and as directed by the President;
            ``(5) subordinate plans for providing risk-based 
        information security for networks, facilities, and systems or 
        groups of information systems, as appropriate;
            ``(6) role-based security awareness training, consistent 
        with the requirements of section 406 of the Protecting 
        Cyberspace as a National Asset Act of 2010, to inform personnel 
        with access to the agency network, including contractors and 
        other users of information systems that support the operations 
        and assets of the agency, of--
                    ``(A) information security risks associated with 
                agency activities; and
                    ``(B) agency responsibilities in complying with 
                agency policies and procedures designed to reduce those 
                risks;
            ``(7) periodic testing and evaluation of the effectiveness 
        of information security policies, procedures, and practices, to 
        be performed with a rigor and frequency depending on risk, 
        which shall include--
                    ``(A) testing and evaluation not less than twice 
                each year of security controls of information collected 
                or maintained by or on behalf of the agency and every 
                information system identified in the inventory required 
                under section 3505(c);
                    ``(B) the effectiveness of ongoing monitoring, 
                including automated and continuous monitoring, 
                vulnerability scanning, and intrusion detection and 
                prevention of incidents posed to the risk-based 
                security of information and information systems as 
                required under subsection (a)(3); and
                    ``(C) testing relied on in--
                            ``(i) an operational evaluation under 
                        section 3554;
                            ``(ii) an independent assessment under 
                        section 3556; or
                            ``(iii) another evaluation, to the extent 
                        specified by the Director of the National 
                        Center for Cybersecurity and Communications;
            ``(8) a process for planning, implementing, evaluating, and 
        documenting remedial action to address any deficiencies in the 
        information security policies, procedures, and practices of the 
        agency;
            ``(9) procedures for detecting, reporting, and responding 
        to incidents, consistent with requirements issued under section 
        3552, that include--
                    ``(A) to the extent practicable, automated and 
                continuous monitoring of the use of information and 
                information systems;
                    ``(B) requirements for mitigating risks and 
                remediating vulnerabilities associated with such 
                incidents systemically within the agency information 
                infrastructure before substantial damage is done; and
                    ``(C) notifying and coordinating with the Director 
                of the National Center for Cybersecurity and 
                Communications, as required by this subchapter, 
                subtitle E of title II of the Homeland Security Act of 
                2002, and any other provision of law; and
            ``(10) plans and procedures to ensure continuity of 
        operations for information systems that support the operations 
        and assets of the agency.
    ``(c) Agency Reporting.--
            ``(1) In general.--Each agency shall--
                    ``(A) ensure that information relating to the 
                adequacy and effectiveness of information security 
                policies, procedures, and practices, is available to 
                the entities identified under paragraph (2) through the 
                system developed under section 3552(a)(3), including 
                information relating to--
                            ``(i) compliance with the requirements of 
                        this subchapter;
                            ``(ii) the effectiveness of the information 
                        security policies, procedures, and practices of 
                        the agency based on a determination of the 
                        aggregate effect of identified deficiencies and 
                        vulnerabilities;
                            ``(iii) an identification and analysis of 
                        any significant deficiencies identified in such 
                        policies, procedures, and practices;
                            ``(iv) an identification of any 
                        vulnerability that could impair the risk-based 
                        security of the agency information 
                        infrastructure; and
                            ``(v) results of any operational evaluation 
                        conducted under section 3554 and plans of 
                        action to address the deficiencies and 
                        vulnerabilities identified as a result of such 
                        operational evaluation;
                    ``(B) follow the policy, guidance, and standards of 
                the Director of the National Center for Cybersecurity 
                and Communications, in consultation with the Federal 
                Information Security Taskforce, to continually update, 
                and ensure the electronic availability of both a 
                classified and unclassified version of the information 
                required under subparagraph (A);
                    ``(C) ensure the information under subparagraph (A) 
                addresses the adequacy and effectiveness of information 
                security policies, procedures, and practices in plans 
                and reports relating to--
                            ``(i) annual agency budgets;
                            ``(ii) information resources management of 
                        this subchapter;
                            ``(iii) information technology management 
                        and procurement under this chapter or any other 
                        applicable provision of law;
                            ``(iv) subtitle E of title II of the 
                        Homeland Security Act of 2002;
                            ``(v) program performance under sections 
                        1105 and 1115 through 1119 of title 31, and 
                        sections 2801 and 2805 of title 39;
                            ``(vi) financial management under chapter 9 
                        of title 31, and the Chief Financial Officers 
                        Act of 1990 (31 U.S.C. 501 note; Public Law 
                        101-576) (and the amendments made by that Act);
                            ``(vii) financial management systems under 
                        the Federal Financial Management Improvement 
                        Act (31 U.S.C. 3512 note);
                            ``(viii) internal accounting and 
                        administrative controls under section 3512 of 
                        title 31; and
                            ``(ix) performance ratings, salaries, and 
                        bonuses provided to the senior managers and 
                        supporting personnel taking into account 
                        program performance as it relates to complying 
                        with this subchapter; and
                    ``(D) report any significant deficiency in a 
                policy, procedure, or practice identified under 
                subparagraph (A) or (B)--
                            ``(i) as a material weakness in reporting 
                        under section 3512 of title 31; and
                            ``(ii) if relating to financial management 
                        systems, as an instance of a lack of 
                        substantial compliance under the Federal 
                        Financial Management Improvement Act (31 U.S.C. 
                        3512 note).
            ``(2) Adequacy and effectiveness information.--Information 
        required under paragraph (1)(A) shall, to the extent possible 
        and in accordance with applicable law, policy, guidance, and 
        standards, be available on an automated and continuous basis 
        to--
                    ``(A) the Director of the National Center for 
                Cybersecurity and Communications;
                    ``(B) the Office of Management and Budget;
                    ``(C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(D) the Committee on Government Oversight and 
                Reform of the House of Representatives;
                    ``(E) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(F) other appropriate authorization and 
                appropriations committees of Congress;
                    ``(G) the Inspector General of the Federal agency; 
                and
                    ``(H) the Comptroller General.
    ``(d) Inclusions in Performance Plans.--
            ``(1) In general.--In addition to the requirements of 
        subsection (c), each agency, in consultation with the Director 
        of the National Center for Cybersecurity and Communications, 
        shall include as part of the performance plan required under 
        section 1115 of title 31 a description of the time periods and 
        the resources, including budget, staffing, and training, that 
        are necessary to implement the program required under 
        subsection (b).
            ``(2) Risk assessments.--The description under paragraph 
        (1) shall be based on the risk and vulnerability assessments 
        required under subsection (b) and evaluations required under 
        section 3554.
    ``(e) Notice and Comment.--Each agency shall provide the public 
with timely notice and opportunities for comment on proposed 
information security policies and procedures to the extent that such 
policies and procedures affect communication with the public.
    ``(f) More Stringent Standards.--The head of an agency may employ 
standards for the cost effective information security for information 
systems within or under the supervision of that agency that are more 
stringent than the standards the Director of the National Center for 
Cybersecurity and Communications prescribes under this subchapter, 
subtitle E of title II of the Homeland Security Act of 2002, or any 
other provision of law, if the more stringent standards--
            ``(1) contain at least the applicable standards made 
        compulsory and binding by the Director of the National Center 
        for Cybersecurity and Communications; and
            ``(2) are otherwise consistent with policies and guidelines 
        issued under section 3552.
``Sec. 3554. Annual operational evaluation
    ``(a) Guidance.--
            ``(1) In general.--Not later than 1 year after the date of 
        enactment of the Protecting Cyberspace as a National Asset Act 
        of 2010 and each year thereafter, the Director of the National 
        Center for Cybersecurity and Communications shall oversee, 
        coordinate, and develop guidance for the effective 
        implementation of operational evaluations of the Federal 
        information infrastructure and agency information security 
        programs and practices to determine the effectiveness of such 
        program and practices.
            ``(2) Collaboration in development.--In developing guidance 
        for the operational evaluations described under this section, 
        the Director of the National Center for Cybersecurity and 
        Communications shall collaborate with the Federal Information 
        Security Taskforce and the Council of Inspectors General on 
        Integrity and Efficiency, and other agencies as necessary, to 
        develop and update risk-based performance indicators and 
        measures that assess the adequacy and effectiveness of 
        information security of an agency and the Federal information 
        infrastructure.
            ``(3) Contents of operational evaluation.--Each operational 
        evaluation under this section--
                    ``(A) shall be prioritized based on risk; and
                    ``(B) shall--
                            ``(i) test the effectiveness of agency 
                        information security policies, procedures, and 
                        practices of the information systems of the 
                        agency, or a representative subset of those 
                        information systems;
                            ``(ii) assess (based on the results of the 
                        testing) compliance with--
                                    ``(I) the requirements of this 
                                subchapter; and
                                    ``(II) related information security 
                                policies, procedures, standards, and 
                                guidelines;
                            ``(iii) evaluate whether agencies--
                                    ``(I) effectively monitor, detect, 
                                analyze, protect, report, and respond 
                                to vulnerabilities and incidents;
                                    ``(II) report to and collaborate 
                                with the appropriate public and private 
                                security operation centers, the 
                                Director of the National Center for 
                                Cybersecurity and Communications, and 
                                law enforcement agencies; and
                                    ``(III) remediate or mitigate the 
                                risk posed by attacks and exploitations 
                                in a timely fashion in order to prevent 
                                future vulnerabilities and incidents; 
                                and
                            ``(iv) identify deficiencies of agency 
                        information security policies, procedures, and 
                        controls on the agency information 
                        infrastructure.
    ``(b) Conduct an Operational Evaluation.--
            ``(1) In general.--Except as provided under paragraph (2), 
        and in consultation with the Chief Information Officer and 
        senior officials responsible for the affected systems, the 
        Chief Information Security Officer of each agency shall not 
        less than annually--
                    ``(A) conduct an operational evaluation of the 
