[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[S. 2105 Placed on Calendar Senate (PCS)]

                                                       Calendar No. 323
112th CONGRESS
  2d Session
                                S. 2105

To enhance the security and resiliency of the cyber and communications 
                  infrastructure of the United States.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           February 14, 2012

  Mr. Lieberman (for himself, Ms. Collins, Mr. Rockefeller, and Mrs. 
Feinstein) introduced the following bill; which was read the first time

                           February 15, 2012

            Read the second time and placed on the calendar

_______________________________________________________________________

                                 A BILL


 
To enhance the security and resiliency of the cyber and communications 
                  infrastructure of the United States.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Cybersecurity Act 
of 2012''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
              TITLE I--PROTECTING CRITICAL INFRASTRUCTURE

Sec. 101. Definitions and responsibilities.
Sec. 102. Sector-by-sector cyber risk assessments.
Sec. 103. Procedure for designation of covered critical infrastructure.
Sec. 104. Sector-by-sector risk-based cybersecurity performance 
                            requirements.
Sec. 105. Security of covered critical infrastructure.
Sec. 106. Sector-specific agencies.
Sec. 107. Protection of information.
Sec. 108. Voluntary technical assistance.
Sec. 109. Emergency planning.
Sec. 110. International cooperation.
Sec. 111. Effect on other laws.
                TITLE II--PROTECTING GOVERNMENT NETWORKS

Sec. 201. FISMA Reform.
Sec. 202. Management of information technology.
Sec. 203. Savings provisions.
 TITLE III--CLARIFYING AND STRENGTHENING EXISTING ROLES AND AUTHORITIES

Sec. 301. Consolidation of existing departmental cyber resources and 
                            authorities.
      TITLE IV--EDUCATION, RECRUITMENT, AND WORKFORCE DEVELOPMENT

Sec. 401. Definitions.
Sec. 402. National education and awareness campaign.
Sec. 403. National cybersecurity competition and challenge.
Sec. 404. Federal cyber scholarship-for-service program.
Sec. 405. Assessment of cybersecurity Federal workforce.
Sec. 406. Federal cybersecurity occupation classifications.
Sec. 407. Training and education.
Sec. 408. Cybersecurity incentives.
                   TITLE V--RESEARCH AND DEVELOPMENT

Sec. 501. Federal cybersecurity research and development.
Sec. 502. Homeland security cybersecurity research and development.
         TITLE VI--FEDERAL ACQUISITION RISK MANAGEMENT STRATEGY

Sec. 601. Federal acquisition risk management strategy.
Sec. 602. Amendments to Clinger-Cohen provisions to enhance agency 
                            planning for information security needs.
                     TITLE VII--INFORMATION SHARING

Sec. 701. Affirmative authority to monitor and defend against 
                            cybersecurity threats.
Sec. 702. Voluntary disclosure of cybersecurity threat indicators among 
                            private entities.
Sec. 703. Cybersecurity exchanges.
Sec. 704. Voluntary disclosure of cybersecurity threat indicators to a 
                            cybersecurity exchange.
Sec. 705. Sharing of classified cybersecurity threat indicators.
Sec. 706. Limitation on liability and good faith defense for 
                            cybersecurity activities.
Sec. 707. Construction; Federal preemption.
Sec. 708. Definitions.
                  TITLE VIII--PUBLIC AWARENESS REPORTS

Sec. 801. Findings.
Sec. 802. Report on cyber incidents against Government networks.
Sec. 803. Reports on prosecution for cybercrime.
Sec. 804. Report on research relating to secure domain.
Sec. 805. Report on preparedness of Federal courts to promote 
                            cybersecurity.
Sec. 806. Report on impediments to public awareness.
Sec. 807. Report on protecting the electrical grid of the United 
                            States.
                  TITLE IX--INTERNATIONAL COOPERATION

Sec. 901. Definitions.
Sec. 902. Findings.
Sec. 903. Sense of Congress.
Sec. 904. Coordination of international cyber issues within the United 
                            States Government.
Sec. 905. Consideration of cybercrime in foreign policy and foreign 
                            assistance programs.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Commercial information technology product.--The term 
        ``commercial information technology product'' means a 
        commercial item that organizes or communicates information 
        electronically.
            (2) Commercial item.--The term ``commercial item'' has the 
        meaning given the term in section 103 of title 41, United 
        States Code.
            (3) Covered critical infrastructure.--The term ``covered 
        critical infrastructure'' means a system or asset designated by 
        the Secretary as covered critical infrastructure in accordance 
        with the procedure established under section 103.
            (4) Covered system or asset.--The term ``covered system or 
        asset'' means a system or asset of covered critical 
        infrastructure.
            (5) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given that term in section 
        1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).
            (6) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (7) Federal agency.--The term ``Federal agency'' has the 
        meaning given the term ``agency'' in section 3502 of title 44, 
        United States Code.
            (8) Federal information infrastructure.--The term ``Federal 
        information infrastructure''--
                    (A) means information and information systems that 
                are owned, operated, controlled, or licensed for use 
                by, or on behalf of, any Federal agency, including 
                information systems used or operated by another entity 
                on behalf of a Federal agency; and
                    (B) does not include--
                            (i) a national security system; or
                            (ii) information and information systems 
                        that are owned, operated, controlled, or 
                        licensed for use by, or on behalf of, the 
                        Department of Defense, a military department, 
                        or another element of the intelligence 
                        community.
            (9) Incident.--The term ``incident'' has the meaning given 
        that term in section 3552 of title 44, United States Code, as 
        added by section 201 of this Act.
            (10) Information infrastructure.--The term ``information 
        infrastructure'' means the underlying framework that 
        information systems and assets rely on to process, transmit, 
        receive, or store information electronically, including 
        programmable electronic devices and communications networks and 
        any associated hardware, software, or data.
            (11) Information sharing and analysis organization.--The 
        term ``Information Sharing and Analysis Organization'' has the 
        meaning given that term in section 212 of the Homeland Security 
        Act of 2002 (6 U.S.C. 131).
            (12) Information system.--The term ``information system'' 
        has the meaning given that term in section 3502 of title 44, 
        United States Code.
            (13) Institution of higher education.--The term 
        ``institution of higher education'' has the meaning given that 
        term in section 102 of the Higher Education Act of 1965 (20 
        U.S.C. 1002).
            (14) Intelligence community.--The term ``intelligence 
        community'' has the meaning given that term under section 3(4) 
        of the National Security Act of 1947 (50 U.S.C. 401a(4)).
            (15) National information infrastructure.--The term 
        ``national information infrastructure'' means information and 
        information systems--
                    (A) that are owned, operated, or controlled, in 
                whole or in part, within or from the United States; and
                    (B) that are not owned, operated, controlled, or 
                licensed for use by a Federal agency.
            (16) National security system.--The term ``national 
        security system'' has the meaning given that term in section 
        3552 of title 44, United States Code, as added by section 201 
        of this Act.
            (17) Owner.--The term ``owner''--
                    (A) means an entity that owns a covered system or 
                asset; and
                    (B) does not include a company contracted by the 
                owner to manage, run, or operate a covered system or 
                asset, or to provide a specific information technology 
                product or service that is used or incorporated into a 
                covered system or asset.
            (18) Operator.--The term ``operator''--
                    (A) means an entity that manages, runs, or 
                operates, in whole or in part, the day-to-day 
                operations of a covered system or asset; and
                    (B) may include the owner of a covered system or 
                asset.
            (19) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.

              TITLE I--PROTECTING CRITICAL INFRASTRUCTURE

SEC. 101. DEFINITIONS AND RESPONSIBILITIES.

    (a) Definitions.--In this title:
            (1) Cyber risk.--The term ``cyber risk'' means any risk to 
        information infrastructure, including physical or personnel 
        risks and security vulnerabilities, that, if exploited or not 
        mitigated, could pose a significant risk of disruption to the 
        operation of information infrastructure essential to the 
        reliable operation of covered critical infrastructure.
            (2) Sector-specific agency.--The term ``sector-specific 
        agency'' means the relevant Federal agency responsible for 
        infrastructure protection activities in a designated critical 
        infrastructure sector or key resources category under the 
        National Infrastructure Protection Plan, or any other 
        appropriate Federal agency identified by the President after 
        the date of enactment of this Act.
    (b) Responsibility of Owner.--It shall be the responsibility of an 
owner to comply with the requirements of this Act.

SEC. 102. SECTOR-BY-SECTOR CYBER RISK ASSESSMENTS.

    (a) In General.--The Secretary, in consultation with entities that 
own or operate critical infrastructure, the Critical Infrastructure 
Partnership Advisory Council, and appropriate Information Sharing and 
Analysis Organizations, and in coordination with the intelligence 
community, the Department of Defense, the Department of Commerce, 
sector-specific agencies and other Federal agencies with 
responsibilities for regulating the security of entities that own or 
operate critical infrastructure shall--
            (1) not later than 90 days after the date of enactment of 
        this Act, conduct a top-level assessment of the cybersecurity 
        threats, vulnerabilities, risks, and probability of a 
        catastrophic incident across all critical infrastructure 
        sectors to determine which sectors pose the greatest immediate 
        risk, in order to guide the allocation of resources for the 
        implementation of this Act; and
            (2) beginning with the highest priority sectors identified 
        under paragraph (1), conduct, on an ongoing, sector-by-sector 
        basis, cyber risk assessments of the critical infrastructure in 
        a manner that--
                    (A) uses state-of-the art threat modeling, 
                simulation, and analysis techniques;
                    (B) incorporates, as appropriate, any existing 
                similar risk assessments; and
                    (C) considers--
                            (i) the actual or assessed threat, 
                        including consideration of adversary 
                        capabilities and intent, intrusion techniques, 
                        preparedness, target attractiveness, and 
                        deterrence capabilities;
                            (ii) the extent and likelihood of death, 
                        injury, or serious adverse effects to human 
                        health and safety caused by damage or 
                        unauthorized access to critical infrastructure;
                            (iii) the threat to or impact on national 
                        security caused by damage or unauthorized 
                        access to critical infrastructure;
                            (iv) the extent to which damage or 
                        unauthorized access to critical infrastructure 
                        will disrupt the reliable operation of other 
                        critical infrastructure;
                            (v) the harm to the economy that would 
                        result from damage or unauthorized access to 
                        critical infrastructure;
                            (vi) the risk of national or regional 
                        catastrophic damage within the United States 
                        caused by damage or unauthorized access to 
                        information infrastructure located outside the 
                        United States;
                            (vii) the overall preparedness and 
                        resilience of each sector against damage or 
                        unauthorized access to critical infrastructure, 
                        including the effectiveness of market forces at 
                        driving security innovation and secure 
                        practices; and
                            (viii) any other risk-based security 
                        factors appropriate and necessary to protect 
                        public health and safety, critical 
                        infrastructure, or national and economic 
                        security.
    (b) Input of Owners and Operators.--
            (1) In general.--The Secretary shall--
                    (A) establish a process under which entities that 
                own or operate critical infrastructure and other 
                relevant private sector experts provide input into the 
                risk assessments conducted under this section; and
                    (B) seek and incorporate private sector expertise 
                available through established public-private 
                partnerships, including the Critical Infrastructure 
                Partnership Advisory Council and appropriate 
                Information Sharing and Analysis Organizations.
            (2) Protection of information.--Any information submitted 
        as part of the process established under paragraph (1) shall be 
        protected in accordance with section 107.
    (c) Methodologies for Assessing Information Security Risk.--The 
Secretary and the Director of the National Institute of Standards and 
Technology, in consultation with entities that own or operate critical 
infrastructure and relevant private sector and academic experts, 
shall--
            (1) develop repeatable, qualitative, and quantitative 
        methodologies for assessing information security risk; or
            (2) use methodologies described in paragraph (1) that are 
        in existence on the date of enactment of this Act and make the 
        methodologies publicly available.
    (d) Submission of Risk Assessments.--The Secretary shall submit 
each risk assessment conducted under this section, in a classified or 
unclassified form as necessary, to--
            (1) the President;
            (2) appropriate Federal agencies; and
            (3) appropriate congressional committees.

