
	
		IB
		Union Calendar No. 501
		112th CONGRESS
		2d Session
		H. R. 3674
		[Report No. 112–592, Part I]
		IN THE HOUSE OF REPRESENTATIVES

		December 15, 2011
		Mr. Daniel E. Lungren of California (for himself, Mr. King of New York, Mr. McCaul, Mr. Bilirakis, Mrs. Miller of Michigan, Mr. Walberg, Mr. Marino, Mr. Long, Mr. Turner of New York, Mr. Stivers, and Mr. Langevin) introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committees on Oversight and Government Reform, Science, Space, and Technology, the Judiciary, and Select Intelligence (Permanent Select), for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

		July 11, 2012
		Reported from the Committee on Homeland Security with an amendment
		Strike out all after the enacting clause and insert the part printed in italic

		July 11, 2012
		The Committees on Oversight and Government Reform, Science, Space, and Technology, the Judiciary, and the Permanent Select Committee on Intelligence discharged; referred to the Committee on Energy and Commerce for a period ending not later than September 21, 2012, for consideration of such provisions of the bill and amendment as fall within the jurisdiction of that committee pursuant to clause 1(f) of rule X.

		September 21, 2012
		Additional sponsor: Mr. Meehan

		September 21, 2012
		Deleted sponsor: Mr. Langevin (added December 15, 2011; deleted April 25, 2012)

		September 21, 2012
		The Committee on Energy and Commerce discharged; committed to the Committee of the Whole House on the State of the Union and ordered to be printed
		For text of introduced bill, see copy of bill as introduced on December 15, 2011

		A BILL
		To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.
	
	
		1. Short title. This Act may be cited as the “Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2012” or the “PRECISE Act of 2012”.
		2. Department of Homeland Security cybersecurity activities
			(a) In general. Subtitle C of title II of the Homeland Security Act of 2002 is amended by adding at the end the following new sections:
				