                agency information infrastructure for vulnerabilities, 
                attacks, and exploitations of the agency information 
                infrastructure;
                    ``(B) evaluate the ability of the agency to 
                monitor, detect, correlate, analyze, report, and 
                respond to incidents; and
                    ``(C) report to the head of the agency, the 
                Director of the National Center for Cybersecurity and 
                Communications, the Chief Information Officer, and the 
                Inspector General for the agency the findings of the 
                operational evaluation.
            ``(2) Satisfaction of requirements by other evaluation.--
        Unless otherwise specified by the Director of the National 
        Center for Cybersecurity and Communications, if the Director of 
        the National Center for Cybersecurity and Communications 
        conducts an operational evaluation of the agency information 
        infrastructure under section 245(b)(2)(A) of the Homeland 
        Security Act of 2002, the Chief Information Security Officer 
        may deem the requirements of paragraph (1) satisfied for the 
        year in which the operational evaluation described under this 
        paragraph is conducted.
    ``(c) Corrective Measures Mitigation and Remediation Plans.--
            ``(1) In general.--In consultation with the Director of the 
        National Center for Cybersecurity and Communications and the 
        Chief Information Officer, Chief Information Security Officers 
        shall remediate or mitigate vulnerabilities in accordance with 
        this subsection.
            ``(2) Risk-based plan.--After an operational evaluation is 
        conducted under this section or under section 245(b) of the 
        Homeland Security Act of 2002, the agency shall submit to the 
        Director of the National Center for Cybersecurity and 
        Communications in a timely fashion a risk-based plan for 
        addressing recommendations and mitigating and remediating 
        vulnerabilities identified as a result of such operational 
        evaluation, including a timeline and budget for implementing 
        such plan.
            ``(3) Approval or disapproval.--Not later than 15 days 
        after receiving a plan submitted under paragraph (2), the 
        Director of the National Center for Cybersecurity and 
        Communications shall--
                    ``(A) approve or disapprove the agency plan; and
                    ``(B) comment on the adequacy and effectiveness of 
                the plan.
            ``(4) Isolation from infrastructure.--
                    ``(A) In general.--The Director of the National 
                Center for Cybersecurity and Communications may, 
                consistent with the contingency or continuity of 
                operation plans applicable to such agency information 
                infrastructure, order the isolation of any component of 
                the Federal information infrastructure from any other 
                Federal information infrastructure, if--
                            ``(i) an agency does not implement measures 
                        in a risk-based plan approved under this 
                        subsection; and
                            ``(ii) the failure to comply presents a 
                        significant danger to the Federal information 
                        infrastructure.
                    ``(B) Duration.--An isolation under subparagraph 
                (A) shall remain in effect until--
                            ``(i) the Director of the National Center 
                        for Cybersecurity and Communications determines 
                        that corrective measures have been implemented; 
                        or
                            ``(ii) an updated risk-based plan is 
                        approved by the Director of the National Center 
                        for Cybersecurity and Communications and 
                        implemented by the agency.
    ``(d) Operational Guidance.--The Director of the National Center 
for Cybersecurity and Communications shall--
            ``(1) not later than 180 days after the date of enactment 
        of the Protecting Cyberspace as a National Asset Act of 2010, 
        develop operational guidance for operational evaluations as 
        required under this section that are risk-based and cost 
        effective; and
            ``(2) periodically evaluate and ensure information is 
        available on an automated and continuous basis through the 
        system required under section 3552(a)(3)(D) to Congress on--
                    ``(A) the adequacy and effectiveness of the 
                operational evaluations conducted under this section or 
                section 245(b) of the Homeland Security Act of 2002; 
                and
                    ``(B) possible executive and legislative actions 
                for cost-effectively managing the risks to the Federal 
                information infrastructure.
``Sec. 3555. Federal Information Security Taskforce
    ``(a) Establishment.--There is established in the executive branch 
a Federal Information Security Taskforce.
    ``(b) Membership.--The members of the Federal Information Security 
Taskforce shall be full-time senior Government employees and shall be 
as follows:
            ``(1) The Director of the National Center for Cybersecurity 
        and Communications.
            ``(2) The Administrator of the Office of Electronic 
        Government of the Office of Management and Budget.
            ``(3) The Chief Information Security Officer of each agency 
        described under section 901(b) of title 31.
            ``(4) The Chief Information Security Officer of the 
        Department of the Army, the Department of the Navy, and the 
        Department of the Air Force.
            ``(5) A representative from the Office of Cyberspace 
        Policy.
            ``(6) A representative from the Office of the Director of 
        National Intelligence.
            ``(7) A representative from the United States Cyber 
        Command.
            ``(8) A representative from the National Security Agency.
            ``(9) A representative from the United States Computer 
        Emergency Readiness Team.
            ``(10) A representative from the Intelligence Community 
        Incident Response Center.
            ``(11) A representative from the Committee on National 
        Security Systems.
            ``(12) A representative from the National Institute for 
        Standards and Technology.
            ``(13) A representative from the Council of Inspectors 
        General on Integrity and Efficiency.
            ``(14) A representative from State and local government.
            ``(15) Any other officer or employee of the United States 
        designated by the chairperson.
    ``(c) Chairperson and Vice-chairperson.--
            ``(1) Chairperson.--The Director of the National Center for 
        Cybersecurity and Communications shall act as chairperson of 
        the Federal Information Security Taskforce.
            ``(2) Vice-chairperson.--The vice chairperson of the 
        Federal Information Security Taskforce shall--
                    ``(A) be selected by the Federal Information 
                Security Taskforce from among its members;
                    ``(B) serve a 1-year term and may serve multiple 
                terms; and
                    ``(C) serve as a liaison to the Chief Information 
                Officer, Council of the Inspectors General on Integrity 
                and Efficiency, Committee on National Security Systems, 
                and other councils or committees as appointed by the 
                chairperson.
    ``(d) Functions.--The Federal Information Security Taskforce 
shall--
            ``(1) be the principal interagency forum for collaboration 
        regarding best practices and recommendations for agency 
        information security and the security of the Federal 
        information infrastructure;
            ``(2) assist in the development of and annually evaluate 
        guidance to fulfill the requirements under sections 3554 and 
        3556;
            ``(3) share experiences and innovative approaches relating 
        to threats against the Federal information infrastructure, 
        information sharing and information security best practices, 
        penetration testing regimes, and incident response, mitigation, 
        and remediation;
            ``(4) promote the development and use of standard 
        performance indicators and measures for agency information 
        security that--
                    ``(A) are outcome-based;
                    ``(B) focus on risk management;
                    ``(C) align with the business and program goals of 
                the agency;
                    ``(D) measure improvements in the agency security 
                posture over time; and
                    ``(E) reduce burdensome and inefficient performance 
                indicators and measures;
            ``(5) recommend to the Office of Personnel Management the 
        necessary qualifications to be established for Chief 
        Information Security Officers to be capable of administering 
        the functions described under this subchapter including 
        education, training, and experience;
            ``(6) enhance information system processes by establishing 
        a prioritized baseline of information security measures and 
        controls that can be continuously monitored through automated 
        mechanisms;
            ``(7) evaluate the effectiveness and efficiency of any 
        reporting and compliance requirements that are required by law 
        related to the information security of Federal information 
        infrastructure; and
            ``(8) submit proposed enhancements developed under 
        paragraphs (1) through (7) to the Director of the National 
        Center for Cybersecurity and Communications.
    ``(e) Termination.--
            ``(1) In general.--Except as provided under paragraph (2), 
        the Federal Information Security Taskforce shall terminate 4 
        years after the date of enactment of the Protecting Cyberspace 
        as a National Asset Act of 2010.
            ``(2) Extension.--The President may--
                    ``(A) extend the Federal Information Security 
                Taskforce by executive order; and
                    ``(B) make more than 1 extension under this 
                paragraph for any period as the President may 
                determine.
``Sec. 3556. Independent Assessments
    ``(a) In General.--
            ``(1) Inspectors general assessments.--Not less than every 
        2 years, each agency with an Inspector General appointed under 
        the Inspector General Act of 1978 (5 U.S.C. App.) or any other 
        law shall assess the adequacy and effectiveness of the 
        information security program developed under section 3553(b) 
        and (c), and evaluations conducted under section 3554.
            ``(2) Independent assessments.--For each agency to which 
        paragraph (1) does not apply, the head of the agency shall 
        engage an independent external auditor to perform the 
        assessment.
    ``(b) Standards.--The assessments required under subsection (a) 
shall be performed in accordance with standards developed by the 
Government Accountability Office, in collaboration with the Council of 
Inspectors General on Integrity and Efficiency and with assistance from 
the Federal Information Security Taskforce.
    ``(c) Existing Assessments.--The assessments required under this 
section may be based in whole or in part on an audit, evaluation, or 
report relating to programs or practices of the applicable agency.
    ``(d) Reporting of Information.--
            ``(1) Inspectors general reporting.--Each Inspector General 
        shall ensure information obtained as a result of the assessment 
        required under this section, or any other relevant information, 
        is--
                    ``(A) provided to the head of the agency, the 
                agency Chief Information Security Officer, and the 
                agency Chief Information Officer; and
                    ``(B) available through the system required under 
                section 3552(a)(3)(D) to Congress and the Director of 
                the National Center for Cybersecurity and 
                Communications.
            ``(2) Heads of agencies reporting.--If an assessment 
        described under subsection (a)(2) is performed, the head of the 
        agency shall comply with the requirements of paragraph (1)(A) 
        and (B).
``Sec. 3557. Protection of Information
    ``In complying with this subchapter, agencies, evaluators, and 
Inspectors General shall take appropriate actions to ensure the 
protection of information which, if disclosed, may adversely affect 
information security. Protections under this chapter shall be 
commensurate with the risk and comply with all applicable laws and 
regulations.
``Sec. 3558. Department of Defense and Central Intelligence Agency 
              systems
    ``(a) In General.--The authorities of the Director of the National 
Center for Cybersecurity and Communications under this subchapter shall 
be delegated to--
            ``(1) the Secretary of Defense in the case of systems 
        described under subsection (b); and
            ``(2) the Director of the Central Intelligence Agency in 
        the case of systems described under subsection (c).
    ``(b) Department of Defense Systems.--The systems described under 
this subsection are systems that are operated by the Department of 
Defense, a contractor of the Department of Defense, or another entity 
on behalf of the Department of Defense that processes any information 
the unauthorized access, use, disclosure, disruption, modification, or 
destruction of which would have a debilitating impact on the mission of 
the Department of Defense.
    ``(c) Central Intelligence Agency Systems.--The systems described 
under this subsection are systems that are operated by the Central 
Intelligence Agency, a contractor of the Central Intelligence Agency, 
or another entity on behalf of the Central Intelligence Agency that 
processes any information the unauthorized access, use, disclosure, 
disruption, modification, or destruction of which would have a 
debilitating impact on the mission of the Central Intelligence 
Agency.''.
    (c) Technical and Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by striking the 
        matter relating to subchapters II and III and inserting the 
        following:

                 ``subchapter ii--information security

``3550. Purposes.
``3551. Definitions.
``3552. Authority and functions of the National Center for 
                            Cybersecurity and Communications.
``3553. Agency responsibilities.
``3554. Annual operational evaluation.
``3555. Federal Information Security Taskforce.
``3556. Independent assessments.
``3557. Protection of information.
``3558. Department of Defense and Central Intelligence Agency 
                            systems.''.
            (2) Other references.--
                    (A) Section 1001(c)(1)(A) of the Homeland Security 
                Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended by 
                striking ``section 3532(3)'' and inserting ``section 
                3551(b)''.
                    (B) Section 2222(j)(6) of title 10, United States 
                Code, is amended by striking ``section 3542(b)(2))'' 
                and inserting ``section 3551(b)''.
                    (C) Section 2223(c)(3) of title 10, United States 
                Code, is amended by striking ``section 3542(b)(2))'' 
                and inserting ``section 3551(b)''.
                    (D) Section 2315 of title 10, United States Code, 
                is amended by striking ``section 3542(b)(2))'' and 
                inserting ``section 3551(b)''.
                    (E) Section 20(a)(2) of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-3) is 
                amended by striking ``section 3532(b)(2)'' and 
                inserting ``section 3551(b)''.
                    (F) Section 21(b)(2) of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-4(b)(2)) 
                is amended by striking ``Institute and'' and inserting 
                ``Institute, the Director of the National Center on 
                Cybersecurity and Communications, and''.
                    (G) Section 21(b)(3) of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-4(b)(3)) 
                is amended by inserting ``the Director of the National 
                Center on Cybersecurity and Communications,'' after 
                ``the Director of the National Security Agency,''.
                    (H) Section 8(d)(1) of the Cyber Security Research 
                and Development Act (15 U.S.C. 7406(d)(1)) is amended 
                by striking ``section 3534(b)'' and inserting ``section 
                3553(b)''.
            (3) Homeland security act of 2002.--
                    (A) Title x.--The Homeland Security Act of 2002 (6 
                U.S.C. 101 et seq.) is amended by striking title X.
                    (B) Table of contents.--The table of contents in 
                section 1(b) of the Homeland Security Act of 2002 (6 
                U.S.C. 101 et seq.) is amended by striking the matter 
                relating to title X.
    (d) Repeal of Other Standards.--
            (1) In general.--Section 11331 of title 40, United States 
        Code, is repealed.
            (2) Technical and conforming amendments.--
                    (A) Section 20(c)(3) of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-3(c)(3)) 
                is amended by striking ``under section 11331 of title 
                40, United States Code''.
                    (B) Section 20(d)(1) of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-3(d)(1)) 
                is amended by striking ``the Director of the Office of 
                Management and Budget for promulgation under section 
                11331 of title 40, United States Code'' and inserting 
                ``the Secretary of Commerce for promulgation''.
                    (C) Section 11302(d) of title 40, United States 
                Code, is amended by striking ``under section 11331 of 
                this title and''.
                    (D) Section 1874A(e)(2)(A)(ii) of the Social 
                Security Act (42 U.S.C. 1395kk-1(e)(2)(A)(ii)) is 
                amended by striking ``section 11331 of title 40, United 
                States Code'' and inserting ``section 3552 of title 44, 
                United States Code''.
                    (E) Section 3504(g)(2) of title 44, United States 
                Code, is amended by striking ``section 11331 of title 
                40'' and inserting ``section 3552 of title 44''.
                    (F) Section 3504(h)(1) of title 44, United States 
                Code, is amended by inserting ``, the Director of the 
                National Center for Cybersecurity and Communications,'' 
                after ``the National Institute of Standards and 
                Technology''.
                    (G) Section 3504(h)(1)(B) of title 44, United 
                States Code, is amended by striking ``under section 
                11331 of title 40'' and inserting ``section 3552 of 
                title 44''.
                    (H) Section 3518(d) of title 44, United States 
                Code, is amended by striking ``sections 11331 and 
                11332'' and inserting ``section 11332''.
                    (I) Section 3602(f)(8) of title 44, United States 
                Code, is amended by striking ``under section 11331 of 
                title 40''.
                    (J) Section 3603(f)(5) of title 44, United States 
                Code, is amended by striking ``and promulgated under 
                section 11331 of title 40,''.

           TITLE IV--RECRUITMENT AND PROFESSIONAL DEVELOPMENT

SEC. 401. DEFINITIONS.