SEC. 103. PROCEDURE FOR DESIGNATION OF COVERED CRITICAL INFRASTRUCTURE.

    (a) Responsibility for Designation of Covered Critical 
Infrastructure.--
            (1) In general.--The Secretary, in consultation with 
        entities that own or operate critical infrastructure, the 
        Critical Infrastructure Partnership Advisory Council, 
        appropriate Information Sharing and Analysis Organizations, and 
        other appropriate representatives of State and local 
        governments, shall establish a procedure for the designation of 
        critical infrastructure, on a sector-by-sector basis, as 
        covered critical infrastructure for the purposes of this Act.
            (2) Duties.--In establishing the procedure under paragraph 
        (1), the Secretary shall--
                    (A) prioritize the efforts of the Department based 
                on the prioritization established under section 
                102(a)(1);
                    (B) incorporate, to the extent practicable, the 
                input of entities that own or operate critical 
                infrastructure, the Critical Infrastructure Partnership 
                Advisory Council, appropriate Information Sharing and 
                Analysis Organizations, and other appropriate 
                representatives of the private sector and State and 
                local governments;
                    (C) coordinate with the head of the sector-specific 
                agency with responsibility for critical infrastructure 
                and the head of any Federal agency with 
                responsibilities for regulating the security of 
                critical infrastructure;
                    (D) develop a mechanism for owners to submit 
                information to assist the Secretary in making 
                determinations under this section; and
                    (E) periodically, but not less often than annually, 
                review and update designations under this section.
    (b) Designation of Covered Critical Infrastructure.--
            (1) Guidelines for designation.--In designating covered 
        critical infrastructure for the purposes of this Act, the 
        Secretary shall--
                    (A) designate covered critical infrastructure on a 
                sector-by-sector basis and at the system or asset 
                level;
                    (B) inform owners of the criteria used to identify 
                covered critical infrastructure;
                    (C) only designate a system or asset as covered 
                critical infrastructure if damage or unauthorized 
                access to that system or asset could reasonably result 
                in--
                            (i) the interruption of life-sustaining 
                        services, including energy, water, 
                        transportation, emergency services, or food, 
                        sufficient to cause--
                                    (I) a mass casualty event that 
                                includes an extraordinary number of 
                                fatalities; or
                                    (II) mass evacuations with a 
                                prolonged absence;
                            (ii) catastrophic economic damage to the 
                        United States including--
                                    (I) failure or substantial 
                                disruption of a United States financial 
                                market;
                                    (II) incapacitation or sustained 
                                disruption of a transportation system; 
                                or
                                    (III) other systemic, long-term 
                                damage to the United States economy; or
                            (iii) severe degradation of national 
                        security or national security capabilities, 
                        including intelligence and defense functions; 
                        and
                    (D) consider the sector-by-sector risk assessments 
                developed in accordance with section 102.
            (2) Limitations.--The Secretary may not designate as 
        covered critical infrastructure under this section--
                    (A) a system or asset based solely on activities 
                protected by the first amendment to the Constitution of 
                the United States;
                    (B) an information technology product or service 
                based solely on a finding that the product or service 
                is capable of, or is actually, being used in covered 
                critical infrastructure;
                    (C) a commercial information technology product, 
                including hardware and software; or
                    (D) any service provided in support of a product 
                specified in subparagraph (C), including installation 
                services, maintenance services, repair services, 
                training services, and any other services provided in 
                support of the product.
            (3) Notification of identification of system or asset.--Not 
        later than 30 days after the Secretary designates a system or 
        asset as covered critical infrastructure under this section, 
        the Secretary shall notify the owner of the system or asset 
        that was designated and the basis for the designation.
            (4) Self-designation of system or asset as covered critical 
        infrastructure.--The owner of a system or asset may request 
        that the system or asset be designated as covered critical 
        infrastructure under this section if the owner determines that 
        the system or asset meets the criteria for designation.
            (5) System or asset no longer covered critical 
        infrastructure.--
                    (A) In general.--If the Secretary determines that 
                any system or asset that was designated as covered 
                critical infrastructure under this section no longer 
                constitutes covered critical infrastructure, the 
                Secretary shall promptly notify the owner of that 
                system or asset of that determination.
                    (B) Self-designation.--If an owner determines that 
                an asset or system previously self-designated as 
                covered critical infrastructure under paragraph (4) no 
                longer meets the criteria for designation, the owner 
                shall notify the Secretary of this determination and 
                submit to the redress process under subsection (c).
            (6) Definition.--In this subsection, the term ``damage'' 
        has the meaning given that term in section 1030(e) of title 18, 
        United States Code.
    (c) Redress.--
            (1) In general.--Subject to paragraphs (2) and (3), the 
        Secretary shall develop a mechanism, consistent with subchapter 
        II of chapter 5 of title 5, United States Code, for an owner 
        notified under subsection (b)(3) or for an owner that self-
        designates under subsection (b)(4) to request that the 
        Secretary review--
                    (A) the designation of a system or asset as covered 
                critical infrastructure;
                    (B) the rejection of the self-designation of an 
                owner of a system or asset as covered critical 
                infrastructure; or
                    (C) a determination under subsection (b)(5)(B).
            (2) Appeal to federal court.--A civil action seeking 
        judicial review of a final agency action taken under the 
        mechanism developed under paragraph (1) shall be filed in the 
        United States District Court for the District of Columbia.
            (3) Compliance.--An owner shall comply with this title 
        relating to covered critical infrastructure until such time as 
        the critical infrastructure is no longer designated as covered 
        critical infrastructure, based on--
                    (A) an appeal under paragraph (1);
                    (B) a determination of the Secretary unrelated to 
                an appeal; or
                    (C) a final judgment entered in a civil action 
                seeking judicial review brought in accordance with 
                paragraph (2).

SEC. 104. SECTOR-BY-SECTOR RISK-BASED CYBERSECURITY PERFORMANCE 
              REQUIREMENTS.

    (a) Purpose.--The purpose of this section is to secure the critical 
infrastructure of the Nation while promoting and protecting private 
sector innovation in design and development of technology for the 
global market for commercial information technology products, including 
hardware and software and related products and services.
    (b) Performance Requirements.--The Secretary, in consultation with 
owners and operators, the Critical Infrastructure Partnership Advisory 
Council, and appropriate Information Sharing and Analysis 
Organizations, and in coordination with the National Institute of 
Standards and Technology, the Director of the National Security Agency, 
sector-specific agencies, appropriate representatives from State and 
local governments, and other Federal agencies with responsibilities for 
regulating the security of covered critical infrastructure, shall 
identify or develop, on a sector-by-sector basis, risk-based 
cybersecurity performance requirements (referred to in this section as 
``performance requirements'') that--
            (1) require owners to remediate or mitigate identified 
        cyber risks and any associated consequences identified under 
        section 102(a) or otherwise; and
            (2) do not permit any Federal employee or agency to--
                    (A) regulate commercial information technology 
                products, including hardware and software and related 
                services, including installation services, maintenance 
                services, repair services, training services, and any 
                other services provided in support of the product;
                    (B) require commercial information technology 
                products, including hardware and software and related 
                services, for use or non-use in covered critical 
                infrastructure; or
                    (C) regulate the design, development, 
                manufacturing, or attributes of commercial information 
                technology products, including hardware and software 
                and related services, for use or non-use in covered 
                critical infrastructure.
    (c) Limitation.--If the Secretary determines that there are 
regulations in effect on the date of enactment of this Act that apply 
to covered critical infrastructure and that address some or all of the 
risks identified under section 102, the Secretary shall identify or 
develop performance requirements under this section only if the 
regulations do not require an appropriate level of security.
    (d) Identification and Development of Performance Requirements.--In 
establishing the performance requirements under this section, the 
Secretary shall--
            (1) establish a process for entities that own or operate 
        critical infrastructure, voluntary consensus standards 
        development organizations, representatives of State and local 
        government, and the private sector, including sector 
        coordinating councils and appropriate Information Sharing and 
        Analysis Organizations to propose performance requirements;
            (2) identify existing industry practices, standards, and 
        guidelines; and
            (3) select and adopt performance requirements submitted 
        under paragraph (1) or identified under paragraph (2) that 
        satisfy other provisions of this section.
    (e) Requirement.--If the Secretary determines that none of the 
performance requirements submitted or identified under paragraphs (1) 
and (2) of subsection (d) satisfy the other provisions of this section, 
the Secretary shall, in consultation with owners and operators, the 
Critical Infrastructure Partnership Advisory Council, and appropriate 
Information Sharing and Analysis Organizations, and in coordination 
with the National Institute of Standards and Technology, the Director 
of the National Security Agency, sector-specific agencies, and other 
Federal agencies with responsibilities for regulating the security of 
covered critical infrastructure, develop satisfactory performance 
requirements.
    (f) Exemption Authority.--
            (1) In general.--The President, in consultation with the 
        Director of the Office of Management and Budget, may exempt an 
        appropriate part of covered critical infrastructure from the 
        requirements of this title if the President determines that a 
        sector-specific regulatory agency has sufficient specific 
        requirements and enforcement mechanisms to effectively mitigate 
        the risks identified under section 102.
            (2) Reconsideration.--The President may reconsider any 
        exemption under paragraph (1) as appropriate.
    (g) Consideration.--The Secretary, in establishing performance 
requirements under this section, shall take into consideration 
available resources and anticipated consequences of a cyber attack.