					226. Department of Homeland Security cybersecurity activities
						(a) In general. The Secretary shall perform necessary activities to help
				facilitate the protection of Federal systems and, solely upon the request of
				critical infrastructure owners and operators, assist such critical
				infrastructure owners and operators in protecting their critical infrastructure
				information systems to include—
							(1)conduct risk assessments,
				subject to the availability of resources and, solely upon request from critical
				infrastructure owners and operators, critical infrastructure information
				systems;
							(2)assist in fostering the
				development, in conjunction with the National Institute of Standards and
				Technology and other Federal departments and agencies and the private sector,
				of essential information security technologies and capabilities for protecting
				Federal systems and critical infrastructure information systems, including
				comprehensive protective capabilities and other technological solutions;
							(3)assist in efforts to
				mitigate communications and information technology supply chain
				vulnerabilities;
							(4)support nationwide
				awareness and outreach efforts, to include participation in appropriate
				interagency cybersecurity awareness and education programs, to educate the
				public;
							(5)conduct exercises,
				simulations, and other activities designed to support and evaluate the national
				cyber incident response plan; and
							(6)subject to the
				availability of resources and, upon request of critical infrastructure owners
				and operators, provide technical assistance, including sending on-site teams,
				to such critical infrastructure owners and operators.
							(b) Interagency duties. At the direction of
				the Office of Management and Budget pursuant to subchapter II of chapter 35 of
				title 44, United States Code, the Secretary shall—
							(1)conduct targeted risk
				assessments and operational evaluations, in conjunction with the heads of other
				agencies, for Federal systems that may include threat, vulnerability, and
				impact assessments and penetration testing;
							(2)in conjunction with the National Institute
				of Standards and Technology and appropriate Federal departments and agencies,
				as well as the private sector, provide for the use of consolidated intrusion
				detection, prevention, or other protective capabilities and use associated
				countermeasures for the purpose of protecting Federal systems from
				cybersecurity threats;
							(3)in conjunction with other
				agencies and the private sector, assess and foster the development of
				information security technologies and capabilities for use and dissemination
				throughout the Department of Homeland Security and to be made available across
				multiple agencies;
							(4)designate an entity
				within the Department of Homeland Security to receive reports and information
				about cybersecurity incidents, threats, and vulnerabilities affecting Federal
				systems; and
							(5)provide incident
				detection, analysis, mitigation, and response information and remote or on-site
				technical assistance for Federal systems.
							(c) Cybersecurity operational activity
							(1) In general. While carrying out
				the responsibilities authorized in paragraphs (2) and (3) of subsection (b),
				the Secretary is authorized, notwithstanding any other provision of law, to
				acquire, intercept, retain, use, and disclose communications and other system
				traffic that are transiting to or from or stored on Federal systems and to
				deploy countermeasures with regard to such communications and system traffic
				for cybersecurity purposes if the Secretary certifies that—
								(A)such acquisitions,
				interceptions, and countermeasures are reasonably necessary for the purpose of
				protecting Federal systems from cybersecurity threats;
								(B)the content of
				communications will be collected and retained only when the communication is
				associated with a known or reasonably suspected cybersecurity threat and
				communications and system traffic will not be subject to the operation of a
				countermeasure unless associated with such threats;
								(C)information obtained
				pursuant to activities authorized under this subsection will only be retained,
				used, or disclosed to protect Federal systems from cybersecurity threats,
				mitigate against such threats, or, with the approval of the Attorney General,
				for law enforcement purposes when the information is evidence of a crime which
				has been, is being, or is about to be committed;
								(D)notice has been provided
				to users of Federal systems concerning the potential for acquisition,
				interception, retention, use, and disclosure of communications and other system
				traffic; and
								(E)such activities are
				implemented pursuant to policies and procedures governing the acquisition,
				interception, retention, use, and disclosure of communications and other system
				traffic that have been reviewed and approved by the Attorney General.
								(2) Obtaining assistance. The Secretary may enter into contracts or other
				agreements, or otherwise request and obtain the assistance of, private entities
				that provide electronic communication or cybersecurity services to acquire,
				intercept, retain, use, and disclose communications and other system traffic
				consistent with paragraph (1).
							(3) Permission by other agencies. Agencies are authorized to permit the Secretary, or a
				private entity providing assistance to the Secretary under paragraph (2), to
				acquire, intercept, retain, use, or disclose communications, system traffic,
				records, or other information transiting to or from or stored on a Federal
				system, notwithstanding any other provision of law, for the purpose of
				protecting Federal systems from cybersecurity threats or mitigating such