    In this title:
            (1) Cybersecurity mission.--The term ``cybersecurity 
        mission'' means the activities of the Federal Government that 
        encompass the full range of threat reduction, vulnerability 
        reduction, deterrence, international engagement, incident 
        response, resiliency, and recovery policies and activities, 
        including computer network operations, information assurance, 
        law enforcement, diplomacy, military, and intelligence missions 
        as such activities relate to the security and stability of 
        cyberspace.
            (2) Federal agency's cybersecurity mission.--The term 
        ``Federal agency's cybersecurity mission'' means, with respect 
        to any Federal agency, the portion of the cybersecurity mission 
        that is the responsibility of the Federal agency.

SEC. 402. ASSESSMENT OF CYBERSECURITY WORKFORCE.

    (a) In General.--The Director of the Office of Personnel Management 
and the Director shall assess the readiness and capacity of the Federal 
workforce to meet the needs of the cybersecurity mission of the Federal 
Government.
    (b) Strategy.--
            (1) In general.--The Director of the Office of Personnel 
        Management, in consultation with the Director and the Director 
        of the Office of Management and Budget, shall develop a 
        comprehensive workforce strategy that enhances the readiness, 
        capacity, training, and recruitment and retention of Federal 
        cybersecurity personnel.
            (2) Contents.--The strategy developed under paragraph (1) 
        shall include--
                    (A) a 5-year plan on recruitment of personnel for 
                the Federal workforce; and
                    (B) 10-year and 20-year projections of workforce 
                needs.
            (3) Dates for completion.--The strategy under this 
        subsection shall be--
                    (A) completed not later than 180 days after the 
                date of enactment of this Act; and
                    (B) updated as needed.

SEC. 403. STRATEGIC CYBERSECURITY WORKFORCE PLANNING.

    (a) Federal Agency Development of Strategic Cybersecurity Workforce 
Plans.--Not later than 180 days after the date of enactment of this Act 
and in every subsequent year, and subject to subsection (c)(2), the 
head of each Federal agency shall develop a strategic cybersecurity 
workforce plan as part of the Federal agency performance plan required 
under section 1115 of title 31, United States Code.
    (b) Basis and Guidance for Plans.--Each Federal agency shall 
develop a plan prepared under subsection (a) on the basis of the 
assessment developed under section 402 and any subsequent guidance 
issued by the Director of the Office of Personnel Management, in 
consultation with the Director and the Director of the Office of 
Management and Budget.
    (c) Contents of the Plan.--
            (1) In general.--Subject to paragraph (2), each plan 
        prepared under subsection (a) shall include--
                    (A) a description of the Federal agency's 
                cybersecurity mission;
                    (B) a description and analysis, relating to the 
                specialized workforce needed by the Federal agency to 
                fulfill the Federal agency's cybersecurity mission, 
                including--
                            (i) the workforce needs of the Federal 
                        agency on the date of the report, and 10-year 
                        and 20-year projections of workforce needs;
                            (ii) hiring projections to meet workforce 
                        needs, including, for at least a 2-year period, 
                        specific occupation and grade levels;
                            (iii) long-term and short-term strategic 
                        goals to address critical skills deficiencies, 
                        including analysis of the numbers of and 
                        reasons for attrition of employees;
                            (iv) recruitment strategies, including the 
                        use of student internships, part-time 
                        employment, student loan reimbursement, and 
                        telework, to attract highly qualified 
                        candidates from diverse backgrounds and 
                        geographic locations;
                            (v) an assessment of the sources and 
                        availability of individuals with needed 
                        expertise;
                            (vi) ways to streamline the hiring process;
                            (vii) the barriers to recruiting and hiring 
                        individuals qualified in cybersecurity and 
                        recommendations to overcome the barriers; and
                            (viii) a training and development plan, 
                        consistent with the curriculum developed under 
                        section 406, to enhance and improve the 
                        knowledge of employees.
            (2) Federal agencies with small specialized workforce.--In 
        accordance with guidance issued under subsection (b), a Federal 
        agency that needs only a small specialized workforce to fulfill 
        the Federal agency's cybersecurity mission may, in lieu of 
        developing a separate strategic cybersecurity workforce plan, 
        present the workforce plan component referred to in paragraph 
        (1)(A) and those components referred to in paragraph (1)(B) 
        that are relevant and appropriate to the circumstances of the 
        agency as part of the Federal agency performance plan required 
        under section 1115 of title 31, United States Code.

SEC. 404. CYBERSECURITY OCCUPATION CLASSIFICATIONS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director of the Office of Personnel Management, in 
coordination with the Director, shall develop and issue comprehensive 
occupation classifications for Federal employees engaged in 
cybersecurity missions.
    (b) Applicability of Classifications.--The Director of the Office 
of Personnel Management shall ensure that the comprehensive occupation 
classifications issued under subsection (a) may be used throughout the 
Federal Government.

SEC. 405. MEASURES OF CYBERSECURITY HIRING EFFECTIVENESS.

    (a) In General.--The head of each Federal agency shall measure, and 
collect information on, indicators of the effectiveness of the 
recruitment and hiring by the Federal agency of a workforce needed to 
fulfill the Federal agency's cybersecurity mission.
    (b) Types of Information.--The indicators of effectiveness measured 
and subject to collection of information under subsection (a) shall 
include indicators with respect to the following:
            (1) Recruiting and hiring.--In relation to recruiting and 
        hiring by the Federal agency--
                    (A) the ability to reach and recruit well-qualified 
                individuals from diverse talent pools;
                    (B) the use and impact of special hiring 
                authorities and flexibilities to recruit the most 
                qualified applicants, including the use of student 
                internship and scholarship programs for permanent 
                hires;
                    (C) the use and impact of special hiring 
                authorities and flexibilities to recruit diverse 
                candidates, including criteria such as the veteran 
                status, race, ethnicity, gender, disability, or 
                national origin of the candidates; and
                    (D) the educational level, and source of 
                applicants.
            (2) Supervisors.--In relation to the supervisors of the 
        positions being filled--
                    (A) satisfaction with the quality of the applicants 
                interviewed and hired;
                    (B) satisfaction with the match between the skills 
                of the individuals and the needs of the Federal agency;
                    (C) satisfaction of the supervisors with the hiring 
                process and hiring outcomes;
                    (D) whether any mission-critical deficiencies were 
                addressed by the individuals and the connection between 
                the deficiencies and the performance of the Federal 
                agency; and
                    (E) the satisfaction of the supervisors with the 
                period of time elapsed to fill the positions.
            (3) Applicants.--The satisfaction of applicants with the 
        hiring process, including clarity of job announcements, any 
        reasons for withdrawal of an application, the user-friendliness 
        of the application process, communication regarding status of 
        applications, and the timeliness of offers of employment.
            (4) Hired individuals.--In relation to the individuals 
        hired--
                    (A) satisfaction with the hiring process;
                    (B) satisfaction with the process of starting 
                employment in the position for which the individual was 
                hired;
                    (C) attrition; and
                    (D) the results of exit interviews.
    (c) Reports.--
            (1) In general.--The head of each Federal agency shall 
        submit the information collected under this section to the 
        Director of the Office of Personnel Management on an annual 
        basis and in accordance with the regulations issued under 
        subsection (d).
            (2) Availability of recruiting and hiring information.--
                    (A) In general.--The Director of the Office of 
                Personnel Management shall prepare an annual report 
                containing the information received under paragraph (1) 
                in a consistent format to allow for a comparison of 
                hiring effectiveness and experience across demographic 
                groups and Federal agencies.
                    (B) Submission.--The Director of the Office of 
                Personnel Management shall--
                            (i) not later than 90 days after the 
                        receipt of all information required to be 
                        submitted under paragraph (1), make the report 
                        prepared under subparagraph (A) publicly 
                        available, including on the website of the 
                        Office of Personnel Management; and
                            (ii) before the date on which the report 
                        prepared under subparagraph (A) is made 
                        publicly available, submit the report to 
                        Congress.
    (d) Regulations.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Office of Personnel 
        Management shall issue regulations establishing the 
        methodology, timing, and reporting of the data required to be 
        submitted under this section.
            (2) Scope and detail of required information.--The 
        regulations under paragraph (1) shall delimit the scope and 
        detail of the information that a Federal agency is required to 
        collect and submit under this section, taking account of the 
        size and complexity of the workforce that the Federal agency 
        needs to fulfill the Federal agency's cybersecurity mission.

SEC. 406. TRAINING AND EDUCATION.