SEC. 105. SECURITY OF COVERED CRITICAL INFRASTRUCTURE.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Secretary, in consultation with owners and operators, 
and the Critical Infrastructure Partnership Advisory Council, and in 
coordination with sector-specific agencies and other Federal agencies 
with responsibilities for regulating the security of covered critical 
infrastructure, shall promulgate regulations to enhance the security of 
covered critical infrastructure against cyber risks.
    (b) Responsibilities.--The regulations promulgated under this 
section shall establish procedures under which--
            (1) each owner--
                    (A) is regularly informed of cyber risk 
                assessments, identified cybersecurity threats, and the 
                risk-based security performance requirements 
                appropriate to the sector of the owner established 
                under section 104;
                    (B) selects and implements the cybersecurity 
                measures the owner determines to be best suited to 
                satisfy the risk-based cybersecurity performance 
                requirements established under section 104;
                    (C) develop or update continuity of operations and 
                incident response plans; and
                    (D) shall report, consistent with the protections 
                in section 107, significant cyber incidents affecting 
                covered critical infrastructure;
            (2) the Secretary and each Federal agency with 
        responsibilities for regulating the security of covered 
        critical infrastructure are notified of the security measure or 
        measures selected by an owner in accordance with paragraph 
        (1)(B); and
            (3) the Secretary--
                    (A) identifies, in consultation with owners and 
                operators, cyber risks that are not capable of 
                effective remediation or mitigation using available 
                standards, industry practices or other available 
                security measures;
                    (B) provides owners the opportunity to develop 
                practices or security measures to remediate or mitigate 
                the cyber risks identified in section 102 without the 
                prior approval of the Secretary and without affecting 
                the compliance of the covered critical infrastructure 
                with the requirements under this section;
                    (C) in accordance with applicable law relating to 
                the protection of trade secrets, permits owners and 
                operators to report to the Secretary the development of 
                effective practices or security measures to remediate 
                or mitigate the cyber risks identified under section 
                102; and
                    (D) shall develop, in conjunction with the 
                Secretary of Defense and the Director of National 
                Intelligence and in coordination with owners and 
                operators, a procedure for ensuring that owners and 
                operators are, to the maximum extent practicable and 
                consistent with the protection of sources and methods, 
                informed of relevant real-time threat information.
    (c) Enforcement.--
            (1) Requirements.--The regulations promulgated under this 
        section shall establish procedures that--
                    (A) require each owner--
                            (i) to certify, on an annual basis, in 
                        writing to the Secretary and the head of the 
                        Federal agency with responsibilities for 
                        regulating the security of the covered critical 
                        infrastructure whether the owner has developed 
                        and effectively implemented security measures 
                        sufficient to satisfy the risk-based security 
                        performance requirements established under 
                        section 104; or
                            (ii) to submit a third-party assessment in 
                        accordance with subsection (d), on an annual 
                        basis;
                    (B) provide for civil penalties for any person 
                who--
                            (i) violates this section; and
                            (ii) fails to remediate such violation in 
                        an appropriate timeframe; and
                    (C) do not confer upon any person, except the 
                Federal agency with responsibilities for regulating the 
                security of the covered critical infrastructure and the 
                Secretary, a right of action against an owner or 
                operator to enforce any provision of this section.
            (2) Proposed security measures.--An owner may select any 
        security measures that satisfy the risk-based security 
        performance requirements established under section 104.
            (3) Recommended security measures.--Upon request from an 
        owner or operator, the Secretary may recommend a specific 
        security measure that the Secretary believes will satisfy the 
        risk-based security performance requirements established under 
        section 104.
            (4) Security and performance-based exemptions.--
                    (A) In general.--The Secretary shall develop a 
                process for an owner to demonstrate that--
                            (i) a covered system or asset is 
                        sufficiently secured against the risks 
                        identified in section 102; or
                            (ii) compliance with risk-based performance 
                        requirements developed under section 104 would 
                        not substantially improve the security of the 
                        covered system or asset.
                    (B) Exemption authority.--Upon a determination by 
                the Secretary that a covered system or asset is 
                sufficiently secured against the risks identified in 
                section 102, or that compliance with risk-based 
                performance requirements developed under section 104 
                would not substantially improve the security of the 
                system or asset, the Secretary may not require the 
                owner to select or implement cybersecurity measures or 
                submit an annual certification or third-party 
                assessment as required under this Act.
                    (C) Requirement.--The Secretary shall require an 
                owner that was exempted under subparagraph (B) to 
                demonstrate that the covered system or asset of the 
                owner is sufficiently secured against the risks 
                identified in section 102, or that compliance with 
                risk-based performance requirements developed under 
                section 104 would not substantially improve the security 
                of the system or asset--
                            (i) not less than once every 3 years; or
                            (ii) if the Secretary has reason to believe 
                        that the covered system or asset no longer 
                        meets the exemption qualifications under 
                        subparagraph (B).
            (5) Enforcement actions.--An action to enforce any 
        regulation promulgated pursuant to this section shall be 
        initiated by--
                    (A) the Federal agency with responsibilities for 
                regulating the security of the covered critical 
                infrastructure, in consultation with the Secretary; or
                    (B) the Secretary, when--
                            (i) the covered critical infrastructure is 
                        not subject to regulation by another Federal 
                        agency;
                            (ii) the head of the Federal agency with 
                        responsibilities for regulating the security of 
                        the covered critical infrastructure requests 
                        the Secretary take such action; or
                            (iii) the Federal agency with 
                        responsibilities for regulating the security of 
                        the covered critical infrastructure fails to 
                        initiate such action after a request by the 
                        Secretary.
    (d) Assessments.--
            (1) Third-party assessments.--The regulations promulgated 
        under this section shall establish procedures for third-party 
        private entities to conduct assessments that use reliable, 
        repeatable, performance-based evaluations and metrics to--
                    (A) assess the implementation of the selected 
                security measures;
                    (B) assess the effectiveness of the security 
                measure or measures implemented by the owner in 
                satisfying the risk-based security performance 
                requirements established under section 104;
                    (C) require that third-party assessors--
                            (i) be certified by the Secretary, in 
                        consultation with the head of any Federal 
                        agency with responsibilities for regulating the 
                        security of covered critical infrastructure, 
                        after completing a proficiency program 
                        established by the Secretary in consultation 
                        with owners and operators, the Critical 
                        Infrastructure Partnership Advisory Council, 
                        appropriate Information Sharing and Analysis 
                        Organizations, and in coordination with the 
                        Director of the National Institute of Standards 
                        and Technology, and relevant Federal agencies;
                            (ii) undergo regular retraining and 
                        certification;
                            (iii) provide the findings of the 
                        third-party assessors to the owners and 
                        operators; and
                            (iv) submit each independent assessment to 
                        the owner, the Secretary, and to the Federal 
                        agency with responsibilities for regulating the 
                        security of the covered critical 
                        infrastructure.
            (2) Other assessments.--The regulations promulgated under 
        this section shall establish procedures under which the 
        Secretary--
                    (A) may perform cybersecurity assessments of 
                selected covered critical infrastructure, in 
                consultation with relevant agencies, based on--
                            (i) the specific cyber risks affecting or 
                        potentially affecting the information 
                        infrastructure of the specific system or asset 
                        constituting covered critical infrastructure;
                            (ii) any reliable intelligence or other 
                        information indicating a cyber risk to the 
                        information infrastructure of the specific 
                        system or asset constituting covered critical 
                        infrastructure;
                            (iii) actual knowledge or reasonable 
                        suspicion that an owner is not in compliance 
                        with risk-based security performance 
                        requirements established under section 104; or
                            (iv) such other risk-based factors as 
                        identified by the Secretary; and
                    (B) may use the resources of any relevant Federal 
                agency with the concurrence of the head of such agency;
                    (C) to the extent practicable, uses government and 
                private sector information security assessment programs 
                that were in existence on the date of enactment of this 
                Act to conduct assessments; and
                    (D) provides copies of any Federal Government 
                assessments to the owner of the covered system or 
                asset.
            (3) Access to information.--
                    (A) In general.--For the purposes of an assessment 
                conducted under paragraph (1) or (2), an owner or 
                operator shall provide an assessor any reasonable 
                access necessary to complete the assessment.
                    (B) Protection of information.--Information 
                provided to the Secretary, the Secretary's designee, or 
                any assessor during the course of an assessment under 
                this section shall be protected from disclosure in 
                accordance with section 107.
    (e) Limitations on Civil Liability.--
            (1) In general.--Except as provided in paragraph (2), in 
        any civil action for damages directly caused by an incident 
        related to a cyber risk identified under section 102, an owner 
        or operator shall not be liable for any punitive damages 
        intended to punish or deter if the owner or operator--
                    (A) has implemented security measures, or a 
                combination thereof, that satisfy the security 
                performance requirements established under section 104;
                    (B) has undergone successful assessments, submitted 
                an annual certification or third-party assessment 
                required by subsection (c)(1), or been granted an 
                exemption in accordance with subsection (c)(4); and
                    (C) is in substantial compliance with the 
                appropriate risk-based cybersecurity performance 
                requirements at the time of the incident related to 
                that cyber risk.
            (2) Limitation.--Paragraph (1) shall only apply to harm 
        directly caused by the incident related to the cyber risk and 
        shall not apply to damages caused by any additional or 
        intervening acts or omissions by the owner or operator.

SEC. 106. SECTOR-SPECIFIC AGENCIES.

    (a) In General.--The head of each sector-specific agency and the 
head of any Federal agency that is not a sector-specific agency with 
responsibilities for regulating the security of covered critical 
infrastructure shall coordinate with the Secretary on any activities of 
the sector-specific agency or Federal agency that relate to the efforts 
of the agency regarding the cybersecurity and resiliency to cyber 
attack of critical infrastructure and covered critical infrastructure, 
within or under the supervision of the agency.
    (b) Duplicative Reporting Requirements.--
            (1) In general.--The Secretary shall coordinate with the 
        head of each sector-specific agency and the head of any Federal 
        agency that is not a sector-specific agency with 
        responsibilities for regulating the security of covered 
        critical infrastructure to determine whether reporting 
        requirements in effect on the date of enactment of this Act 
        substantially fulfill any reporting requirements described in 
        this title.
            (2) Prior required reports.--If the Secretary determines 
        that a report that was required under a regulatory regime in 
        existence on the date of enactment of this Act substantially 
        satisfies a reporting requirement under this title, the 
        Secretary shall use such report and may not require an owner or 
        operator to submit an additional report.
            (3) Coordination.--The Secretary shall coordinate with the 
        head of each sector-specific agency and the head of any Federal 
        agency that is not a sector-specific agency with 
        responsibilities for regulating the security of covered 
        critical infrastructure to eliminate any duplicate reporting or 
        compliance requirements relating to the security or resiliency 
        of critical infrastructure and covered critical infrastructure, 
        within or under the supervision of the agency.
    (c) Requirements.--
            (1) In general.--To the extent that the head of each 
        sector-specific agency and the head of any Federal agency that 
        is not a sector-specific agency with responsibilities for 
        regulating the security of covered critical infrastructure has 
        the authority to establish regulations, rules, or requirements 
        or other required actions that are applicable to the security 
        of critical infrastructure and covered critical infrastructure, 
        the head of the agency shall--
                    (A) notify the Secretary in a timely fashion of the 
                intent to establish the regulations, rules, 
                requirements, or other required actions;
                    (B) coordinate with the Secretary to ensure that 
                the regulations, rules, requirements, or other required 
                actions are consistent with, and do not conflict or 
                impede, the activities of the Secretary under this 
                title; and
                    (C) in coordination with the Secretary, ensure that 
                the regulations, rules, requirements, or other required 
                actions are implemented, as they relate to covered 
                critical infrastructure, in accordance with subsection 
                (a).
            (2) Rule of construction.--Nothing in this section shall be 
        construed to provide additional authority for any sector-
        specific agency or any Federal agency that is not a sector-
        specific agency with responsibilities for regulating the 
        security of critical infrastructure or covered critical 
        infrastructure to establish standards or other measures that 
        are applicable to the security of critical infrastructure not 
        otherwise authorized by law.

SEC. 107. PROTECTION OF INFORMATION.