				threats in connection with activities under this subsection.
							(4) Privileged communications. No otherwise privileged communication obtained in
				accordance with, or in violation of, this subtitle shall lose its privileged
				character.
							(d) Coordination
							(1) Coordination with other entities. In carrying out cybersecurity activities subsection (a),
				the Secretary shall coordinate, as appropriate, with—
								(A)the head of relevant
				Federal departments or agencies;
								(B)representatives of State
				and local governments;
								(C)owners and operators of
				critical infrastructure;
								(D)suppliers of technology
				for owners and operators of critical infrastructure;
								(E)academia; and
								(F)international
				organizations and foreign partners.
								(2) Lead DHS cybersecurity official. The Secretary shall designate a lead cybersecurity
				official within the Department to provide leadership to the cybersecurity
				activities of the Department and to ensure that the Department’s cybersecurity
				activities under this subtitle are coordinated with all other infrastructure
				protection and cyber-related programs and activities of the Department,
				including those of any intelligence or law enforcement components or entities
				within the Department.
							(3) Reports to Congress. The lead DHS cybersecurity official shall make annual
				reports to the appropriate committees of Congress on the coordination of
				cyber-related programs across the Department.
							(e) Strategy. In
				carrying out the cybersecurity activities of the Department under subsection
				(a), the Secretary shall develop and maintain a strategy that—
							(1)articulates the actions
				of the Department that are necessary to assure the readiness, reliability,
				continuity, integrity, and resilience of Federal systems and critical
				infrastructure information systems;
							(2)includes explicit goals
				and objectives for the Department as well as specific timeframes for
				achievement of stated goals and objectives by the Department;
							(3)fosters the continued
				superiority and reliability of the United States information technology and
				communications sectors; and
							(4)ensures that activities
				of the Department are undertaken in a manner that protects statutory privacy
				rights and civil liberties of United States persons.
							(f) No right or benefit. The provision of assistance or information to critical
				infrastructure owners and operators, upon request of such critical
				infrastructure owners and operators, under this section shall be at the
				discretion of the Secretary and subject to the availability of resources. The
				provision of certain assistance or information to one critical infrastructure
				owner or and operator pursuant to this section shall not create a right or
				benefit, substantive or procedural, to similar assistance or information for
				any other critical infrastructure owner or and operator.
						(g) Privacy officer oversight. The Privacy Officer
				of the Department of Homeland Security shall review on an ongoing basis, and
				prepare, as necessary, privacy impact assessments on, the cybersecurity
				policies, programs, and activities of the Department of Homeland Security for
				such purposes as ensuring compliance with all relevant constitutional and legal
				protections.
						(h) Savings clause. Nothing in this subtitle shall be interpreted to—
							(1)alter or amend the
				authorities of any Federal department or agency other than the Department of
				Homeland Security, including the law enforcement or intelligence authorities of
				any such Federal department or agency or the authority of any such Federal
				department or agency to protect sources and methods and the national
				security;
							(2)limit or modify an
				existing information sharing or other relationship;
							(3)prohibit a new
				information sharing or other relationship;
							(4)require a new information
				sharing or other relationship between the Federal Government and a private
				sector entity;
							(5)alter or otherwise limit the authority of
				any Federal department or agency to also undertake any activities that the
				Department of Homeland Security is authorized to undertake pursuant to this
				section; or
							(6)provide additional
				authority to, or modify an existing authority of the Department of Homeland
				Security to control, modify, require, or otherwise direct the cybersecurity
				efforts of a private-sector entity or a component of the Federal Government or
				a State, local, or tribal government.
							(i) Definitions. In this section:
							(1) The term “countermeasure”
				means automated actions with defensive intent to modify or block data packets
				associated with electronic or wire communications, internet traffic, program
				code, or other system traffic transiting to or from or stored on an information
				system for the purpose of protecting the information system from cybersecurity
				threats.
							(2) The term “Federal systems”
				means information systems owned, operated, leased, or otherwise controlled by a
				Federal department or agency, or on behalf of a Federal department or agency,
				except for national security systems or those information systems under the
				control of, used by, or storing information of the Department of Defense or any
				element of the Intelligence Community, including any information systems used
				or operated by a contractor of the Department of Defense or any element of the
				Intelligence Community, or other organization on behalf of the Department of
				Defense or any element of the Intelligence Community.
							(3) The term “critical infrastructure information systems” means any information system that
				is—
								(A)vital to the functioning
				of critical infrastructure as defined in section 5195c(e) of title 42, United