    (a) Training.--
            (1) Federal government employees and federal contractors.--
        The Director of the Office of Personnel Management, in 
        conjunction with the Director of the National Center for 
        Cybersecurity and Communications, the Director of National 
        Intelligence, the Secretary of Defense, and the Chief 
        Information Officers Council established under section 3603 of 
        title 44, United States Code, shall establish a cybersecurity 
        awareness and education curriculum that shall be required for 
        all Federal employees and contractors engaged in the design, 
        development, or operation of agency information infrastructure, 
        as defined under section 3551 of title 44, United States Code.
            (2) Contents.--The curriculum established under paragraph 
        (1) may include--
                    (A) role-based security awareness training;
                    (B) recommended cybersecurity practices;
                    (C) cybersecurity recommendations for traveling 
                abroad;
                    (D) unclassified counterintelligence information;
                    (E) information regarding industrial espionage;
                    (F) information regarding malicious activity 
                online;
                    (G) information regarding cybersecurity and law 
                enforcement;
                    (H) identity management information;
                    (I) information regarding supply chain security;
                    (J) information security risks associated with the 
                activities of Federal employees; and
                    (K) the responsibilities of Federal employees in 
                complying with policies and procedures designed to 
                reduce information security risks identified under 
                subparagraph (J).
            (3) Federal cybersecurity professionals.--The Director of 
        the Office of Personnel Management in conjunction with the 
        Director of the National Center for Cybersecurity and 
        Communications, the Director of National Intelligence, the 
        Secretary of Defense, the Director of the Office of Management 
        and Budget, and, as appropriate, colleges, universities, and 
        nonprofit organizations with cybersecurity training expertise, 
        shall develop a program, to provide training to improve and 
        enhance the skills and capabilities of Federal employees 
        engaged in the cybersecurity mission, including training 
        specific to the acquisition workforce.
            (4) Heads of federal agencies.--Not later than 30 days 
        after the date on which an individual is appointed to a 
        position at level I or II of the Executive Schedule, the 
        Director of the National Center for Cybersecurity and 
        Communications and the Director of National Intelligence, or 
        their designees, shall provide that individual with a 
        cybersecurity threat briefing.
            (5) Certification.--The head of each Federal agency shall 
        include in the annual report required under section 3553(c) of 
        title 44, United States Code, a certification regarding whether 
        all officers, employees, and contractors of the Federal agency 
        have completed the training required under this subsection.
    (b) Education.--
            (1) Federal employees.--The Director of the Office of 
        Personnel Management, in coordination with the Secretary of 
        Education, the Director of the National Science Foundation, and 
        the Director, shall develop and implement a strategy to provide 
        Federal employees who work in cybersecurity missions with the 
        opportunity to obtain additional education.
            (2) K through 12.--The Secretary of Education, in 
        coordination with the Director of the National Center for 
        Cybersecurity and Communications and State and local 
        governments, shall develop curriculum standards, guidelines, 
        and recommended courses to address cyber safety, cybersecurity, 
        and cyber ethics for students in kindergarten through grade 12.
            (3) Undergraduate, graduate, vocational, and technical 
        institutions.--
                    (A) Secretary of education.--The Secretary of 
                Education, in coordination with the Director of the 
                National Center for Cybersecurity and Communications, 
                shall--
                            (i) develop curriculum standards and 
                        guidelines to address cyber safety, 
                        cybersecurity, and cyber ethics for all 
                        students enrolled in undergraduate, graduate, 
                        vocational, and technical institutions in the 
                        United States; and
                            (ii) analyze and develop recommended 
                        courses for students interested in pursuing 
                        careers in information technology, 
                        communications, computer science, engineering, 
                        math, and science, as those subjects relate to 
                        cybersecurity.
                    (B) Office of personnel management.--The Director 
                of the Office of Personnel Management, in coordination 
                with the Director, shall develop strategies and 
                programs--
                            (i) to recruit students from undergraduate, 
                        graduate, vocational, and technical 
                        institutions in the United States to serve as 
                        Federal employees engaged in cyber missions; 
                        and
                            (ii) that provide internship and part-time 
                        work opportunities with the Federal Government 
                        for students at the undergraduate, graduate, 
                        vocational, and technical institutions in the 
                        United States.
    (c) Cyber Talent Competitions and Challenges.--
            (1) In general.--The Director of the National Center for 
        Cybersecurity and Communications shall establish a program to 
        ensure the effective operation of national and statewide 
        competitions and challenges that seek to identify, develop, and 
        recruit talented individuals to work in Federal agencies, State 
        and local government agencies, and the private sector to 
        perform duties relating to the security of the Federal 
        information infrastructure or the national information 
        infrastructure.
            (2) Groups and individuals.--The program under this 
        subsection shall include--
                    (A) high school students;
                    (B) undergraduate students;
                    (C) graduate students;
                    (D) academic and research institutions;
                    (E) veterans; and
                    (F) other groups or individuals as the Director may 
                determine.
            (3) Support of other competitions and challenges.--The 
        program under this subsection may support other competitions 
        and challenges not established under this subsection through 
        affiliation and cooperative agreements with--
                    (A) Federal agencies;
                    (B) regional, State, or community school programs 
                supporting the development of cyber professionals; or
                    (C) other private sector organizations.
            (4) Areas of talent.--The program under this subsection 
        shall seek to identify, develop, and recruit exceptional talent 
        relating to--
                    (A) ethical hacking;
                    (B) penetration testing;
                    (C) vulnerability assessment;
                    (D) continuity of system operations;
                    (E) cyber forensics; and
                    (F) offensive and defensive cyber operations.

SEC. 407. CYBERSECURITY INCENTIVES.

    (a) Awards.--In making cash awards under chapter 45 of title 5, 
United States Code, the President or the head of a Federal agency, in 
consultation with the Director, shall consider the success of an 
employee in fulfilling the objectives of the National Strategy, in a 
manner consistent with any policies, guidelines, procedures, 
instructions, or standards established by the President.
    (b) Other Incentives.--The head of each Federal agency shall adopt 
best practices, developed by the Director of the National Center for 
Cybersecurity and Communications and the Office of Management and 
Budget, regarding effective ways to educate and motivate employees of 
the Federal Government to demonstrate leadership in cybersecurity, 
including--
            (1) promotions and other nonmonetary awards; and
            (2) publicizing information sharing accomplishments by 
        individual employees and, if appropriate, the tangible benefits 
        that resulted.

SEC. 408. RECRUITMENT AND RETENTION PROGRAM FOR THE NATIONAL CENTER FOR 
              CYBERSECURITY AND COMMUNICATIONS.