    (a) Definition.--In this section, the term ``covered 
information''--
            (1) means--
                    (A) any information that constitutes a privileged 
                or confidential trade secret or commercial or financial 
                transaction that is appropriately marked at the time it 
                is provided by entities that own or operate critical 
                infrastructure in sector-by-sector risk assessments 
                conducted under section 102;
                    (B) any information required to be submitted by 
                owners and operators under section 105; and
                    (C) any information submitted by State and local 
                governments, private entities, and international 
                partners of the United States regarding threats, 
                vulnerabilities, risks, and incidents affecting--
                            (i) the Federal information infrastructure;
                            (ii) information infrastructure that is 
                        owned, operated, controlled, or licensed for 
                        use by, or on behalf of, the Department of 
                        Defense, a military department, or another 
                        element of the intelligence community; or
                            (iii) critical infrastructure; and
            (2) does not include any information described under 
        paragraph (1), if that information is submitted to--
                    (A) conceal violations of law, inefficiency, or 
                administrative error;
                    (B) prevent embarrassment to a person, 
                organization, or agency; or
                    (C) interfere with competition in the private 
                sector.
    (b) Voluntarily Shared Critical Infrastructure Information.--
Covered information submitted in accordance with this section shall be 
treated as voluntarily shared critical infrastructure information under 
section 214 of the Homeland Security Act (6 U.S.C. 133), except that 
the requirement of such section 214 that the information be voluntarily 
submitted, including the requirement for an express statement, shall 
not be required for protection of information under this section to 
apply.
    (c) Guidelines.--
            (1) In general.--Subject to paragraph (2), the Secretary 
        shall develop and issue guidelines, in consultation with the 
        Attorney General, the Critical Infrastructure Partnership 
        Advisory Council, and appropriate Information Sharing and 
        Analysis Organizations, as necessary to implement this section.
            (2) Requirements.--The guidelines developed under this 
        section shall--
                    (A) include provisions for the sharing of 
                information among governmental and nongovernmental 
                officials and entities in furtherance of carrying out 
                the authorities and responsibilities of the Secretary;
                    (B) be consistent, to the maximum extent possible, 
                with policy guidance and implementation standards 
                developed by the National Archives and Records 
                Administration for controlled unclassified information, 
                including with respect to marking, safeguarding, 
                dissemination, and dispute resolution; and
                    (C) describe, with as much detail as possible, the 
                categories and type of information entities should 
                voluntarily submit.
    (d) Process for Reporting Security Threats, Vulnerabilities, Risks, 
and Incidents.--
            (1) Establishment of process.--The Secretary shall 
        establish through regulation, and provide information to the 
        public regarding, a process by which any person may submit a 
        report to the Secretary regarding cybersecurity threats, 
        vulnerabilities, risks, and incidents affecting--
                    (A) the Federal information infrastructure;
                    (B) information infrastructure that is owned, 
                operated, controlled, or licensed for use by, or on 
                behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community; or
                    (C) critical infrastructure.
            (2) Acknowledgment of receipt.--If a report submitted under 
        paragraph (1) includes the identity of the person making the 
        report, the Secretary shall respond promptly to the person and 
        acknowledge receipt of the report.
            (3) Steps to address problem.--Consistent with existing 
        authority, the Secretary shall review and consider the 
        information provided in any report submitted under paragraph 
        (1) and, at the sole, unreviewable discretion of the Secretary, 
        determine what, if any, steps are necessary or appropriate to 
        address any threats, vulnerabilities, risks, and incidents 
        identified.
            (4) Disclosure of identity.--
                    (A) In general.--Except as provided in subparagraph 
                (B), or with the written consent of the person, the 
                Secretary may not disclose the identity of a person who 
                has provided information described in paragraph (1).
                    (B) Referral to the attorney general.--
                            (i) In general.--The Secretary shall 
                        disclose to the Attorney General the identity 
                        of a person who has provided information 
                        described in paragraph (1) if the matter is 
                        referred to the Attorney General for 
                        enforcement.
                            (ii) Notice.--The Secretary shall provide 
                        reasonable advance notice to the person 
                        described in clause (i) if disclosure of that 
                        person's identity is to occur, unless such 
                        notice would risk compromising a criminal or 
                        civil enforcement investigation or proceeding.
    (e) Rules of Construction.--Nothing in this section shall be 
construed to--
            (1) limit or otherwise affect the right, ability, duty, or 
        obligation of any entity to use or disclose any information of 
        that entity, including in the conduct of any judicial or other 
        proceeding;
            (2) prevent the classification of information submitted 
        under this section if that information meets the standards for 
        classification under Executive Order 12958, or any successor 
        thereto, or affect measures and controls relating to the 
        protection of classified information as prescribed by Federal 
        statute or under Executive Order 12958, or any successor 
        thereto;
            (3) limit the right of an individual to make any 
        disclosure--
                    (A) protected or authorized under section 
                2302(b)(8) or 7211 of title 5, United States Code;
                    (B) to an appropriate official of information that 
                the individual reasonably believes evidences a 
                violation of any law, rule, or regulation, gross 
                mismanagement, or substantial and specific danger to 
                public health, safety, or security, and that is 
                protected under any Federal or State law (other than 
                those referenced in subparagraph (A)) that shields the 
                disclosing individual against retaliation or 
                discrimination for having made the disclosure if such 
                disclosure is not specifically prohibited by law and if 
                such information is not specifically required by 
                Executive order to be kept secret in the interest of 
                national defense or the conduct of foreign affairs; or
                    (C) to the Special Counsel, the Inspector General 
                of an agency, or any other employee designated by the 
                head of an agency to receive similar disclosures;
            (4) prevent the Secretary from using information required 
        to be submitted under this Act for enforcement of this title, 
        including enforcement proceedings subject to appropriate 
        safeguards;
            (5) authorize information to be withheld from Congress, the 
        Comptroller General, or the Inspector General of the 
        Department;
            (6) affect protections afforded to trade secrets under any 
        other provision of law; or
            (7) create a private right of action for enforcement of any 
        provision of this section.
    (f) Audit.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Inspector General of the Department 
        shall conduct an audit of the management of information 
        submitted under this section and report the findings to 
        appropriate committees of Congress.
            (2) Contents.--The audit under paragraph (1) shall include 
        assessments of--
                    (A) whether the information is adequately 
                safeguarded against inappropriate disclosure;
                    (B) the processes for marking and disseminating the 
                information and resolving any disputes;
                    (C) how the information is used for the purposes of 
                this section, and whether that use is effective;
                    (D) whether information sharing has been effective 
                to fulfill the purposes of this section;
                    (E) whether the kinds of information submitted have 
                been appropriate and useful, or overbroad or 
                overnarrow;
                    (F) whether the information protections allow for 
                adequate accountability and transparency of the 
                regulatory, enforcement, and other aspects of 
                implementing this title; and
                    (G) any other factors at the discretion of the 
                Inspector General.

SEC. 108. VOLUNTARY TECHNICAL ASSISTANCE.

    Subject to the availability of resources, in accordance with 
applicable law relating to the protection of trade secrets, and at the 
discretion of the Secretary, the Secretary shall provide voluntary 
technical assistance at the request of an owner or operator of covered 
critical infrastructure, to assist the owner or operator in meeting the 
requirements of section 105, including implementing required security 
or emergency measures, restoring the critical infrastructure in the 
event of destruction or serious disruption, and developing emergency 
response plans.

SEC. 109. EMERGENCY PLANNING.

    (a) Emergency Planning.--In partnership with owners and operators, 
the Secretary, in coordination with the heads of sector-specific 
agencies and the heads of other Federal agencies with responsibilities 
for regulating the security of covered critical infrastructure, shall 
exercise response and restoration plans, including plans required under 
section 105(b) to--
            (1) assess performance and improve the capabilities and 
        procedures of government and private sector entities to respond 
        to a major cyber incident; and
            (2) clarify specific roles, responsibilities, and 
        authorities of government and private sector entities when 
        responding to a major cyber incident.

SEC. 110. INTERNATIONAL COOPERATION.

    (a) In General.--The Secretary, in coordination with the Secretary 
of State or the head of the sector-specific agencies and the head of 
any Federal agency with responsibilities for regulating the security of 
covered critical infrastructure, shall--
            (1) consistent with the protection of intelligence sources 
        and methods and other sensitive matters, inform the owner or 
        operator of information infrastructure located outside the 
        United States, the disruption of which could result in national 
        or regional catastrophic damage within the United States, and 
        the government of the country in which the information 
        infrastructure is located, of any cyber risks to such 
        information infrastructure; and
            (2) coordinate with the government of the country in which 
        such information infrastructure is located and, as appropriate, 
        the owner or operator of the information infrastructure 
        regarding the implementation of security measures or other 
        measures to the information infrastructure to mitigate or 
        remediate cyber risks.
    (b) International Agreements.--The Secretary, in coordination with 
the Secretary of State, including in particular with respect to the 
interpretation of international agreements, shall perform the functions 
prescribed by this section consistent with applicable international 
agreements.

SEC. 111. EFFECT ON OTHER LAWS.

    (a) Preemption of State Cybersecurity Laws.--This Act shall 
supersede any statute, provision of a statute, regulation, or rule of a 
State or political subdivision of a State that expressly requires 
comparable cybersecurity practices to protect covered critical 
infrastructure.
    (b) Preservation of Other State Law.--Except as expressly provided 
in subsection (a) and section 105(e), nothing in this Act shall be 
construed to preempt the applicability of any other State law or 
requirement.