				States Code; or
								(B)owned or operated by or
				on behalf of a State or local government entity that is necessary to ensure
				essential government operations continue.
								(4) The term “information system” means any equipment or interconnected system
				or subsystem of equipment that is used in the automatic acquisition, storage,
				manipulation, management, movement, control, display, switching, interchange,
				transmission, or reception of data or information, and includes—
								(A)computers and computer
				networks;
								(B)ancillary
				equipment;
								(C)software, firmware, and
				related procedures;
								(D)services, including
				support services; and
								(E)related resources.
								(5) The term “national security system” means any information infrastructure (including any
				telecommunications system) used or operated by an agency, by a contractor of an
				agency, or by another organization on behalf of an agency—
								(A)the function, operation,
				or use of which—
									(i)involves intelligence
				activities or intelligence-related activities;
									(ii)involves cryptologic
				activities related to national security;
									(iii)involves command and
				control of military forces;
									(iv)involves equipment that
				is an integral part of a weapon or weapons system; or
									(v)is critical to the direct
				fulfillment of military or intelligence missions;
									(B)that contains information
				related to the activities and other matters set forth in subparagraph (A);
				or
								(C)that is protected by
				procedures established for classified, national security, foreign policy,
				intelligence or intelligence-related, or other appropriate information.
								227. Personnel authorities related to the Office of Cybersecurity and Communications
						(a) In general. In order to assure that the Department has the necessary
				resources to carry out the mission set forth in section 226, the Secretary may,
				as necessary, convert competitive service positions, and the incumbents of such
				positions, within the Office of Cybersecurity and Communications to excepted
				service, or may establish new positions within the Office of Cybersecurity and
				Communications in the excepted service, to the extent that the Secretary
				determines such positions are necessary to carry out the cybersecurity
				functions of the Department.
						(b) Compensation. The Secretary may—
							(1)fix the compensation of
				individuals who serve in positions referred to in subsection (a) in relation to
				the rates of pay provided for comparable positions in the Department and
				subject to the same limitations on maximum rates of pay established for
				employees of the Department by law or regulations; and
							(2)provide additional forms
				of compensation, including benefits, incentives, and allowances, that are
				consistent with and not in excess of the level authorized for comparable
				positions authorized under title 5, United States Code.
							(c) Retention bonuses. Notwithstanding any other provision of law, the Secretary
				may pay a retention bonus to any employee appointed under this section, if the
				Secretary determines that the bonus is needed to retain essential personnel.
				Before announcing the payment of a bonus under this subsection, the Secretary
				shall submit a written explanation of such determination to the Committee on
				Homeland Security of the House of Representatives and the Committee on Homeland
				Security and Governmental Affairs of the Senate.
						(d) Annual report. Not later than one year after the date of the enactment of
				this section, and annually thereafter, the Secretary shall submit to
				appropriate Congressional committees a detailed report that includes, for the
				period covered by the report—
							(1)a discussion the
				Secretary’s use of the flexible authority authorized under this section to
				recruit and retain qualified employees;
							(2)metrics on relevant
				personnel actions, including—
								(A)the number of qualified
				employees hired by occupation and grade, level, or pay band;
								(B)the total number of
				veterans hired;
								(C)the number of separations
				of qualified employees;
								(D)the number of retirements
				of qualified employees; and
								(E)the number and amounts of
				recruitment, relocation, and retention incentives paid to qualified employees
				by occupation and grade, level, or pay band; and
								(3)long-term and short-term
				strategic goals to address critical skills deficiencies, including an analysis
				of the numbers of and reasons for attrition of employees and barriers to
				recruiting and hiring individuals qualified in cybersecurity.
							228. Federal preemption, exclusivity, and law enforcement and intelligence activities
						(a) Preemption. This subtitle supersedes any statute of a
				State or political subdivision of a State that restricts or otherwise expressly
				regulates the acquisition, interception, retention, use, or disclosure of
				communications, records, or other information by private entities or
				governmental entities to the extent such statute is inconsistent with this
				subtitle.
						(b) Additional exclusive means. Section 226(c) constitutes an additional exclusive means
				for the domestic interception of wire or electronic communications, in
				accordance with the provisions of law codified at section 1812(b) of title 50,
				United States Code.
						(c) Limitation. This
				subtitle does not authorize the Secretary to engage in law enforcement or
				intelligence activities that the Department is not otherwise authorized to
				conduct under existing
				law.
						.
			(b) Clerical amendment. The table of contents in section 1(b) of such Act is
			 amended by inserting after the item relating to section 225 the following new
			 items:
				