    (a) Definitions.--In this section:
            (1) Center.--The term ``Center'' means the National Center 
        for Cybersecurity and Communications.
            (2) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (3) Director.--The term ``Director'' means the Director of 
        the Center.
            (4) Entry level position.--The term ``entry level 
        position'' means a position that--
                    (A) is established by the Director in the Center; 
                and
                    (B) is classified at GS-7, GS-8, or GS-9 of the 
                General Schedule.
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
            (6) Senior position.--The term ``senior position'' means a 
        position that--
                    (A) is established by the Director in the Center; 
                and
                    (B) is not established under section 5108 of title 
                5, United States Code, but is similar in duties and 
                responsibilities for positions established under that 
                section.
    (b) Recruitment and Retention Program.--
            (1) Establishment.--The Director may establish a program to 
        assist in the recruitment and retention of highly skilled 
        personnel to carry out the functions of the Center.
            (2) Consultation and considerations.--In establishing a 
        program under this section, the Director shall--
                    (A) consult with the Secretary; and
                    (B) consider--
                            (i) national and local employment trends;
                            (ii) the availability and quality of 
                        candidates;
                            (iii) any specialized education or 
                        certifications required for positions;
                            (iv) whether there is a shortage of certain 
                        skills; and
                            (v) such other factors as the Director 
                        determines appropriate.
    (c) Hiring and Special Pay Authorities.--
            (1) Direct hire authority.--Without regard to the civil 
        service laws (other than sections 3303 and 3328 of title 5, 
        United States Code), the Director may appoint not more than 500 
        employees under this subsection to carry out the functions of 
        the Center.
            (2) Rates of pay.--
                    (A) Entry level positions.--The Director may fix 
                the pay of the employees appointed to entry level 
                positions under this subsection without regard to 
                chapter 51 and subchapter III of chapter 53 of title 5, 
                United States Code, relating to classification of 
                positions and General Schedule pay rates, except that 
                the rate of pay for any such employee may not exceed 
                the maximum rate of basic pay payable for a position at 
                GS-10 of the General Schedule while that employee is in 
                an entry level position.
                    (B) Senior positions.--
                            (i) In general.--The Director may fix the 
                        pay of the employees appointed to senior 
                        positions under this subsection without regard 
                        to chapter 51 and subchapter III of chapter 53 
                        of title 5, United States Code, relating to 
                        classification of positions and General 
                        Schedule pay rates, except that the rate of pay 
                        for any such employee may not exceed the 
                        maximum rate of basic pay payable under section 
                        5376 of title 5, United States Code.
                            (ii) Higher maximum rates.--
                                    (I) In general.--Notwithstanding 
                                the limitation on rates of pay under 
                                clause (i)--
                                            (aa) not more than 20 
                                        employees, identified by the 
                                        Director, may be paid at a rate 
                                        of pay not to exceed the 
                                        maximum rate of basic pay 
                                        payable for a position at level 
                                        I of the Executive Schedule 
                                        under section 5312 of title 5, 
                                        United States Code; and
                                            (bb) not more than 5 
                                        employees, identified by the 
                                        Director with the approval of 
                                        the Secretary, may be paid at a 
                                        rate of pay not to exceed the 
                                        maximum rate of basic pay 
                                        payable for the Vice President 
                                        under section 104 of title 3, 
                                        United States Code.
                                    (II) Nondelegation of authority.--
                                The Secretary or the Director may not 
                                delegate any authority under this 
                                clause.
    (d) Conversion to Competitive Service.--
            (1) Definition.--In this subsection, the term ``qualified 
        employee'' means any individual appointed to an excepted 
        service position in the Department who performs functions 
        relating to the security of the Federal information 
        infrastructure or national information infrastructure.
            (2) Competitive civil service status.--In consultation with 
        the Director, the Secretary may grant competitive civil service 
        status to a qualified employee if that employee is--
                    (A) employed in the Center; or
                    (B) transferring to the Center.
    (e) Retention Bonuses.--
            (1) Authority.--Notwithstanding section 5754 of title 5, 
        United States Code, the Director may--
                    (A) pay a retention bonus under that section to any 
                individual appointed under this subsection, if the 
                Director determines that, in the absence of a retention 
                bonus, there is a high risk that the individual would 
                likely leave employment with the Department; and
                    (B) exercise the authorities of the Office of 
                Personnel Management and the head of an agency under 
                that section with respect to retention bonuses paid 
                under this subsection.
            (2) Limitations on amount of annual bonuses.--
                    (A) Definitions.--In this paragraph:
                            (i) Maximum total pay.--The term ``maximum 
                        total pay'' means--
                                    (I) in the case of an employee 
                                described under subsection (c)(2)(B)(i), 
                                the total amount of pay paid in a 
                                calendar year at the maximum rate of 
                                basic pay payable for a position at 
                                level I of the Executive Schedule under 
                                section 5312 of title 5, United States 
                                Code;
                                    (II) in the case of an employee 
                                described under 
                                subsection (c)(2)(B)(ii)(I)(aa), the 
                                total amount of pay paid in a calendar 
                                year at the maximum rate of basic pay 
                                payable for a position at level I of 
                                the Executive Schedule under section 
                                5312 of title 5, United States Code; 
                                and
                                    (III) in the case of an employee 
                                described under 
                                subsection (c)(2)(B)(ii)(I)(bb), the 
                                total amount of pay paid in a calendar 
                                year at the maximum rate of basic pay 
                                payable for the Vice President under 
                                section 104 of title 3, United States 
                                Code.
                            (ii) Total compensation.--The term ``total 
                        compensation'' means--
                                    (I) the amount of pay paid to an 
                                employee in any calendar year; and
                                    (II) the amount of all retention 
                                bonuses paid to an employee in any 
                                calendar year.
                    (B) Limitation.--The Director may not pay a 
                retention bonus under this subsection to an employee 
                that would result in the total compensation of that 
                employee exceeding maximum total pay.
    (f) Termination of Authority.--The authority to make appointments 
and pay retention bonuses under this section shall terminate 3 years 
after the date of enactment of this Act.
    (g) Reports.--
            (1) Plan for execution of authorities.--Not later than 120 
        days after the date of enactment of this Act, the Director 
        shall submit a 
        report to the appropriate committees of Congress with a plan 
        for the execution of the authorities provided under this 
        section.
            (2) Annual report.--Not later than 6 months after the date 
        of enactment of this Act, and every year thereafter, the 
        Director shall submit to the appropriate committees of Congress 
        a detailed report that--
                    (A) discusses how the actions taken during the 
                period of the report are fulfilling the critical hiring 
                needs of the Center;
                    (B) assesses metrics relating to individuals hired 
                under the authority of this section, including--
                            (i) the numbers of individuals hired;
                            (ii) the turnover in relevant positions;
                            (iii) with respect to each individual 
                        hired--
                                    (I) the position for which hired;
                                    (II) the salary paid;
                                    (III) any retention bonus paid and 
                                the amount of the bonus;
                                    (IV) the geographic location from 
                                which hired;
                                    (V) the immediate past salary; and
                                    (VI) whether the individual was a 
                                noncareer appointee in the Senior 
                                Executive Service or an appointee to a 
                                position of a confidential or policy-
                                determining character under schedule C 
                                of subpart C of part 213 of title 5 of 
                                the Code of Federal Regulations before 
                                the hiring; and
                            (iv) whether public notice for recruitment 
                        was made, and if so--
                                    (I) the total number of qualified 
                                applicants;
                                    (II) the number of veteran 
                                preference eligible candidates who 
                                applied;
                                    (III) the time from posting to job 
                                offer; and
                                    (IV) statistics on diversity, 
                                including age, disability, race, 
                                gender, and national origin, of 
                                individuals hired under the authority 
                                of this section to the extent such 
                                statistics are available; and
                    (C) includes rates of pay set in accordance with 
                subsection (c).

                       TITLE V--OTHER PROVISIONS

SEC. 501. CYBERSECURITY RESEARCH AND DEVELOPMENT.

    Subtitle D of title II of the Homeland Security Act of 2002 (6 
U.S.C. 161 et seq.) is amended by adding at the end the following:

``SEC. 238. CYBERSECURITY RESEARCH AND DEVELOPMENT.

    ``(a) Establishment of Research and Development Program.--The Under 
Secretary for Science and Technology, in coordination with the Director 
of the National Center for Cybersecurity and Communications, shall 
carry out a research and development program for the purpose of 
improving the security of information infrastructure.
    ``(b) Eligible Projects.--The research and development program 
carried out under subsection (a) may include projects to--
            ``(1) advance the development and accelerate the deployment 
        of more secure versions of fundamental Internet protocols and 
        architectures, including for the secure domain name addressing 
        system and routing security;
            ``(2) improve and create technologies for detecting and 
        analyzing attacks or intrusions, including analysis of 
        malicious software;
            ``(3) improve and create mitigation and recovery 
        methodologies, including techniques for containment of attacks 
        and development of resilient networks and systems;
            ``(4) develop and support infrastructure and tools to 
        support cybersecurity research and development efforts, 
        including modeling, testbeds, and data sets for assessment of 
        new cybersecurity technologies;
            ``(5) assist the development and support of technologies to 
        reduce vulnerabilities in process control systems;
            ``(6) understand human behavioral factors that can affect 
        cybersecurity technology and practices;
            ``(7) test, evaluate, and facilitate, with appropriate 
        protections for any proprietary information concerning the 
        technologies, the transfer of technologies associated with the 
        engineering of less vulnerable software and securing the 
        information technology software development lifecycle;
            ``(8) assist the development of identity management and 
        attribution technologies;
            ``(9) assist the development of technologies designed to 
        increase the security and resiliency of telecommunications 
        networks;
            ``(10) advance the protection of privacy and civil 
        liberties in cybersecurity technology and practices; and
            ``(11) address other risks identified by the Director of 
        the National Center for Cybersecurity and Communications.
    ``(c) Coordination With Other Research Initiatives.--The Under 
Secretary--
            ``(1) shall ensure that the research and development 
        program carried out under subsection (a) is consistent with the 
        national strategy to increase the security and resilience of 
        cyberspace developed by the Director of Cyberspace Policy under 
        section 101 of the Protecting Cyberspace as a National Asset 
        Act of 2010, or any succeeding strategy;
            ``(2) shall, to the extent practicable, coordinate the 
        research and development activities of the Department with 
        other ongoing research and development security-related 
        initiatives, including research being conducted by--
                    ``(A) the National Institute of Standards and 
                Technology;
                    ``(B) the National Science Foundation;
                    ``(C) the National Academy of Sciences;
                    ``(D) other Federal agencies, as defined under 
                section 241;
                    ``(E) other Federal and private research 
                laboratories, research entities, and universities and 
                institutions of higher education, and relevant 
                nonprofit organizations; and
                    ``(F) international partners of the United States;
            ``(3) shall carry out any research and development project 
        under subsection (a) through a reimbursable agreement with an 
        appropriate Federal agency, as defined under section 241, if 
        the Federal agency--
                    ``(A) is sponsoring a research and development 
                project in a similar area; or
                    ``(B) has a unique facility or capability that 
                would be useful in carrying out the project;
            ``(4) may make grants to, or enter into cooperative 
        agreements, contracts, other transactions, or reimbursable 
        agreements with, the entities described in paragraph (2); and
            ``(5) shall submit a report to the appropriate committees 
        of Congress on a review of the cybersecurity activities, and 
        the capacity, of the national laboratories and other research 
        entities available to the Department to determine if the 
        establishment of a national laboratory dedicated to 
        cybersecurity research and development is necessary.
    ``(d) Privacy and Civil Rights and Civil Liberties Issues.--
            ``(1) Consultation.--In carrying out research and 
        development projects under subsection (a), the Under Secretary 
        shall consult with the Privacy Officer appointed under section 
        222 and the Officer for Civil Rights and Civil Liberties of the 
        Department appointed under section 705.
            ``(2) Privacy impact assessments.--In accordance with 
        sections 222 and 705, the Privacy Officer shall conduct privacy 
        impact assessments and the Officer for Civil Rights and Civil 
        Liberties shall conduct reviews, as appropriate, for research 
        and development projects carried out under subsection (a) that 
        the Under Secretary determines could have an impact on privacy, 
        civil rights, or civil liberties.

