[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3523 Reported in House (RH)]

                                                 Union Calendar No. 311
112th CONGRESS
   2d Session
                                H. R. 3523

                          [Report No. 112-445]

  To provide for the sharing of certain cyber threat intelligence and 
    cyber threat information between the intelligence community and 
            cybersecurity entities, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           November 30, 2011

Mr. Rogers of Michigan (for himself, Mr. Ruppersberger, Mr. King of New 
York, Mr. Upton, Mrs. Myrick, Mr. Langevin, Mr. Conaway, Mr. Miller of 
    Florida, Mr. Boren, Mr. LoBiondo, Mr. Chandler, Mr. Nunes, Mr. 
 Gutierrez, Mr. Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck, Mr. 
Dicks, Mr. McCaul, Mr. Walden, Mr. Calvert, Mr. Shimkus, Mr. Terry, Mr. 
   Burgess, Mr. Gingrey of Georgia, Mr. Thompson of California, Mr. 
   Kinzinger of Illinois, Mr. Amodei, and Mr. Pompeo) introduced the 
     following bill; which was referred to the Select Committee on 
                    Intelligence (Permanent Select)

                             April 17, 2012

     Additional sponsors: Mr. Latta, Mr. Quayle, Mr. McHenry, Mr. 
    Frelinghuysen, Mr. Yoder, Mr. Walberg, Mr. Camp, Ms. Eshoo, Mr. 
  Michaud, Mrs. McMorris Rodgers, Mr. Sullivan, Mr. McKinley, Ms. Ros-
Lehtinen, Mr. Coffman of Colorado, Mr. Goodlatte, Mr. Wolf, Mr. Forbes, 
Mr. Gary G. Miller of California, Mr. Stearns, Mr. Issa, Mr. Cole, Mr. 
Turner of Ohio, Mr. Brooks, Mr. Huizenga of Michigan, Mr. Carter, Mrs. 
 Hartzler, Mr. Grimm, Mrs. Miller of Michigan, Mr. Guthrie, Mr. Rogers 
of Alabama, Mr. Benishek, Mr. Broun of Georgia, Mr. Lance, Mr. Hastings 
  of Washington, Mr. Davis of Kentucky, Mr. Meehan, Mr. Shuster, Mr. 
 Olson, Mr. Kline, Mrs. Bono Mack, Mr. Bachus, Mr. Schock, Mr. Roe of 
   Tennessee, Mr. Fleischmann, Mr. Baca, Mr. Boswell, Mrs. Noem, Mr. 
  Wittman, Mr. Hultgren, Mrs. Blackburn, Mr. Hastings of Florida, Mr. 
  Hurt, Mr. Johnson of Ohio, Mr. Smith of Nebraska, Mr. Crawford, Mr. 
Franks of Arizona, Mr. Larsen of Washington, Mr. Sires, Mr. Towns, Ms. 
Bordallo, Mr. Ross of Arkansas, Mr. Cooper, Mr. Pitts, Mr. Runyan, Mr. 
Costa, Mr. Cardoza, Mr. Woodall, Mr. Bartlett, Mr. Shuler, Mr. Stivers, 
 Mr. Wilson of South Carolina, Mr. McIntyre, Mr. Kissell, Mr. Scalise, 
  Mr. Bilbray, Mr. Griffith of Virginia, Mr. Peterson, Mr. Owens, Mr. 
  Mulvaney, Mr. Hall, Mr. Cuellar, Mr. Lamborn, Mr. Austria, and Mr. 
                                 McKeon

                             April 17, 2012

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
    [For text of introduced bill, see copy of bill as introduced on 
                           November 30, 2011]

_______________________________________________________________________

                                 A BILL


 
  To provide for the sharing of certain cyber threat intelligence and 
    cyber threat information between the intelligence community and 
            cybersecurity entities, and for other purposes.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Intelligence Sharing and 
Protection Act''.

SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.

    (a) In General.--Title XI of the National Security Act of 1947 (50 
U.S.C. 442 et seq.) is amended by adding at the end the following new 
section:

          ``cyber threat intelligence and information sharing

    ``Sec. 1104.  (a) Intelligence Community Sharing of Cyber Threat 
Intelligence With Private Sector.--
            ``(1) In general.--The Director of National Intelligence 
        shall establish procedures to allow elements of the 
        intelligence community to share cyber threat intelligence with 
        private-sector entities and to encourage the sharing of such 
        intelligence.
            ``(2) Sharing and use of classified intelligence.--The 
        procedures established under paragraph (1) shall provide that 
        classified cyber threat intelligence may only be--
                    ``(A) shared by an element of the intelligence 
                community with--
                            ``(i) certified entities; or
                            ``(ii) a person with an appropriate 
                        security clearance to receive such cyber threat 
                        intelligence;
                    ``(B) shared consistent with the need to protect 
                the national security of the United States; and
                    ``(C) used by a certified entity in a manner which 
                protects such cyber threat intelligence from 
                unauthorized disclosure.
            ``(3) Security clearance approvals.--The Director of 
        National Intelligence shall issue guidelines providing that the 
        head of an element of the intelligence community may, as the 
        head of such element considers necessary to carry out this 
        subsection--
                    ``(A) grant a security clearance on a temporary or 
                permanent basis to an employee or officer of a 
                certified entity;
                    ``(B) grant a security clearance on a temporary or 
                permanent basis to a certified entity and approval to 
                use appropriate facilities; and
                    ``(C) expedite the security clearance process for a 
                person or entity as the head of such element considers 
                necessary, consistent with the need to protect the 
                national security of the United States.
            ``(4) No right or benefit.--The provision of information to 
        a private-sector entity under this subsection shall not create 
        a right or benefit to similar information by such entity or any 
        other private-sector entity.
    ``(b) Private Sector Use of Cybersecurity Systems and Sharing of 
Cyber Threat Information.--
            ``(1) In general.--
                    ``(A) Cybersecurity providers.--Notwithstanding any 
                other provision of law, a cybersecurity provider, with 
                the express consent of a protected entity for which 
                such cybersecurity provider is providing goods or 
                services for cybersecurity purposes, may, for 
                cybersecurity purposes--
                            ``(i) use cybersecurity systems to identify 
                        and obtain cyber threat information to protect 
                        the rights and property of such protected 
                        entity; and
                            ``(ii) share such cyber threat information 
                        with any other entity designated by such 
                        protected entity, including, if specifically 
                        designated, the Federal Government.
                    ``(B) Self-protected entities.--Notwithstanding any 
                other provision of law, a self-protected entity may, 
                for cybersecurity purposes--
                            ``(i) use cybersecurity systems to identify 
                        and obtain cyber threat information to protect 
                        the rights and property of such self-protected 
                        entity; and
                            ``(ii) share such cyber threat information 
                        with any other entity, including the Federal 
                        Government.
            ``(2) Use and protection of information.--Cyber threat 
        information shared in accordance with paragraph (1)--
                    ``(A) shall only be shared in accordance with any 
                restrictions placed on the sharing of such information 
                by the protected entity or self-protected entity 
                authorizing such sharing, including appropriate 
                anonymization or minimization of such information;
                    ``(B) may not be used by an entity to gain an 
                unfair competitive advantage to the detriment of the 
                protected entity or the self-protected entity 
                authorizing the sharing of information; and
                    ``(C) if shared with the Federal Government--
                            ``(i) shall be exempt from disclosure under 
                        section 552 of title 5, United States Code;
                            ``(ii) shall be considered proprietary 
                        information and shall not be disclosed to an 
                        entity outside of the Federal Government except 
                        as authorized by the entity sharing such 
                        information; and
                            ``(iii) shall not be used by the Federal 
                        Government for regulatory purposes.
            ``(3) Exemption from liability.--No civil or criminal cause 
        of action shall lie or be maintained in Federal or State court 
        against a protected entity, self-protected entity, 
        cybersecurity provider, or an officer, employee, or agent of a 
        protected entity, self-protected entity, or cybersecurity 
        provider, acting in good faith--
                    ``(A) for using cybersecurity systems or sharing 
                information in accordance with this section; or
                    ``(B) for not acting on information obtained or 
                shared in accordance with this section.
            ``(4) Relationship to other laws requiring the disclosure 
        of information.--The submission of information under this 
        subsection to the Federal Government shall not satisfy or 
        affect any requirement under any other provision of law for a 
        person or entity to provide information to the Federal 
        Government.
    ``(c) Federal Government Use of Information.--
            ``(1) Limitation.--The Federal Government may use cyber 
        threat information shared with the Federal Government in 
        accordance with subsection (b) for any lawful purpose only if--
                    ``(A) the use of such information is not for a 
                regulatory purpose; and
                    ``(B) at least one significant purpose of the use 
                of such information is--
                            ``(i) a cybersecurity purpose; or
                            ``(ii) the protection of the national 
                        security of the United States.
            ``(2) Affirmative search restriction.--The Federal 
        Government may not affirmatively search cyber threat 