                TITLE II--PROTECTING GOVERNMENT NETWORKS

SEC. 201. FISMA REFORM.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by striking subchapters II and III and inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3551. Purposes
    ``The purposes of this subchapter are to--
            ``(1) provide a comprehensive framework for ensuring the 
        effectiveness of information security controls over information 
        resources that support Federal operations and assets;
            ``(2) recognize the highly networked nature of the Federal 
        computing environment and provide effective governmentwide 
        management of policies, directives, standards, and guidelines, 
        as well as effective and nimble oversight of and response to 
        information security risks, including coordination of 
        information security efforts throughout the Federal civilian, 
        national security, and law enforcement communities;
            ``(3) provide for development and maintenance of controls 
        required to protect agency information and information systems 
        and contribute to the overall improvement of agency information 
        security posture; and
            ``(4) provide a mechanism to improve and continuously 
        monitor the security of agency information security programs 
        and systems through a focus on continuous monitoring of agency 
        information systems and streamlined reporting requirements 
        rather than overly prescriptive manual reporting.
``Sec. 3552. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under section 3502 (including the definitions of the terms 
`agency' and `information system') shall apply to this subchapter.
    ``(b) Other Terms.--In this subchapter:
            ``(1) Adequate security.--The term `adequate security' 
        means security commensurate with the risk and impact resulting 
        from the unauthorized access to or loss, misuse, destruction, 
        or modification of information.
            ``(2) Continuous monitoring.--The term `continuous 
        monitoring' means the ongoing real-time or near-real-time 
        process used to determine if the complete set of planned, 
        required, and deployed security controls within an information 
        system continue to be effective over time in light of rapidly 
        changing information technology and threat development. To the 
        maximum extent possible, this also requires automation of that 
        process to enable cost effective, efficient, and consistent 
        monitoring and provide a more dynamic view of the security 
        state of those deployed controls.
            ``(3) Incident.--The term `incident' means an occurrence 
        that--
                    ``(A) actually or imminently jeopardizes, without 
                lawful authority, the integrity, confidentiality, or 
                availability of information or an information system; 
                or
                    ``(B) constitutes a violation or imminent threat of 
                violation of law, security policies, security 
                procedures, or acceptable use policies.
            ``(4) Information security.--The term `information 
        security' means protecting information and information systems 
        from unauthorized access, use, disclosure, disruption, 
        modification, or destruction in order to provide--
                    ``(A) integrity, which means guarding against 
                improper information modification or destruction, and 
                includes ensuring nonrepudiation and authenticity;
                    ``(B) confidentiality, which means preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and
                    ``(C) availability, which means ensuring timely and 
                reliable access to and use of information.
            ``(5) Information technology.--The term `information 
        technology' has the meaning given that term in section 11101 of 
        title 40.
            ``(6) National security system.--
                    ``(A) In general.--The term `national security 
                system' means any information system (including any 
                telecommunications system) used or operated by an 
                agency or by a contractor of an agency, or other 
                organization on behalf of an agency--
                            ``(i) the function, operation, or use of 
                        which--
                                    ``(I) involves intelligence 
                                activities;
                                    ``(II) involves cryptologic 
                                activities related to national 
                                security;
                                    ``(III) involves command and 
                                control of military forces;
                                    ``(IV) involves equipment that is 
                                an integral part of a weapon or weapons 
                                system; or
                                    ``(V) subject to subparagraph (B), 
                                is critical to the direct fulfillment 
                                of military or intelligence missions; 
                                or
                            ``(ii) that is protected at all times by 
                        procedures established for information that 
                        have been specifically authorized under 
                        criteria established by an Executive order or 
                        an Act of Congress to be kept classified in the 
                        interest of national defense or foreign policy.
                    ``(B) Exclusion.--Subparagraph (A)(i)(V) does not 
                include a system that is to be used for routine 
                administrative and business applications (including 
                payroll, finance, logistics, and personnel management 
                applications).
            ``(7) Secretary.--The term `Secretary' means the Secretary 
        of Homeland Security.
            ``(8) Threat assessment.--The term `threat assessment' 
        means the real-time or near-real-time process of formally 
        evaluating the degree of threat to an information system or 
        enterprise and describing the nature of the threat. Threat 
        assessments consist of identifying threat sources, possible 
        threat events, and vulnerabilities within a system or network 
        environment, and determining the likelihood that an identified 
        threat will occur and the possible adverse impacts of such an 
        occurrence. This requires automation of that process and rapid 
        sharing of emerging threat information among government 
        agencies.
``Sec. 3553. Federal information security authority and coordination
    ``(a) In General.--Except as provided in subsections (f) and (g), 
the Secretary shall oversee agency information security policies and 
practices, including the development and oversight of information 
security policies and directives and compliance with this subchapter.
    ``(b) Duties.--The Secretary shall--
            ``(1) develop, issue, and oversee the implementation of 
        information security policies and directives, which shall be 
        compulsory and binding on agencies to the extent determined 
        appropriate by the Secretary, including--
                    ``(A) policies and directives consistent with the 
                standards promulgated under section 11331 of title 40 
                to identify and provide information security 
                protections that are commensurate with the risk and 
                impact resulting from the unauthorized access, use, 
                disclosure, disruption, modification, or destruction 
                of--
                            ``(i) information collected, created, 
                        processed, stored, disseminated, or otherwise 
                        used or maintained by or on behalf of an 
                        agency; or
                            ``(ii) information systems used or operated 
                        by an agency or by a contractor of an agency or 
                        other organization on behalf of an agency;
                    ``(B) minimum operational requirements for network 
                operations centers and security operations centers of 
                agencies to facilitate the protection of and provide 
                common situational awareness for all agency information 
                and information systems;
                    ``(C) reporting requirements, consistent with 
                relevant law, regarding information security incidents;
                    ``(D) requirements for agencywide information 
                security programs, including continuous monitoring of 
                information security;
                    ``(E) performance requirements and metrics for the 
                security of agency information systems;
                    ``(F) training requirements to ensure that agencies 
                are able to fully and timely comply with directions 
                issued by the Secretary under this subchapter;
                    ``(G) training requirements regarding privacy, 
                civil rights, civil liberties, and information 
                oversight for agency information security employees;
                    ``(H) requirements for the annual reports to the 
                Secretary under section 3554(c); and
                    ``(I) any other information security requirements 
                as determined by the Secretary;
            ``(2) review agency information security programs required 
        to be developed under section 3554(b);
            ``(3) develop and conduct targeted risk assessments and 
        operational evaluations for agency information and information 
        systems in consultation with the heads of other agencies or 
        governmental and private entities that own and operate such 
        systems, that may include threat, vulnerability, and impact 
        assessments and penetration testing;
            ``(4) operate consolidated intrusion detection, prevention, 
        or other protective capabilities and use associated 
        countermeasures for the purpose of protecting agency 
        information and information systems from information security 
        threats;
            ``(5) in conjunction with other agencies and the private 
        sector, assess and foster the development of information 
        security technologies and capabilities for use across multiple 
        agencies;
            ``(6) designate an entity to receive reports and 
        information about information security incidents, threats, and 
        vulnerabilities affecting agency information systems;
            ``(7) provide incident detection, analysis, mitigation, and 
        response information and remote or on-site technical assistance 
        to the heads of agencies; and
            ``(8) coordinate with appropriate agencies and officials to 
        ensure, to the maximum extent feasible, that policies and 
        directives issued under paragraph (1) are complementary with--
                    ``(A) standards and guidelines developed for 
                national security systems; and
                    ``(B) policies and directives issued by the 
                Secretary of Defense, Director of the Central 
                Intelligence Agency, and Director of National 
                Intelligence under subsection (g)(1).
    ``(c) Issuing Policies and Directives.--When issuing policies and 
directives under subsection (b), the Secretary shall consider any 
applicable standards or guidelines developed by the National Institute 
of Standards and Technology and issued by the Secretary of Commerce 
under section 11331 of title 40. The Secretary shall consult with the 
Director of the National Institute of Standards and Technology when 
such policies and directives implement standards or guidelines 
developed by the National Institute of Standards and Technology. To 
the maximum extent feasible, such standards and guidelines shall be 
complementary with standards and guidelines developed for national 
security systems.
    ``(d) Communications and System Traffic.--
            ``(1) In general.--Notwithstanding any other provision of 
        law, in carrying out the responsibilities under paragraphs (3) 
        and (4) of subsection (b), if the Secretary makes a 
        certification described in paragraph (2), the Secretary may 
        acquire, intercept, retain, use, and disclose communications 
        and other system traffic that are transiting to or from or 
        stored on agency information systems and deploy countermeasures 
        with regard to the communications and system traffic.
            ``(2) Certification.--A certification described in this 
        paragraph is a certification by the Secretary that--
                    ``(A) the acquisitions, interceptions, and 
                countermeasures are reasonably necessary for the 
                purpose of protecting agency information systems from 
                information security threats;
                    ``(B) the content of communications will be 
                collected and retained only when the communication is 
                associated with a known or reasonably suspected 
                information security threat, and communications and 
                system traffic will not be subject to the operation of 
                a countermeasure unless associated with the threats;
                    ``(C) information obtained under activities 
                authorized under this subsection will only be retained, 
                used, or disclosed to protect agency information 
                systems from information security threats, mitigate 
                against such threats, or, with the approval of the 
                Attorney General, for law enforcement purposes when the 
                information is evidence of a crime which has been, is 
                being, or is about to be committed;
                    ``(D) notice has been provided to users of agency 
                information systems concerning the potential for 
                acquisition, interception, retention, use, and 
                disclosure of communications and other system traffic; 
                and
                    ``(E) the activities are implemented pursuant to 
                policies and procedures governing the acquisition, 
                interception, retention, use, and disclosure of 
                communications and other system traffic that have been 
                reviewed and approved by the Attorney General.
            ``(3) Private entities.--The Secretary may enter into 
        contracts or other agreements, or otherwise request and obtain 
        the assistance of, private entities that provide electronic 
        communication or information security services to acquire, 
        intercept, retain, use, and disclose communications and other 
        system traffic in accordance with this subsection.
    ``(e) Directions to Agencies.--
            ``(1) Authority.--
                    ``(A) In general.--Notwithstanding section 3554, 
                and subject to subparagraph (B), in response to a known 
                or reasonably suspected information security threat, 
                vulnerability, or incident that represents a 
                substantial threat to the information security of an 
                agency, the Secretary may direct other agency heads to 
                take any lawful action with respect to the operation of 
                the information systems, including those owned or 
                operated by another entity on behalf of an agency, that 
                collect, process, store, transmit, disseminate, or 
                otherwise maintain agency information, for the purpose 
                of protecting the information system from or mitigating 
                an information security threat.
                    ``(B) Exception.--The authorities of the Secretary 
                under this subsection shall not apply to a system 
                described in paragraph (2), (3), or (4) of subsection 
                (g).
            ``(2) Procedures for use of authority.--The Secretary 
        shall--
                    ``(A) in coordination with the Director of the 
                Office of Management and Budget and in consultation 
                with Federal contractors, as appropriate, establish 
                procedures governing the circumstances under which a 
                directive may be issued under this subsection, which 
                shall include--
                            ``(i) thresholds and other criteria;
                            ``(ii) privacy and civil liberties 
                        protections; and
                            ``(iii) providing notice to potentially 
                        affected third parties;
                    ``(B) specify the reasons for the required action 
                and the duration of the directive;
                    ``(C) minimize the impact of directives under this 
                subsection by--
                            ``(i) adopting the least intrusive means 
                        possible under the circumstances to secure the 
                        agency information systems; and
                            ``(ii) limiting directives to the shortest 
                        period practicable; and
                    ``(D) notify the Director of the Office of 
                Management and Budget and head of any affected agency 
                immediately upon the issuance of a directive under this 
                subsection.
            ``(3) Imminent threats.--
                    ``(A) In general.--If the Secretary determines that 
                there is an imminent threat to agency information 
                systems and a directive under this subsection is not 
                reasonably likely to result in a timely response to the 
                threat, the Secretary may authorize the use of 
                protective capabilities under the control of the 
                Secretary for communications or other system traffic 
                transiting to or from or stored on an agency 
                information system without prior consultation with the 
                affected agency for the purpose of ensuring the 
                security of the information or information system or 
                other agency information systems.
                    ``(B) Limitation on delegation.--The authority 
                under this paragraph may not be delegated to an 
                official in a position lower than Assistant Secretary.
                    ``(C) Notice.--The Secretary or designee of the 
                Secretary shall immediately notify the Director of the 
                Office of Management and Budget and the head and chief 
                information officer (or equivalent official) of each 
                affected agency of--
                            ``(i) any action taken under this 
                        subsection; and
                            ``(ii) the reasons for and duration and 
                        nature of the action.
                    ``(D) Other law.--The actions of the Secretary 
                under this paragraph shall be consistent with 
                applicable law.
            ``(4) Limitation.--The Secretary may direct or authorize 
        lawful action or protective capability under this subsection 
        only to--
                    ``(A) protect agency information from unauthorized 
                access, use, disclosure, disruption, modification, or 
                destruction; or
                    ``(B) require the remediation of or protect against 
                identified information security risks with respect to--
                            ``(i) information collected or maintained 
                        by or on behalf of an agency; or
                            ``(ii) that portion of an information 
                        system used or operated by an agency or by a 
                        contractor of an agency or other organization 
                        on behalf of an agency.
    ``(f) National Security Systems.--
            ``(1) In general.--This section shall not apply to a 
        national security system.
            ``(2) Information security.--Information security policies, 
        directives, standards, and guidelines for national security 
        systems shall be overseen as directed by the President and, in 
        accordance with that direction, carried out under the authority 
        of the heads of agencies that operate or exercise authority 
        over national security systems.
    ``(g) Delegation of Authorities.--
            ``(1) In general.--The authorities of the Secretary 
        described in paragraphs (1), (2), (3), and (4) of subsection 
        (b) shall be delegated to--
                    ``(A) the Secretary of Defense in the case of 
                systems described in paragraph (2);
                    ``(B) the Director of the Central Intelligence 
                Agency in the case of systems described in paragraph 
                (3); and
                    ``(C) the Director of National Intelligence in the 
                case of systems described in paragraph (4).
            ``(2) Department of defense.--The systems described in this 
        paragraph are systems that are operated by the Department of 
        Defense, a contractor of the Department of Defense, or another 
        entity on behalf of the Department of Defense that process any 
        information the unauthorized access, use, disclosure, 
        disruption, modification, or destruction of which would have a 
        debilitating impact on the mission of the Department of 
        Defense.
            ``(3) Central intelligence agency.--The systems described 
        in this paragraph are systems that are operated by the Central 
        Intelligence Agency, a contractor of the Central Intelligence 
        Agency, or another entity on behalf of the Central Intelligence 
        Agency that process any information the unauthorized access, 
        use, disclosure, disruption, modification, or destruction of 
        which would have a debilitating impact on the mission of the 