``SEC. 239. NATIONAL CYBERSECURITY ADVISORY COUNCIL.

    ``(a) Establishment.--Not later than 90 days after the date of 
enactment of this section, the Secretary shall establish an advisory 
committee under section 871 on private sector cybersecurity, to be 
known as the National Cybersecurity Advisory Council (in this section 
referred to as the `Council').
    ``(b) Responsibilities.--
            ``(1) In general.--The Council shall advise the Director of 
        the National Center for Cybersecurity and Communications on the 
        implementation of the cybersecurity provisions affecting the 
        private sector under this subtitle and subtitle E.
            ``(2) Incentives and regulations.--The Council shall advise 
        the Director of the National Center for Cybersecurity and 
        Communications and appropriate committees of Congress (as 
        defined in section 241) and any other congressional committee 
        with jurisdiction over the particular matter regarding how 
        market incentives and regulations may be implemented to enhance 
        the cybersecurity and economic security of the Nation.
    ``(c) Membership.--
            ``(1) In general.--The members of the Council shall be 
        appointed by the Director of the National Center for 
        Cybersecurity 
        and Communications and shall, to the extent practicable, 
        represent a geographic and substantive cross-section of owners 
        and operators of critical infrastructure and others with 
        expertise in cybersecurity, including, as appropriate--
                    ``(A) representatives of covered critical 
                infrastructure (as defined under section 241);
                    ``(B) academic institutions with expertise in 
                cybersecurity;
                    ``(C) Federal, State, and local government agencies 
                with expertise in cybersecurity;
                    ``(D) a representative of the National Security 
                Telecommunications Advisory Council, as established by 
                Executive Order 12382 (47 Fed. Reg. 40531; relating to 
                the establishment of the advisory council), as amended 
                by Executive Order 13286 (68 Fed. Reg. 10619), as in 
                effect on August 3, 2009, or any successor entity;
                    ``(E) a representative of the Communications Sector 
                Coordinating Council, or any successor entity;
                    ``(F) a representative of the Information 
                Technology Sector Coordinating Council, or any 
                successor entity;
                    ``(G) individuals, acting in their personal 
                capacity, with demonstrated technical expertise in 
                cybersecurity; and
                    ``(H) such other individuals as the Director 
                determines to be appropriate, including owners of small 
                business concerns (as defined under section 3 of the 
                Small Business Act (15 U.S.C. 632)).
            ``(2) Term.--The members of the Council shall be appointed 
        for 2-year terms and may be appointed to consecutive terms.
            ``(3) Leadership.--The Chairperson and Vice-Chairperson of 
        the Council shall be selected by members of the Council from 
        among the members of the Council and shall serve 2-year terms.
    ``(d) Applicability of Federal Advisory Committee Act.--The Federal 
Advisory Committee Act (5 U.S.C. App.) shall not apply to the 
Council.''.

SEC. 502. PRIORITIZED CRITICAL INFORMATION INFRASTRUCTURE.

    (a) In General.--Section 210E(a)(2) of the Homeland Security Act of 
2002 (6 U.S.C. 124l(a)(2)) is amended--
            (1) by striking ``In accordance'' and inserting the 
        following:
                    ``(A) In general.--In accordance''; and
            (2) by adding at the end the following:
                    ``(B) Considerations.--In establishing and 
                maintaining a list under subparagraph (A), the 
                Secretary, in coordination with the Director of the 
                National Center for Cybersecurity and Communications, 
                shall consider cyber risks and consequences by sector, 
                including--
                            ``(i) the factors listed in section 
                        248(a)(2);
                            ``(ii) interdependencies between components 
                        of covered critical infrastructure (as defined 
                        under section 241); and
                            ``(iii) the potential for the destruction 
                        or disruption of the system or asset to cause--
                                    ``(I) a mass casualty event which 
                                includes an extraordinary number of 
                                fatalities;
                                    ``(II) severe economic 
                                consequences;
                                    ``(III) mass evacuations with a 
                                prolonged absence; or
                                    ``(IV) severe degradation of 
                                national security capabilities, 
                                including intelligence and defense 
                                functions.''.
    (b) Covered Critical Infrastructure.--Title II of the Homeland 
Security Act of 2002 (6 U.S.C. 121 et seq.) (as amended by section 201 
of this Act) is further amended by adding at the end the following:

``SEC. 254. COVERED CRITICAL INFRASTRUCTURE.

    ``(a) Identification of Covered Critical Infrastructure.--
            ``(1) In general.--Subject to paragraphs (2) and (3), the 
        Secretary, in coordination with sector-specific agencies and in 
        consultation with the National Cybersecurity Advisory Council 
        and other appropriate representatives of State and local 
        governments and the private sector, shall establish and 
        maintain a list of systems or assets that constitute covered 
        critical infrastructure for purposes of this subtitle.
            ``(2) Requirements.--
                    ``(A) In general.--A system or asset may not be 
                identified as covered critical infrastructure under 
                this section unless such system or asset meets each of 
                the requirements under subparagraph (B)(i), (ii), and 
                (iii).
                    ``(B) Requirements.--The requirements referred to 
                under subparagraph (A) are that--
                            ``(i) the destruction or the disruption of 
                        the reliable operation of the system or asset 
                        would cause national or regional catastrophic 
                        effects identified under section 
                        210E(a)(2)(B)(iii);
                            ``(ii) the system or asset is on the 
                        prioritized critical infrastructure list 
                        established by the Secretary under section 
                        210E(a)(2); and
                            ``(iii)(I) the system or asset is a 
                        component of the national information 
                        infrastructure; or
                            ``(II) the national information 
                        infrastructure is essential to the reliable 
                        operation of the system or asset.
            ``(3) Limitation.--A system or asset may not be identified 
        as covered critical infrastructure under this section based 
        solely on activities protected by the first amendment to the 
        United States Constitution.
    ``(b) Notification.--
            ``(1) Identification of system or asset.--If the Secretary 
        identifies any system or asset as covered critical 
        infrastructure under subsection (a), the Secretary shall 
        promptly notify the owner or operator of that system or asset 
        of that identification.
            ``(2) System or asset no longer covered critical 
        infrastructure.--If the Secretary determines that any system or 
        asset that was identified as covered critical infrastructure 
        under subsection (a) no longer constitutes covered critical 
        infrastructure, the Secretary shall promptly notify the owner 
        or operator of that system or asset of that determination.
    ``(c) Redress.--
            ``(1) In general.--Subject to paragraphs (2), (3), and (4), 
        the Secretary shall develop a mechanism, consistent with 
        subchapter II of chapter 5 of title 5, United States Code, for 
        an owner or operator notified under subsection (b)(1) to appeal 
        the identification of a system or asset as covered critical 
        infrastructure under this section.
            ``(2) Compliance.--The owner or operator of a system or 
        asset identified as covered critical infrastructure shall 
        comply with any requirement of this subtitle relating to 
        covered critical infrastructure until such time as the system 
        or asset is no longer identified as covered critical 
        infrastructure by the Secretary, based on--
                    ``(A) an appeal under this subsection; or
                    ``(B) a determination of the Secretary unrelated to 
                an appeal.
            ``(3) Abuse of discretion.--In order to prevail in any 
        appeal under this subsection, the owner or operator of the 
        system or asset identified as covered critical infrastructure 
        shall be required to demonstrate an abuse of discretion by the 
        Secretary.
            ``(4) Final appeal.--A final decision in any appeal under 
        this subsection shall be a final agency action that shall not 
        be subject to judicial review.
    ``(d) Addition of Systems or Assets.--
            ``(1) In general.--The Secretary shall develop a process 
        under which any owner or operator of a system or asset that may 
        constitute covered critical infrastructure may--
                    ``(A) request that such system or asset be 
                identified by the Secretary as covered critical 
                infrastructure under this section; and
                    ``(B) submit material supporting such a request to 
                the Director of the Center for consideration by the 
                Secretary in carrying out this section.
            ``(2) Final decision.--A decision to identify any system or 
        asset as covered critical infrastructure based on a request 
        submitted under this subsection--
                    ``(A) is committed to the sole, unreviewable 
                discretion of the Secretary; and
                    ``(B) shall not be subject to--
                            ``(i) an appeal under subsection (c); or
                            ``(ii) judicial review.''.