					
						Sec. 226. Department of Homeland Security
				cybersecurity activities.
						Sec. 227. Personnel authorities related to the
				Office of Cybersecurity and Communications.
						Sec. 228. Federal preemption, exclusivity, and
				law enforcement and intelligence
				activities.
					
					.
			(c) Plan for execution of authorities. Not later than 120 days after the date of the
			 enactment of this Act, the Secretary of Homeland Security shall submit to the
			 Committee on Homeland Security of the House of Representatives and the
			 Committee on Homeland Security and Governmental Affairs of the Senate a report
			 containing a plan for the execution of the authorities contained in the
			 amendment made by subsection (a).
			3. Department of Homeland Security cybersecurity information sharing
			(a) Department of Homeland Security cybersecurity information sharing
				(1) In general. Title II of the Homeland Security Act of 2002, as amended
			 by section 2, is further amended by adding at the end the following:
					
						Subtitle E. Department of Homeland Security Cybersecurity Information Sharing
							241. Information sharing. The Secretary shall
				make appropriate cyber threat information obtained by the Department pursuant
				to title XI of the National Security Act of 1947 or other information
				appropriately in the possession of the Department available to appropriate
				owners and operators of critical infrastructure on a timely basis consistent
				with the statutory and other appropriate restrictions on the dissemination of
				such information and with the responsibilities of the Secretary under this
				title.
							242. Establishment of National Cybersecurity and Communications Integration Center
								(a) Establishment. There
				is established within the Department the National Cybersecurity and
				Communications Integration Center.
								(b) Purpose. The
				center established pursuant to subsection (a) shall be the primary entity
				within the Department for sharing timely cyber threat information and
				exchanging technical assistance, advice, and support with appropriate entities
				pursuant to the Department’s authorities.
								243. Board of advisors
								(a) In general. The National Cybersecurity and Communications Integration
				Center shall have a board of advisors which shall advise the Secretary on the
				efficient operation of the National Cybersecurity and Communications
				Integration Center.
								(b) Composition. The
				board shall be composed of 13 members, including the following:
									(1)Eleven representatives
				from the critical infrastructure sectors enumerated in the National
				Infrastructure Protection Plan, of which at least one member shall represent a
				small business interest and at least one member shall represent each of the
				following sectors:
										(A)Banking and
				finance.
										(B)Communications.
										(C)Defense industrial
				base.
										(D)Energy, electricity
				subsector.
										(E)Energy, oil, and natural
				gas subsector.
										(F) Health care and public health.
										(G)Information
				technology.
										(H)Water.
										(I)Chemical.
										(2)Two representatives from
				the privacy and civil liberties community.
									(3)The Chair of the National
				Council of Information Sharing and Analysis Centers.
									(c) Initial appointment. Not later than 30 days after the date of the
				enactment of this subtitle, the Secretary of Homeland Security, in consultation
				with the heads of the sector specific agencies of the critical infrastructure
				sectors enumerated in the National Infrastructure Protection Plan, shall
				appoint the members of the board described under subsection (b) from
				individuals identified by the sector coordinating councils of the critical
				infrastructure sectors enumerated in the National Infrastructure Protection
				Plan.
								(d) Terms
									(1) Critical infrastructure representatives. Each member of the board described in subsection
				(b)(1) shall be appointed for a term that is not less than one year and not
				longer than three years from the date of the member’s appointment, as
				determined by the member’s sector coordinating council.
									(2) Other representatives. Each member of the board described in subsection
				(b)(2) or (3) shall serve an initial term that is not less than two years and
				not longer than three years from the date of the member’s appointment, and each
				such member shall select the member’s successor.
									(e) Duties. The
				board shall—
									(1)meet not less frequently
				than quarterly;
									(2)act as an advocate on
				behalf of the private sector in improving the operations of the National
				Cybersecurity Communications Integration Center; and
									(3)submit to the Secretary
				and the appropriate committees of Congress the annual report described in
				section 247.
									(f) Access to information. The members of the board shall, subject to the laws
				and procedures applicable to national security background investigations and
				security clearances, be provided with the appropriate security clearances and
				have access to appropriate information shared with the National Cybersecurity
				and Communications Integration Center and shall be subject to all of the
				limitations on the use of such information.
								(g) Sub-boards. The
				board shall have the authority to constitute such sub-boards, or other advisory
				groups or panels, as may be necessary to assist the board in carrying out its
				functions under this section.
								244. Charter. The Secretary shall develop a charter to
				govern the operations and administration of the National Cybersecurity and
				Communications Integration Center consistent with the requirements of title XI
				of the National Security Act of 1947. The charter shall include each of the
				following:
								(1)The organizational