        Central Intelligence Agency.
            ``(4) Office of the director of national intelligence.--The 
        systems described in this paragraph are systems that are 
        operated by the Office of the Director of National 
        Intelligence, a contractor of the Office of the Director of 
        National Intelligence, or another entity on behalf of the 
        Office of the Director of National Intelligence that process 
        any information the unauthorized access, use, disclosure, 
        disruption, modification, or destruction of which would have a 
        debilitating impact on the mission of the Office of the 
        Director of National Intelligence.
            ``(5) Integration of information.--The Secretary of 
        Defense, the Director of the Central Intelligence Agency, and 
        the Director of National Intelligence shall carry out their 
        responsibilities under this subsection in coordination with the 
        Secretary and share relevant information in a timely manner 
        with the Secretary relating to the security of agency 
        information and information systems, including systems 
        described in paragraphs (2), (3), and (4), to enable the 
        Secretary to carry out the responsibilities set forth in this 
        section and to maintain comprehensive situational awareness 
        regarding information security incidents, threats, and 
        vulnerabilities affecting agency information systems, 
        consistent with standards and guidelines for national security 
        systems, issued in accordance with law and as directed by the 
        President.
``Sec. 3554. Agency responsibilities
    ``(a) In General.--The head of each agency shall--
            ``(1) be responsible for--
                    ``(A) providing information security protections 
                commensurate with the risk resulting from unauthorized 
                access, use, disclosure, disruption, modification, or 
                destruction of--
                            ``(i) information collected, created, 
                        processed, stored, disseminated, or otherwise 
                        used or maintained by or on behalf of the 
                        agency; or
                            ``(ii) information systems used or operated 
                        by the agency or by a contractor of the agency 
                        or other organization on behalf of the agency;
                    ``(B) complying with this subchapter, including--
                            ``(i) the policies and directives issued 
                        under section 3553, including any directions 
                        under section 3553(e); and
                            ``(ii) information security policies, 
                        directives, standards, and guidelines for 
                        national security systems issued in accordance 
                        with law and as directed by the President;
                    ``(C) complying with the requirements of the 
                information security standards prescribed under section 
                11331 of title 40, including any required security 
                configuration checklists; and
                    ``(D) ensuring that information security management 
                processes are integrated with agency strategic and 
                operational planning processes;
            ``(2) ensure that senior agency officials provide 
        information security for the information and information 
        systems that support the operations and assets under the 
        control of the officials, including through--
                    ``(A) assessing, with a frequency commensurate with 
                risk, the risk and impact that could result from the 
                unauthorized access, use, disclosure, disruption, 
                modification, or destruction of the information or 
                information systems;
                    ``(B) determining the levels of information 
                security appropriate to protect the information and 
                information systems in accordance with the policies and 
                directives issued under section 3553(b) and standards 
                prescribed under section 11331 of title 40;
                    ``(C) implementing policies, procedures, and 
                capabilities to reduce risks to an acceptable level in 
                a cost-effective manner;
                    ``(D) security testing and evaluation, including 
                continuously monitoring the effective implementation of 
                information security controls and techniques, threats, 
                vulnerabilities, assets, and other aspects of 
                information security as appropriate; and
                    ``(E) reporting information about information 
                security incidents, threats, and vulnerabilities in a 
                timely manner as required under policies and procedures 
                established under subsection (b)(7);
            ``(3) assess and maintain the resiliency of information 
        systems critical to the mission and operations of the agency;
            ``(4) delegate to the chief information officer or 
        equivalent official (or to a senior agency official who reports 
        to the chief information officer or equivalent official) the 
        authority to ensure and primary responsibility for ensuring 
        compliance with this subchapter, including--
                    ``(A) overseeing the establishment and maintenance 
                of an agencywide security operations capability that on 
                a continuous basis can--
                            ``(i) detect, report, respond to, contain, 
                        and mitigate information security incidents 
                        that impair adequate security of the agency 
                        information and information systems in a timely 
                        manner and in accordance with the policies and 
                        directives issued under section 3553(b); and
                            ``(ii) report any information security 
                        incident described under clause (i) to the 
                        entity designated under section 3553(b)(6);
                    ``(B) developing, maintaining, and overseeing an 
                agencywide information security program as required 
                under subsection (b);
                    ``(C) developing, maintaining, and overseeing 
                information security policies, procedures, and control 
                techniques to address all applicable requirements, 
                including those issued under section 3553 and section 
                11331 of title 40;
                    ``(D) training and overseeing employees and 
                contractors of the agency with significant 
                responsibilities for information security with respect 
                to such responsibilities; and
                    ``(E) assisting senior agency officials concerning 
                their responsibilities under paragraph (2);
            ``(5) ensure that the agency has trained and obtained 
        security clearances for an adequate number of employees to 
        assist the agency in complying with this subchapter, including 
        the policies and directives issued under section 3553(b);
            ``(6) ensure that the chief information officer (or other 
        senior agency official designated under paragraph (4)), in 
        coordination with other senior agency officials, reports to the 
        head of the agency on the effectiveness of the agency 
        information security program, including the progress of 
        remedial actions;
            ``(7) ensure that the chief information officer (or other 
        senior agency official designated under paragraph (4))--
                    ``(A) possesses the necessary qualifications to 
                administer the duties of the official under this 
                subchapter; and
                    ``(B) has information security duties as a primary 
                duty of the official; and
            ``(8) ensure that senior agency officials (including 
        component chief information officers or equivalent officials) 
        carry out responsibilities under this subchapter as directed by 
        the official delegated authority under paragraph (4).
    ``(b) Agency Program.--The head of each agency shall develop, 
document, and implement an agencywide information security program, 
which shall be reviewed under section 3553(b)(2), to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
provided or managed by another agency, contractor, or other source, 
which shall include--
            ``(1) the development, execution, and maintenance of a risk 
        management strategy for information security that--
                    ``(A) considers information security threats, 
                vulnerabilities, and consequences; and
                    ``(B) includes periodic assessments and reporting 
                of risk, with a frequency commensurate with risk and 
                impact;
            ``(2) policies and procedures that--
                    ``(A) are based on the risk management strategy and 
                assessment results required under paragraph (1);
                    ``(B) reduce information security risks to an 
                acceptable level in a cost-effective manner;
                    ``(C) ensure that cost-effective and adequate 
                information security is addressed throughout the life 
                cycle of each agency information system; and
                    ``(D) ensure compliance with--
                            ``(i) this subchapter;
                            ``(ii) the information security policies 
                        and directives issued under section 3553(b); 
                        and
                            ``(iii) any other applicable requirements;
            ``(3) subordinate plans for providing adequate information 
        security for networks, facilities, and systems or groups of 
        information systems;
            ``(4) security awareness training developed in accordance 
        with the requirements issued under section 3553(b) to inform 
        individuals with access to agency information systems, 
        including information security employees, contractors, and 
        other users of information systems that support the operations 
        and assets of the agency, of--
                    ``(A) information security risks associated with 
                their activities;
                    ``(B) their responsibilities in complying with 
                agency policies and procedures designed to reduce those 
                risks; and
                    ``(C) requirements for fulfilling privacy, civil 
                rights, civil liberties, and other information 
                oversight responsibilities;
            ``(5) security testing and evaluation commensurate with 
        risk and impact that includes--
                    ``(A) risk-based continuous monitoring of the 
                operational status and security of agency information 
                systems to enable evaluation of the effectiveness of 
                and compliance with information security policies, 
                procedures, and practices, including a relevant and 
                appropriate selection of management, operational, and 
                technical controls of information systems identified in 
                the inventory required under section 3505(c);
                    ``(B) penetration testing exercises and operational 
                evaluations in accordance with the requirements issued 
                under section 3553(b) to evaluate whether the agency 
                adequately protects against, detects, and responds to 
                incidents;
                    ``(C) vulnerability scanning, intrusion detection 
                and prevention, and penetration testing, in accordance 
                with the requirements issued under section 3553(b); and
                    ``(D) any other periodic testing and evaluation, in 
                accordance with the requirements issued under section 
                3553(b);
            ``(6) a process for ensuring that remedial actions are 
        taken to mitigate information security vulnerabilities 
        commensurate with risk and impact, and otherwise address any 
        deficiencies in the information security policies, procedures, 
        and practices of the agency;
            ``(7) policies and procedures to ensure detection, 
        mitigation, reporting, and responses to information security 
        incidents, in accordance with the policies and directives 
        issued under section 3553(b), including--
                    ``(A) ensuring timely internal reporting of 
                information security incidents;
                    ``(B) establishing and maintaining appropriate 
                technical capabilities to detect and mitigate risks 
                associated with information security incidents;
                    ``(C) notifying and consulting with the entity 
                designated by the Secretary under section 3553(b)(6); 
                and
                    ``(D) notifying and consulting with--
                            ``(i) law enforcement agencies and relevant 
                        Offices of Inspectors General; and
                            ``(ii) any other entity, in accordance with 
                        law and as directed by the President; and
            ``(8) plans and procedures to ensure continuity of 
        operations for information systems that support the operations 
        and assets of the agency.
    ``(c) Agency Reporting.--The head of each agency shall--
            ``(1) report annually to the Secretary on the adequacy and 
        effectiveness of information security policies, procedures, and 
        practices, including--
                    ``(A) compliance of the agency with the 
                requirements of this subchapter;
                    ``(B) a conclusion as to the effectiveness of the 
                information security policies, procedures, and 
                practices of the agency based on a determination of the 
                aggregate effect of identified deficiencies;
                    ``(C) an identification and analysis of, including 
                actions and plans to address, any significant 
                deficiencies identified in such policies, procedures 
                and practices; and
                    ``(D) any information or evaluation required under 
                the reporting requirements issued under section 
                3553(b);
            ``(2) make the report required under paragraph (1) 
        available to the appropriate authorization and appropriations 
        committees of Congress and the Comptroller General of the 
        United States; and
            ``(3) address the adequacy and effectiveness of the 
        information security policies, procedures, and practices of the 
        agency as required for management and budget plans and reports, 
        as appropriate.
    ``(d) Communications and System Traffic.--Notwithstanding any other 
provision of law, the head of each agency is authorized to allow the 
Secretary, or a private entity providing assistance to the Secretary 
under section 3553, to acquire, intercept, retain, use, and disclose 
communications, system traffic, records, or other information 
transiting to or from or stored on an agency information system for the 
purpose of protecting agency information and information systems from 
information security threats or mitigating the threats in connection 
with the implementation of the information security capabilities 
authorized by paragraph (3) or (4) of section 3553(b).
``Sec. 3555. Annual assessments
    ``(a) In General.--Except as provided in subsection (c), the 
Secretary shall conduct periodic assessments of the information 
security programs and practices of agencies based on the annual agency 
reports required under section 3554(c), the annual independent 
evaluations required under section 3556, the results of any continuous 
monitoring, and other available information.
    ``(b) Contents.--Each assessment conducted under subsection (a) 
shall--
            ``(1) assess the effectiveness of agency information 
        security policies, procedures, and practices;
            ``(2) provide an assessment of the status of agency 
        information system security for the Federal Government as a 
        whole; and
            ``(3) include recommendations for improving information 
        system security for an agency or the Federal Government as a 
        whole.
    ``(c) Certain Information Systems.--
            ``(1) National security systems.--A periodic assessment 
        conducted under subsection (a) relating to a national security 
        system shall be prepared as directed by the President.
            ``(2) Specific agencies.--Periodic assessments conducted 
        under subsection (a) shall be prepared in accordance with 
        governmentwide reporting requirements by--
                    ``(A) the Secretary of Defense for information 
                systems under the control of the Department of Defense;
                    ``(B) the Director of the Central Intelligence 
                Agency for information systems under the control of the 
                Central Intelligence Agency; and
                    ``(C) the Director of National Intelligence for 
                information systems under the control of the Office of 
                the Director of National Intelligence.
    ``(d) Agency-specific Assessments.--Each assessment conducted under 
subsection (a) that relates, in whole or in part, to the information 
systems of an agency shall be made available to the head of the agency.
    ``(e) Protection of Information.--In conducting assessments under 
subsection (a), the Secretary shall take appropriate actions to ensure 
the protection of information which, if disclosed, may adversely affect 
information security. Such protections shall be commensurate with the 
risk and comply with all applicable laws and policies.
    ``(f) Report to Congress.--The Secretary, in coordination with the 
Secretary of Defense, the Director of the Central Intelligence Agency, 
and the Director of National Intelligence, shall evaluate and submit to 
Congress an annual report on the adequacy and effectiveness of the 
information security programs and practices assessed under this 
section.
``Sec. 3556. Independent evaluations
    ``(a) In General.--Not less than once every 2 years, an independent 
evaluation shall be performed of the information security program and 
practices of each agency in accordance with the guidance developed 
under subsection (d) to determine the effectiveness of the programs and 
practices in addressing risk.
    ``(b) Contents.--Each evaluation performed under subsection (a) 
shall include--
            ``(1) testing of the effectiveness of information security 
        policies, procedures, and practices of a representative subset 
        of the information systems of the agency;
            ``(2) an assessment of compliance with this subchapter and 
        any significant deficiencies; and
            ``(3) a conclusion as to the effectiveness of the 
        information security policies, procedures, and practices of the 
        agency in addressing risk based on a determination of the 
        aggregate effect of identified deficiencies.
    ``(c) Conduct of Independent Evaluations.--An evaluation of an 
agency under subsection (a) shall be performed by--
            ``(1) the Inspector General of the agency;
            ``(2) at the discretion of the Inspector General of the 
        agency, an independent entity entering a contract with the 
        Inspector General to perform the evaluation; or
            ``(3) if the agency does not have an Inspector General, an 
        independent entity selected by the head of the agency, in 
        consultation with the Secretary.
    ``(d) Guidance.--The Council of Inspectors General on Integrity and 
Efficiency, in consultation with the Secretary, the Comptroller General 
of the United States, and the Director of the National Institute of 
Standards and Technology, shall issue and maintain guidance for 
performing timely, cost-effective, and risk-based evaluations under 
subsection (a).
    ``(e) Reports.--The official or entity performing an evaluation of 
an agency under subsection (a) shall submit to Congress, the agency, 
and the Comptroller General of the United States a report regarding the 
evaluation. The head of the agency shall provide to the Secretary a 
report received under this subsection.
    ``(f) National Security Systems.--An evaluation under subsection 
(a) of a national security system shall be performed as directed by the 
President.
    ``(g) Comptroller General.--The Comptroller General of the United 
States shall periodically evaluate and submit to Congress reports on--
            ``(1) the adequacy and effectiveness of the information 
        security policies and practices of agencies; and
            ``(2) implementation of this subchapter.
``Sec. 3557. National security systems
    ``The head of each agency operating or exercising control of a 
national security system shall be responsible for ensuring that the 
agency--
            ``(1) provides information security protections 
        commensurate with the risk and magnitude of the harm resulting 
        from the unauthorized use, disclosure, disruption, 
        modification, or destruction of the information contained in 
        the national security system;
            ``(2) implements information security policies and 
        practices as required by standards and guidelines for national 
        security systems issued in accordance with law and as directed 
        by the President; and
            ``(3) complies with this subchapter.
``Sec. 3558. Effect on existing law
    ``Nothing in this subchapter shall be construed to alter or amend 
any law regarding the authority of any head of an agency over the 
agency.''.
    (b) Technical and Conforming Amendment.--The table of sections for 
chapter 35 of title 44 is amended by striking the matter relating to 
subchapters II and III and inserting the following:

                  ``subchapter ii--information security

``Sec. 3551. Purposes.
``Sec. 3552. Definitions.
``Sec. 3553. Federal information security authority and coordination.
``Sec. 3554. Agency responsibilities.
``Sec. 3555. Annual assessments.
``Sec. 3556. Independent evaluations.
``Sec. 3557. National security systems.
``Sec. 3558. Effect on existing law.''.

SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

    (a) In General.--Section 11331 of title 40, United States Code, is 
amended to read as follows:
``Sec. 11331. Responsibilities for Federal information systems 
              standards
    ``(a) Definitions.--In this section:
            ``(1) Federal information system.--The term `Federal 
        information system' means an information system used or 
        operated by an executive agency, by a contractor of an 
        executive agency, or by another entity on behalf of an 
        executive agency.
            ``(2) Information security.--The term `information 
        security' has the meaning given that term in section 3552 of 
        title 44.
            ``(3) National security system.--The term `national 
        security system' has the meaning given that term in section 
        3552 of title 44.
    ``(b) Standards and Guidelines.--
            ``(1) Authority to prescribe.--Except as provided under 
        paragraph (2), and based on the standards and guidelines 
        developed by the National Institute of Standards and Technology 
        under paragraphs (2) and (3) of section 20(a) of the National 
        Institute of Standards and Technology Act (15 U.S.C. 278g-
        3(a)), the Secretary of Commerce, in consultation with the 
        Secretary of Homeland Security, shall prescribe standards and 
        guidelines relating to Federal information systems.
            ``(2) National security systems.--Standards and guidelines 
        for national security systems shall be developed, prescribed, 
        enforced, and overseen as otherwise authorized by law and as 
        directed by the President.
    ``(c) Mandatory Requirements.--
            ``(1) Authority to make mandatory.--The Secretary of 
        Commerce may require executive agencies to comply with the 
        standards prescribed under subsection (b)(1) to the extent 
        determined necessary by the Secretary of Commerce to improve 
        the efficiency of operation or security of Federal information 
        systems.
            ``(2) Required mandatory standards.--
                    ``(A) In general.--The Secretary of Commerce shall 
                require executive agencies to comply with the standards 
                described in subparagraph (B).
                    ``(B) Contents.--The standards described in this 
                subparagraph are information security standards that--
                            ``(i) provide minimum information security 
                        requirements as determined under section 20(b) 
                        of the National Institute of Standards and 
                        Technology Act (15 U.S.C. 278g-3(b)); and
                            ``(ii) are otherwise necessary to improve 
                        the security of Federal information and Federal 
                        information systems.
    ``(d) Authority To Disapprove or Modify.--The President may 
disapprove or modify the standards and guidelines prescribed under 
subsection (b)(1) if the President determines such action to be in the 
public interest. The authority of the President to disapprove or modify 
the standards and guidelines may be delegated to the Director of the 
Office of Management and Budget. Notice of a disapproval or 
modification under this subsection shall be published promptly in the 
Federal Register. Upon receiving notice of a disapproval or 
modification, the Secretary of Commerce shall immediately rescind or 
modify the standards or guidelines as directed by the President or the 
Director of the Office of Management and Budget.
    ``(e) Exercise of Authority.--To ensure fiscal and policy 
consistency, the Secretary of Commerce shall exercise the authority 
under this section subject to direction by the President and in 
coordination with the Director of the Office of Management and Budget.
    ``(f) Application of More Stringent Standards.--The head of an 
executive agency may employ standards for the cost-effective 
information security for Federal information systems of that agency 
that are more stringent than the standards prescribed by the Secretary 
of Commerce under subsection (b)(1) if the more stringent standards--
            ``(1) contain any standards with which the Secretary of 
        Commerce has required the agency to comply; and
            ``(2) are otherwise consistent with the policies and 
        directives issued under section 3553(b) of title 44.
    ``(g) Decisions on Promulgation of Standards.--The decision by the 
Secretary of Commerce regarding the promulgation of any standard under 
this section shall occur not later than 6 months after the submission 
of the proposed standard to the Secretary of Commerce by the National 
Institute of Standards and Technology, as provided under section 20 of 
the National Institute of Standards and Technology Act (15 U.S.C. 278g-
3).''.
    (b) Technical and Conforming Amendments.--
            (1) Section 3502(8) of title 44, United States Code, is 
        amended by inserting ``hosting,'' after ``collection,'';
            (2) The National Institute of Standards and Technology Act 
        (15 U.S.C. 271 et seq.) is amended--
                    (A) in section 20(a)(2) (15 U.S.C. 278g-3(a)(2)), 
                by striking ``section 3532(b)(2)'' and inserting 
                ``section 3552(b)''; and
                    (B) in section 21(b) (15 U.S.C. 278g-4(b))--
                            (i) in paragraph (2), by inserting ``, the 
                        Secretary of Homeland Security,'' after ``the 
                        Institute''; and
                            (ii) in paragraph (3), by inserting ``the 
                        Secretary of Homeland Security,'' after ``the 
                        Secretary of Commerce,''.
            (3) Section 1001(c)(1)(A) of the Homeland Security Act of 
        2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ``section 
        3532(3)'' and inserting ``section 3552(b)''.
            (4) Part IV of title 10, United States Code, is amended--
                    (A) in section 2222(j)(5), by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)'';
                    (B) in section 2223(c)(3), by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)''; and
                    (C) in section 2315, by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)''.
            (5) Section 8(d)(1) of the Cyber Security Research and 
        Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
        ``section 3534(b)'' and inserting ``section 3554(b)''.

SEC. 203. SAVINGS PROVISIONS.

    (a) In General.--Policies and compliance guidance issued by the 
Director of the Office of Management and Budget before the date of 
enactment of this Act under section 3543(a)(1) of title 44 (as in 
effect on the day before the date of enactment of this Act) shall 
continue in effect, according to their terms, until modified, 
terminated, superseded, or repealed under section 3553(b)(1) of title 
44, as added by this Act.
    (b) Other Standards and Guidelines.--Standards and guidelines 
issued by the Secretary of Commerce or by the Director of the Office of 
Management and Budget before the date of enactment of this Act under 
section 11331(b)(1) of title 40 (as in effect on the day before the 
date of enactment of this Act) shall continue in effect, according to 
their terms, until modified, terminated, superseded, or repealed under 
section 11331(b)(1), as added by this Act.

 TITLE III--CLARIFYING AND STRENGTHENING EXISTING ROLES AND AUTHORITIES

SEC. 301. CONSOLIDATION OF EXISTING DEPARTMENTAL CYBER RESOURCES AND 
              AUTHORITIES.

    (a) In General.--Title II of the Homeland Security Act of 2002 (6 
U.S.C. 121 et seq.) is amended by adding at the end the following:

                      ``Subtitle E--Cybersecurity

``SEC. 241. DEFINITIONS.

    ``In this subtitle:
            ``(1) Agency information infrastructure.--The term `agency 
        information infrastructure' means the Federal information 
        infrastructure of a particular Federal agency.
            ``(2) Center.--The term `Center' means the National Center 
        for Cybersecurity and Communications established under section 
        242.
            ``(3) Covered critical infrastructure.--The term `covered 
        critical infrastructure' means a system or asset designated by 
        the Secretary as covered critical infrastructure in accordance 
        with the procedure established under section 103 of the 
        Cybersecurity Act of 2012.
            ``(4) Damage.--The term `damage' has the meaning given that 
        term in section 1030(e) of title 18, United States Code.
            ``(5) Federal agency.--The term `Federal agency' has the 
        meaning given the term `agency' in section 3502 of title 44, 
        United States Code.
            ``(6) Federal cybersecurity center.--The term `Federal 
        cybersecurity center' has the meaning given that term in 
        section 708 of the Cybersecurity Act of 2012.
            ``(7) Federal entity.--The term `Federal entity' has the 
        meaning given that term in section 708 of the Cybersecurity Act 
        of 2012.
            ``(8) Federal information infrastructure.--The term 
        `Federal information infrastructure'--
                    ``(A) means information and information systems 
                that are owned, operated, controlled, or licensed for 
                use by, or on behalf of, any Federal agency, including 
                information systems used or operated by another entity 
                on behalf of a Federal agency; and
                    ``(B) does not include--
                            ``(i) a national security system; or
                            ``(ii) information and information systems 
                        that are owned, operated, controlled, or 
                        licensed for use by, or on behalf of, the 
                        Department of Defense, a military department, 
                        or another element of the intelligence 
                        community.
            ``(9) Incident.--The term `incident' has the meaning given 
        that term in section 3552 of title 44, United States Code.
            ``(10) Information security.--The term `information 
        security' has the meaning given that term in section 3552 of 
        title 44, United States Code.
            ``(11) Information system.--The term `information system' 
        has the meaning given that term in section 3502 of title 44, 
        United States Code.
            ``(12) Intelligence community.--The term `intelligence 
        community' has the meaning given that term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 401a(4)).
            ``(13) National security and emergency preparedness 
        communications infrastructure.--The term `national security and 
        emergency preparedness communications infrastructure' means the 
        systems supported or covered by the Office of Emergency 
        Communications and the National Communications System on the 
        date of enactment of the Cybersecurity Act of 2012 or otherwise 
        described in Executive Order 12472, or any successor thereto, 
        relating to national security and emergency preparedness 
        communications functions.
            ``(14) National information infrastructure.--The term 
        `national information infrastructure' means information and 
        information systems--
                    ``(A) that are owned, operated, or controlled 
                within or from the United States; and
                    ``(B) that are not owned, operated, controlled, or 
                licensed for use by a Federal agency.
            ``(15) National security system.--The term `national 
        security system' has the meaning given that term in section 
        3552 of title 44, United States Code.
            ``(16) Non-federal entity.--The term `non-Federal entity' 
        has the meaning given that term in section 708 of the 
        Cybersecurity Act of 2012.