SEC. 503. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS 
              ACQUISITION AUTHORITIES.

    (a) In General.--The National Center for Cybersecurity and 
Communications is authorized to use the authorities under subsections 
(c)(1) and (d)(1)(B) of section 2304 of title 10, United States Code, 
instead of the authorities under subsections (c)(1) and (d)(1)(B) of 
section 303 of the Federal Property and Administrative Services Act of 
1949 (41 U.S.C. 253), subject to all other requirements of section 303 
of the Federal Property and Administrative Services Act of 1949.
    (b) Guidelines.--Not later than 90 days after the date of enactment 
of this Act, the chief procurement officer of the Department of 
Homeland Security shall issue guidelines for use of the authority under 
subsection (a).
    (c) Termination.--The National Center for Cybersecurity and 
Communications may not use the authority under subsection (a) on and 
after the date that is 3 years after the date of enactment of this Act.
    (d) Reporting.--
            (1) In general.--On a semiannual basis, the Director of the 
        National Center for Cybersecurity and Communications shall 
        submit a report on use of the authority granted by subsection 
        (a) to--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    (B) the Committee on Homeland Security of the House 
                of Representatives.
            (2) Contents.--Each report submitted under paragraph (1) 
        shall include, at a minimum--
                    (A) the number of contract actions taken under the 
                authority under subsection (a) during the period 
                covered by the report; and
                    (B) for each contract action described in 
                subparagraph (A)--
                            (i) the total dollar value of the contract 
                        action;
                            (ii) a summary of the market research 
                        conducted by the National Center for 
                        Cybersecurity and Communications, including a 
                        list of all offerors who were considered and 
                        those who actually submitted bids, in order to 
                        determine that use of the authority was 
                        appropriate; and
                            (iii) a copy of the justification and 
                        approval documents required by section 303(f) 
                        of the Federal Property and Administrative 
                        Services Act of 1949 (41 U.S.C. 253(f)).
            (3) Classified annex.--A report submitted under this 
        subsection shall be submitted in an unclassified form, but may 
        include a classified annex, if necessary.

SEC. 504. EVALUATION OF THE EFFECTIVE IMPLEMENTATION OF OFFICE OF 
              MANAGEMENT AND BUDGET INFORMATION SECURITY RELATED 
              POLICIES AND DIRECTIVES.

    (a) In General.--The Administrator for Electronic Government and 
Information Technology, in coordination with the Chief Information 
Officers Council, the Federal Information Security Taskforce, and 
Council on Inspectors General on Integrity and Efficiency, shall 
evaluate agency adoption and effective implementation of appropriate 
information security related policies, memoranda, and directives issued 
by the Office of Management and Budget including--
            (1) OMB Memorandum M-10-15, FY 2010 Reporting Instructions 
        for the Federal Information Security Management Act and Agency 
        Privacy Management, issued April 21, 2010;
            (2) OMB Memorandum M-09-32, Update on the Trusted Internet 
        Connections Initiative, issued September 17, 2009;
            (3) OMB Memorandum M-09-02, Information Technology 
        Management Structure and Governance Framework, issued October 
        21, 2008;
            (4) OMB Memorandum M-08-23, Securing the Federal 
        Government's Domain Name System Infrastructure, issued April 
        22, 2008;
            (5) OMB Memorandum M-08-22, Guidance on the Federal Desktop 
        Core Configuration (FDCC), issued August 11, 2008;
            (6) OMB Memorandum M-07-16, Safeguarding Against and 
        Responding to the Breach of Personally Identifiable 
        Information, issued May 22, 2007;
            (7) OMB Memorandum M-07-06, Validating and Monitoring 
        Agency Issuance of Personal Identity Verification Credentials, 
        issued January 11, 2007;
            (8) OMB Memorandum M-04-26, Personal Use Policies and 
        ``File Sharing'' Technology, issued September 8, 2004; and
            (9) OMB Memorandum M-03-22, OMB Guidance for Implementing 
        the Privacy Provisions of the E-Government Act of 2002, issued 
        September 26, 2003.
    (b) Report.--Not later than 1 year after the date of enactment of 
this Act, the Office of Management and Budget shall submit a report on 
the evaluation required under subsection (a) to the appropriate 
congressional committees which shall include--
            (1) an examination of whether Federal agencies have 
        effectively implemented information security policies;
            (2) identification of and reasons why Federal agencies are 
        not in compliance with information security policies;
            (3) the extent to which contractors working on behalf of 
        Federal agencies are in compliance and effectively implementing 
        information security policies; and
            (4) recommended legislative and executive branch actions.

SEC. 505. TECHNICAL AND CONFORMING AMENDMENTS.

    (a) Elimination of Assistant Secretary for Cybersecurity and 
Communications.--The Homeland Security Act of 2002 (6 U.S.C. 101 et 
seq.) is amended--
            (1) in section 103(a)(8) (6 U.S.C. 113(a)(8)), by striking 
        ``, cybersecurity,'';
            (2) in section 514 (6 U.S.C. 321c)--
                    (A) by striking subsection (b); and
                    (B) by redesignating subsection (c) as subsection 
                (b); and
            (3) in section 1801(b) (6 U.S.C. 571(b)), by striking 
        ``shall report to the Assistant Secretary for Cybersecurity and 
        Communications'' and inserting ``shall report to the Director 
        of the National Center for Cybersecurity and Communications''.
    (b) CIO Council.--Section 3603(b) of title 44, United States Code, 
is amended--
            (1) by redesignating paragraph (7) as paragraph (8); and
            (2) by inserting after paragraph (6) the following:
            ``(7) The Director of the National Center for Cybersecurity 
        and Communications.''.
    (c) Repeal.--The Homeland Security Act of 2002 (6 U.S.C. 101 et 
seq.) is amended--
            (1) by striking section 223 (6 U.S.C. 143); and
            (2) by redesignating sections 224 and 225 (6 U.S.C. 144 and 
        145) as sections 223 and 224, respectively.
    (d) Technical Correction.--Section 1802(a) of the Homeland Security 
Act of 2002 (6 U.S.C. 572(a)) is amended in the matter preceding 
paragraph (1) by striking ``Department of''.
    (e) Executive Schedule Position.--Section 5313 of title 5, United 
States Code, is amended by adding at the end the following:
    ``Director of the National Center for Cybersecurity and 
Communications.''.
    (f) Table of Contents.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended--
            (1) by striking the items relating to sections 223, 224, 
        and 225 and inserting the following:

``Sec. 223. NET guard.
``Sec. 224. Cyber Security Enhancements Act of 2002.''; and
            (2) by inserting after the item relating to section 237 the 
        following:

``Sec. 238. Cybersecurity research and development.
``Sec. 239. National Cybersecurity Advisory Council.

                      ``Subtitle E--Cybersecurity

``Sec. 241. Definitions.
``Sec. 242. National Center for Cybersecurity and Communications.
``Sec. 243. Physical and cyber infrastructure collaboration.
``Sec. 244. United States Computer Emergency Readiness Team.
``Sec. 245. Additional authorities of the Director of the National 
                            Center for Cybersecurity and 
                            Communications.
``Sec. 246. Information sharing.
``Sec. 247. Private sector assistance.
``Sec. 248. Cyber risks to covered critical infrastructure.
``Sec. 249. National cyber emergencies.
``Sec. 250. Enforcement.
``Sec. 251. Protection of information.
``Sec. 252. Sector-specific agencies.
``Sec. 253. Strategy for Federal cybersecurity supply chain management.
``Sec. 254. Covered critical infrastructure.''.