				structure of the National Cybersecurity and Communications Integration Center,
				including a delineation of the mission expectations and responsibilities of the
				various elements assigned to the Center.
								(2)A mission statement of
				the National Cybersecurity and Communications Integration Center.
								(3)A plan that promotes
				broad participation by large, medium, and small business owners and operators
				of networks or systems in the private sector, entities operating critical
				infrastructure, educational institutions, State, tribal, and local governments,
				and the Federal Government.
								(4)Procedures for making appropriate cyber
				incident information available to outside groups for academic research and
				insurance actuarial purposes.
								245. Participation. Not later than 90 days after the date of the
				enactment of this subtitle, the Secretary shall publish the criteria and
				procedures for voluntary participation and voluntary physical collocation by
				appropriate Federal, State and local government departments, agencies and
				entities, and private sector businesses and organizations within the National
				Cybersecurity and Communications Integration Center.
							246. Annual report. The board of advisors
				of the National Cybersecurity Communications Integration Center shall submit to
				the Secretary and the appropriate committees of Congress an annual report on
				the status of the National Cybersecurity Communications Integration Center and
				how the Center accomplished its purpose under section 242 during the year
				covered by the report. Each such report shall include, for the year covered by
				the report—
								(1)information on the amount
				and nature of information shared by and through the Center;
								(2)the number of violations
				of statutory information sharing restrictions and the procedures established
				for the Center and any steps taken by the Center to reduce and eliminate such
				violations;
								(3)any changes to the
				Center’s charter as agreed upon by the board and the membership; and
								(4)proposed ways to improve
				information sharing by and through the Center.
								247. Authority to issue warnings. The Secretary may, in
				coordination with appropriate Federal departments and agencies, provide
				advisories, alerts, and warnings to relevant companies, targeted sectors, other
				government entities, or the general public regarding potential cybersecurity
				threats as appropriate. In issuing such an advisory, alert, or warning, the
				Secretary shall not disclose—
								(1)without the express
				consent of an entity voluntarily sharing information with the Federal
				Government pursuant to title XI of the National Security Act of 1947 and the
				Federal department or agency that initially received such information, any such
				information that forms the basis for the advisory, alert, or warning or the
				source of such information;
								(2)information that is
				proprietary, business sensitive, relates specifically to the submitting person
				or entity, or is otherwise not appropriate for disclosure in the public domain;
				and
								(3)any information that is
				restricted by statute, rule, or regulation, including information restricted
				from disclosure under title XI of the National Security Act of 1947, and
				information relating to sources and methods and the national security of the
				United States.
								248. Definitions. In this subtitle:
								(1) Cyber threat information. The term “cyber threat information”
				means the information directly pertaining to a vulnerability of, or threat to,
				a system or network of a government or private entity, including information
				pertaining to the protection of a system or network from—
									(A)efforts to degrade,
				disrupt, or destroy such system or network; or
									(B)efforts to gain
				unauthorized access to a system or network, including efforts to gain such
				unauthorized access to steal or misappropriate private or government
				information.
									(2) Cybersecurity threat. The term “cybersecurity threat” means a
				vulnerability of, or threat to, a system or network of a government or private
				entity, including—
									(A)efforts to degrade,
				disrupt, or destroy such system or network; or
									(B)efforts to gain
				unauthorized access to a system or network, including efforts to gain such
				unauthorized access to steal or misappropriate private or government
				information.
									249. Savings clause. Nothing in this
				subtitle shall be interpreted to—
								(1)alter or amend the
				authorities of any Federal department or agency other than the Department of
				Homeland Security, including the law enforcement or intelligence authorities of
				any such Federal department or agency or the authority of any such Federal
				department or agency to protect sources and methods and the national
				security;
								(2)limit or modify an
				existing information sharing or other relationship;
								(3)prohibit a new
				information sharing or other relationship;
								(4)require a new information
				sharing or other relationship between the Federal Government and a private
				sector entity;
								(5)alter or otherwise limit the authority of
				any Federal department or agency to also undertake any activities that the
				Department of Homeland Security is authorized to undertake pursuant to this
				section; or
								(6)provide additional
				authority to, or modify an existing authority of the Department of Homeland
				Security to control, modify, require, or otherwise direct the cybersecurity
				efforts of a private-sector entity or a component of the Federal Government or
				a State, local, or tribal
				government.
								.
				(2) Clerical amendment. The table of contents in section 1(b) of such Act, as amended by section 2, is further amended by adding at the end of the items relating to title II the following new items:

							Subtitle E—Department of Homeland Security Cybersecurity Information Sharing
							Sec. 241. Information sharing.
							Sec. 242. Establishment of National Cybersecurity and Communications Integration Center.
							Sec. 243. Board of advisors.
							Sec. 244. Charter.
							Sec. 245. Participation.
							Sec. 246. Annual report.
							Sec. 247. Authority to issue warnings.
							Sec. 248. Definitions.
							Sec. 249. Savings clause.

				(b) Authorization of appropriation for the National Cybersecurity and Communications Integration Center. There is authorized to be appropriated $4,000,000 for each of fiscal years 2013, 2014, and 2015 for the administration and management of the National Cybersecurity and Communications Integration Center.
			4. Cybersecurity research and development
			(a) In general. Title III of the Homeland Security Act of 2002 is amended by adding at the end the following:
				
					318. Cybersecurity research and development
						(a) In general. The Under Secretary for Science and Technology shall support research, development, testing, evaluation, and transition of cybersecurity technology. Such support shall include fundamental, long-term research to improve the ability of the United States to prevent, protect against, detect, respond to, and recover from acts of terrorism and cyber attacks, with an emphasis on research and development relevant to attacks that would cause a debilitating impact on national security, national economic security, or national public health and safety.
						(b) Activities. The research and development testing, evaluation, and transition supported under subsection (a) shall include work to—
							(1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the domain name system and routing protocols;
							(2) improve, create, and advance the research and development of techniques and technologies for proactive detection and identification of threats, attacks, and acts of terrorism before they occur;
							(3) advance technologies for detecting attacks or intrusions, including real-time monitoring and real-time analytic technologies;
							(4) improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks and development of resilient networks and systems;
							(5) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, test beds, and data sets for assessment of new cybersecurity technologies;
							(6) assist in the development and support of technologies to reduce vulnerabilities in process control systems;
							(7) develop and support cyber forensics and attack attribution;
							(8) test, evaluate, and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle;
							(9) ensure new cybersecurity technology is scientifically and operationally validated; and
							(10) facilitate the planning, development, and implementation of international cooperative activities (as defined in section 317) to address cybersecurity and energy infrastructure with foreign public or private entities, governmental organizations, businesses (including small business concerns and social and economically disadvantaged small business concerns (as those terms are defined in sections 3 and 8 of the Small Business Act (15 U.S.C. 632 and 637) respectively)), federally funded research and development centers and universities from countries that may include Israel, the United Kingdom, Canada, Australia, Singapore, Germany, New Zealand, and other allies, as determined by the Secretary, in research and development of technologies, best practices, and other means to protect critical infrastructure, including the national electric grid.
						(c) Coordination. In carrying out this section, the Under Secretary shall coordinate all activities with—
							(1) the Under Secretary for National Protection and Programs Directorate; and
							(2) the heads of other relevant Federal departments and agencies, including the National Science Foundation, the Defense Advanced Research Projects Agency, the Information Assurance Directorate of the National Security Agency, the National Institute of Standards and Technology, the Department of Commerce, academic institutions, the Networking and Information Technology Research and Development Program, and other appropriate working groups established by the President to identify unmet needs and cooperatively support activities, as appropriate.
			(b) Clerical amendment. The table of contents in section 1(b) of such Act, as amended by sections 2 and 3, is further amended by inserting after the item relating to section 317 the following new item:

						Sec. 318. Cybersecurity research and development.