        information shared with the Federal Government under subsection 
        (b) for a purpose other than a purpose referred to in paragraph 
        (1)(B).
            ``(3) Anti-tasking restriction.--Nothing in this section 
        shall be construed to permit the Federal Government to--
                    ``(A) require a private-sector entity to share 
                information with the Federal Government; or
                    ``(B) condition the sharing of cyber threat 
                intelligence with a private-sector entity on the 
                provision of cyber threat information to the Federal 
                Government.
    ``(d) Report on Information Sharing.--
            ``(1) Report.--The Inspector General of the Intelligence 
        Community shall annually submit to the congressional 
        intelligence committees a report containing a review of the use 
        of information shared with the Federal Government under this 
        section, including--
                    ``(A) a review of the use by the Federal Government 
                of such information for a purpose other than a 
                cybersecurity purpose;
                    ``(B) a review of the type of information shared 
                with the Federal Government under this section;
                    ``(C) a review of the actions taken by the Federal 
                Government based on such information;
                    ``(D) appropriate metrics to determine the impact 
                of the sharing of such information with the Federal 
                Government on privacy and civil liberties, if any; and
                    ``(E) any recommendations of the Inspector General 
                for improvements or modifications to the authorities 
                under this section.
            ``(2) Form.--Each report required under paragraph (1) shall 
        be submitted in unclassified form, but may include a classified 
        annex.
    ``(e) Federal Preemption.--This section supersedes any statute of a 
State or political subdivision of a State that restricts or otherwise 
expressly regulates an activity authorized under subsection (b).
    ``(f) Savings Clause.--Nothing in this section shall be construed 
to limit any other authority to use a cybersecurity system or to 
identify, obtain, or share cyber threat intelligence or cyber threat 
information.
    ``(g) Definitions.--In this section:
            ``(1) Certified entity.--The term `certified entity' means 
        a protected entity, self-protected entity, or cybersecurity 
        provider that--
                    ``(A) possesses or is eligible to obtain a security 
                clearance, as determined by the Director of National 
                Intelligence; and
                    ``(B) is able to demonstrate to the Director of 
                National Intelligence that such provider or such entity 
                can appropriately protect classified cyber threat 
                intelligence.
            ``(2) Cyber threat information.--The term `cyber threat 
        information' means information directly pertaining to a 
        vulnerability of, or threat to, a system or network of a 
        government or private entity, including information pertaining 
        to the protection of a system or network from--
                    ``(A) efforts to degrade, disrupt, or destroy such 
                system or network; or
                    ``(B) theft or misappropriation of private or 
                government information, intellectual property, or 
                personally identifiable information.
            ``(3) Cyber threat intelligence.--The term `cyber threat 
        intelligence' means information in the possession of an element 
        of the intelligence community directly pertaining to a 
        vulnerability of, or threat to, a system or network of a 
        government or private entity, including information pertaining 
        to the protection of a system or network from--
                    ``(A) efforts to degrade, disrupt, or destroy such 
                system or network; or
                    ``(B) theft or misappropriation of private or 
                government information, intellectual property, or 
                personally identifiable information.
            ``(4) Cybersecurity provider.--The term `cybersecurity 
        provider' means a non-governmental entity that provides goods 
        or services intended to be used for cybersecurity purposes.
            ``(5) Cybersecurity purpose.--The term `cybersecurity 
        purpose' means the purpose of ensuring the integrity, 
        confidentiality, or availability of, or safeguarding, a system 
        or network, including protecting a system or network from--
                    ``(A) efforts to degrade, disrupt, or destroy such 
                system or network; or
                    ``(B) theft or misappropriation of private or 
                government information, intellectual property, or 
                personally identifiable information.
            ``(6) Cybersecurity system.--The term `cybersecurity 
        system' means a system designed or employed to ensure the 
        integrity, confidentiality, or availability of, or safeguard, a 
        system or network, including protecting a system or network 
        from--
                    ``(A) efforts to degrade, disrupt, or destroy such 
                system or network; or
                    ``(B) theft or misappropriation of private or 
                government information, intellectual property, or 
                personally identifiable information.
            ``(7) Protected entity.--The term `protected entity' means 
        an entity, other than an individual, that contracts with a 
        cybersecurity provider for goods or services to be used for 
        cybersecurity purposes.
            ``(8) Self-protected entity.--The term `self-protected 
        entity' means an entity, other than an individual, that 
        provides goods or services for cybersecurity purposes to 
        itself.''.
    (b) Procedures and Guidelines.--The Director of National 
Intelligence shall--
            (1) not later than 60 days after the date of the enactment 
        of this Act, establish procedures under paragraph (1) of 
        section 1104(a) of the National Security Act of 1947, as added 
        by subsection (a) of this section, and issue guidelines under 
        paragraph (3) of such section 1104(a); and
            (2) following the establishment of such procedures and the 
        issuance of such guidelines, expeditiously distribute such 
        procedures and such guidelines to appropriate Federal 
        Government and private-sector entities.
    (c) Initial Report.--The first report required to be submitted 
under subsection (d) of section 1104 of the National Security Act of 
1947, as added by subsection (a) of this section, shall be submitted 
not later than one year after the date of the enactment of this Act.
    (d) Table of Contents Amendment.--The table of contents in the 
first section of the National Security Act of 1947 is amended by adding 
at the end the following new item:

``Sec. 1104. Cyber threat intelligence and information sharing.''.