			5. Report on support for regional cybersecurity cooperatives
			(a) In general. Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on what support, if any, the Department of Homeland Security might provide to regional, State, and local grassroots cyber cooperatives.
			(b) Contents. The report shall include an analysis of the progress in establishing the NET Guard authorized under section 224 of the Homeland Security Act of 2002 (6 U.S.C. 144) to build a national technology guard for cyber response capabilities and an assessment of whether a grant process for pilot regional, State, or local cyber cooperatives would be beneficial. Such assessment should—
				(1) evaluate whether the grant process should include a methodology of identifying recognized national experts in relevant areas of science and technology, including agreed upon metrics measuring the expertise and demonstrated capabilities of such experts; and
				(2) address the following:
					(A) The appropriateness of the establishment and maintenance of a national volunteer experts registry system comprised of the demonstrated national experts described in this paragraph, together with information relating to their particular areas of expertise and who may be called upon to respond to a cyber incident.
					(B) The need to identify and leverage existing capabilities of cyber response and cyber workforce challenge programs in States, local governments, private sector entities, and non-profit organizations to potentially accelerate the implementation of the NET Guard.
					(C) The requirements for the implementation of a plan to improve national capability with minimum descriptions of the following:
						(i) How to evaluate the demonstrated national experts in relevant areas of science and technology.
						(ii) How to establish and maintain the national volunteer experts registry system.
						(iii) Potential funding models incorporating private sector funding.
			6. Cybersecurity Domestic Preparedness Consortium and cybersecurity training center
			(a) Cybersecurity domestic preparedness consortium
				(1) In general. The Secretary of Homeland Security may establish a consortium to be known as the Cybersecurity Domestic Preparedness Consortium.
				(2) Functions. The Consortium established under paragraph (1) may—
					(A) provide training to State and local first responders and officials specifically for preparing and responding to cybersecurity attacks;
					(B) develop and update a curriculum utilizing the DHS National Cyber Security Division sponsored Community Cyber Security Maturity Model (CCSMM) for State and local first responders and officials;
					(C) provide technical assistance services to build and sustain capabilities in support of cybersecurity preparedness and response; and
					(D) conduct cybersecurity training and simulation exercises to defend from and respond to cyber attacks.
				(3) Members. The Consortium shall consist of academic, nonprofit, and government partners that develop, update, and deliver cybersecurity training in support of homeland security.
			(b) Cybersecurity training center. As a part of the Cybersecurity Domestic Preparedness Consortium, the Secretary may establish where appropriate one or more cybersecurity training centers to provide training courses and other resources for State and local first responders and officials to improve preparedness and response capabilities.
			(c) Plan for fusion centers. The Cybersecurity Domestic Preparedness Consortium shall develop a plan to implement as one of the Cybersecurity Training Centers a one-year voluntary pilot program to test and assess the feasibility, costs, and benefits of providing cybersecurity training to State and local law enforcement personnel through the national network of fusion centers.
			(d) Pilot program
				(1) In general. Not later than one year after the date of the enactment of the Act, the Secretary shall implement a one-year voluntary pilot program to train State and local law enforcement personnel in the national network of fusion centers in cyber security standards, procedures, and best practices.
				(2) Curriculum and personnel. In creating the curriculum for the training program and conducting the program, the Secretary may assign personnel from the Department of Homeland Security, including personnel from the Office of Cybersecurity and Communications.
				(3) Coordination. The curriculum for the training and for conducting the program will be coordinated with that of the Cyber Security Domestic Preparedness Consortium.
			7. Savings clause. Nothing in this Act shall be interpreted to—
			(1) alter or amend the authorities of any Federal department or agency other than the Department of Homeland Security, including the law enforcement or intelligence authorities of any such Federal department or agency or the authority of any such Federal department or agency to protect sources and methods and the national security;
			(2) alter or otherwise limit the authority of any Federal department or agency to also undertake any activities that the Department of Homeland Security is authorized to undertake pursuant to this section; or
			(3) provide additional authority to, or modify an existing authority of the Department of Homeland Security to control, modify, require, or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government.
			
	
	