``SEC. 242. CONSOLIDATION OF EXISTING RESOURCES.

    ``(a) Establishment.--There is established within the Department a 
National Center for Cybersecurity and Communications.
    ``(b) Transfer of Functions.--There are transferred to the Center 
the National Cyber Security Division, the Office of Emergency 
Communications, and the National Communications System, including all 
the functions, personnel, assets, authorities, and liabilities of the 
National Cyber Security Division, the Office of Emergency 
Communications, and the National Communications System.
    ``(c) Director.--The Center shall be headed by a Director, who 
shall be appointed by the President, by and with the advice and consent 
of the Senate, and who shall report directly to the Secretary.
    ``(d) Duties.--The Director of the Center shall--
            ``(1) manage Federal efforts to secure, protect, and ensure 
        the resiliency of the Federal information infrastructure, 
        national information infrastructure, and national security and 
        emergency preparedness communications infrastructure of the 
        United States, working cooperatively with appropriate 
        government agencies and the private sector;
            ``(2) support private sector efforts to secure, protect, 
        and ensure the resiliency of the national information 
        infrastructure;
            ``(3) prioritize the efforts of the Center to address the 
        most significant risks and incidents that have caused or are 
        likely to cause damage to the Federal information 
        infrastructure, the national information infrastructure, and 
        national security and emergency preparedness communications 
        infrastructure of the United States;
            ``(4) ensure, in coordination with the privacy officer 
        designated under subsection (j), the Privacy Officer appointed 
        under section 222, and the Director of the Office of Civil 
        Rights and Civil Liberties appointed under section 705, that 
        the activities of the Center comply with all policies, 
        regulations, and laws protecting the privacy and civil 
        liberties of United States persons; and
            ``(5) perform such other duties as the Secretary may 
        require relating to the security and resiliency of the Federal 
        information infrastructure, national information 
        infrastructure, and the national security and emergency 
        preparedness communications infrastructure of the United 
        States.
    ``(e) Authorities and Responsibilities of Center.--The Center 
shall--
            ``(1) engage in activities and otherwise coordinate Federal 
        efforts to identify, protect against, remediate, and mitigate, 
        respond to, and recover from cybersecurity threats, 
        consequences, vulnerabilities and incidents impacting the 
        Federal information infrastructure and the national information 
        infrastructure, including by providing support to entities that 
        own or operate national information infrastructure, at their 
        request;
            ``(2) conduct risk-based assessments of the Federal 
        information infrastructure, and risk assessments of critical 
        infrastructure;
            ``(3) develop, oversee the implementation of, and enforce 
        policies, principles, and guidelines on information security 
        for the Federal information infrastructure, including exercise 
        of the authorities under the Federal Information Security 
        Management Act of 2002 (title III of Public Law 107-347; 116 
        Stat. 2946);
            ``(4) evaluate and facilitate the adoption of technologies 
        designed to enhance the protection of information 
        infrastructure, including making such technologies available to 
        entities that own or operate national information 
        infrastructure, with or without reimbursement, as necessary to 
        accomplish the purposes of this section;
            ``(5) oversee the responsibilities related to national 
        security and emergency preparedness communications 
        infrastructure, including the functions of the Office of 
        Emergency Communications and the National Communications 
        System;
            ``(6)(A) maintain comprehensive situational awareness of 
        the security of the Federal information infrastructure and the 
        national information infrastructure for the purpose of enabling 
        and supporting activities under subparagraph (e)(1); and
            ``(B) provide classified and unclassified information to 
        entities that own or operate national information 
        infrastructure to support efforts by such entities to secure 
        such infrastructure and for enhancing overall situational 
        awareness;
            ``(7) serve as the focal point for, and foster 
        collaboration between, the Federal Government, State and local 
        governments, and private entities on matters relating to the 
        security of the national information infrastructure;
            ``(8) develop, in coordination with the Assistant Secretary 
        for Infrastructure Protection, other Federal agencies, the 
        private sector, and State and local governments a national 
        incident response plan that details the roles of Federal 
        agencies, State and local governments, and the private sector, 
        and coordinate national cyber incident response efforts;
            ``(9) consult, in coordination with the Secretary of State, 
        with appropriate international partners to enhance the security 
        of the Federal information infrastructure, national information 
        infrastructure, and information infrastructure located outside 
        the United States the disruption of which could result in 
        national or regional catastrophic damage in the United States; 
        and
            ``(10) coordinate the activities undertaken by Federal 
        agencies to--
                    ``(A) protect Federal information infrastructure 
                and national information infrastructure; and
                    ``(B) prepare the Nation to respond to, recover 
                from, and mitigate against risks of incidents involving 
                such infrastructure; and
            ``(11) perform such other duties as the Secretary may 
        require relating to the security and resiliency of the Federal 
        information infrastructure, national information 
        infrastructure, and national security and emergency 
        preparedness communications infrastructure of the United 
        States.
    ``(f) Use of Existing Mechanisms for Collaboration.--To avoid 
unnecessary duplication or waste, in carrying out the authorities and 
responsibilities of the Center under this subtitle, to the maximum 
extent practicable, the Director of the Center shall make use of 
existing mechanisms for collaboration and information sharing, 
including mechanisms relating to the identification and communication 
of cybersecurity threats, vulnerabilities, and associated consequences, 
established by other components of the Department or other Federal 
agencies and the information sharing mechanisms established under title 
VII of the Cybersecurity Act of 2012.
    ``(g) Deputy Directors.--
            ``(1) In general.--There shall be a Deputy Director 
        appointed by the Secretary, who shall--
                    ``(A) have expertise in infrastructure protection; 
                and
                    ``(B) ensure that the operations of the Center and 
                the Office of Infrastructure Protection avoid 
                duplication and use, to the maximum extent practicable, 
                joint mechanisms for information sharing and 
                coordination with the private sector.
            ``(2) Intelligence community.--The Director of National 
        Intelligence, with the concurrence of the Secretary, shall 
        identify an employee of an element of the intelligence 
        community to serve as a Deputy Director of the Center. The 
        employee shall be detailed to the Center on a reimbursable 
        basis for such period as is agreed to by the Director of the 
        Center and the Director of National Intelligence, and, while 
        serving as Deputy Director, shall report directly to the 
        Director of the Center.
    ``(h) Cybersecurity Exercise Program.--The Director of the Center 
shall develop and implement a national cybersecurity exercise program 
with the participation of State and local governments, international 
partners of the United States, and the private sector.
    ``(i) Liaison Officers.--
            ``(1) Required detail of liaison officers.--The Secretary 
        of Defense, the Attorney General, the Secretary of Commerce, 
        and the Director of National Intelligence shall assign 
        personnel to the Center to act as full-time liaisons.
            ``(2) Optional detail of liaison officers.--The head of any 
        Federal agency not described in paragraph (1), with the 
        concurrence of the Director of the Center, may assign personnel 
        to the Center to act as liaisons.
            ``(3) Private sector liaison.--The Director of the Center 
        shall designate not less than 1 employee of the Center to serve 
        as a liaison with the private sector.
    ``(j) Privacy Officer.--The Director of the Center, in consultation 
with the Secretary, shall designate a full-time privacy officer.
    ``(k) Sufficiency of Resources Plan.--
            ``(1) Report.--Not later than 120 days after the date of 
        enactment of the Cybersecurity Act of 2012, the Director of the 
        Office of Management and Budget shall submit to the appropriate 
        committees of Congress and the Comptroller General of the 
        United States a report on the resources and staff necessary to 
        carry out fully the responsibilities under this subtitle, 
        including the availability of existing resources and staff.
            ``(2) Comptroller general review.--The Comptroller General 
        of the United States shall evaluate the reasonableness and 
        adequacy of the report submitted by the Director of the Office 
        of Management and Budget under paragraph (1) and submit to the 
        appropriate committees of Congress a report regarding the same.
    ``(l) No Right or Benefit.--The provision of assistance or 
information under this section to governmental or private entities that 
own or operate critical infrastructure shall be at the discretion of 
the Secretary. The provision of certain assistance or information to a 
governmental or private entity pursuant to this section shall not 
create a right or benefit, substantive or procedural, to similar 
assistance or information for any other governmental or private entity.

``SEC. 243. DEPARTMENT OF HOMELAND SECURITY INFORMATION SHARING.

    ``(a) In General.--
            ``(1) Assessment.--Not later than 180 days after the date 
        of enactment of the Cybersecurity Act of 2012, the Director of 
        the Center, in consultation with the private sector, relevant 
        government agencies, and nongovernmental organizations, shall 
        conduct an assessment of existing and proposed information 
        sharing models to identify best practices for sharing 
        information across government and with the private sector, 
        including through cybersecurity exchanges designated pursuant 
        to section 703 of the Cybersecurity Act of 2012.
            ``(2) Information sharing.--The Director of the Center 
        shall periodically review procedures established under 
        subsection (b) and the program established in accordance with 
        subsection (c) to ensure that classified and unclassified 
        cybersecurity information, including information relating to 
        threats, vulnerabilities, traffic, trends, incidents, and other 
        anomalous activities affecting the Federal information 
        infrastructure, national information infrastructure, or 
        information systems, are being appropriately shared between and 
        among appropriate Federal and non-Federal entities, including 
        Federal cybersecurity centers, Federal and non-Federal network 
        and security operations centers, cybersecurity exchanges, and 
        non-Federal entities responsible for such information systems.
    ``(b) Federal Agencies.--
            ``(1) Information sharing program.--The Director of the 
        Center, in consultation with the members of the Chief 
        Information Officers Council established under section 3603 of 
        title 44, United States Code, shall establish a program for 
        sharing information with and between the Center and other 
        Federal agencies that includes processes and procedures--
                    ``(A) under which the Director of the Center 
                regularly shares with each Federal agency analyses and 
                reports regarding the security of such agency 
                information infrastructure and on the overall security 
                of the Federal information infrastructure and 
                information infrastructure that is owned, operated, 
                controlled, or licensed for use by, or on behalf of, 
                the Department of Defense, a military department, or 
                another element of the intelligence community, which 
                shall include means and methods of preventing, 
                responding to, mitigating, and remediating 
                cybersecurity threats and vulnerabilities; and
                    ``(B) under which Federal agencies provide the 
                Director of the Center, upon request, with information 
                concerning the security of the Federal information 
                infrastructure, information infrastructure that is 
                owned, operated, controlled, or licensed for use by, or 
                on behalf of, the Department of Defense, a military 
                department, or another element of the intelligence 
                community, or the national information infrastructure 
                necessary to carry out the duties of the Director of 
                the Center under this subtitle or any other provision 
                of law.
            ``(2) Access to information.--
                    ``(A) In general.--The Director of the Center shall 
                ensure--
                            ``(i) that the head of each Federal agency 
                        has timely access to data, including 
                        appropriate raw and processed data, regarding 
                        the information infrastructure of the Federal 
                        agency; and
                            ``(ii) to the greatest extent possible, 
                        that the head of each Federal agency is kept 
                        apprised of common trends in security 
                        compliance as well as the likelihood that a 
                        significant cybersecurity risk or incident 
                        could cause damage to the agency information 
                        infrastructure.
                    ``(B) Compliance.--The head of a Federal agency 
                shall comply with all processes and procedures 
                established under this subsection regarding 
                notification to the Director of the Center relating to 
                incidents.
                    ``(C) Immediate notification required.--Unless 
                otherwise directed by the President, any Federal agency 
                with a national security system shall, consistent with 
                the level of the risk, immediately notify the Director 
                of the Center regarding any incident affecting the 
                security of a national security system.
    ``(c) Private Sector, State and Local Governments, and 
International Partners.--
            ``(1) Information sharing program.--The Director of the 
        Center shall establish a program for sharing cybersecurity 
        threat and vulnerability information in support of activities 
        under section 242(e)(1) between the Center, cybersecurity 
        exchanges designated pursuant to section 703 of the 
        Cybersecurity Act of 2012, State and local governments, the 
        private sector, and international partners, which shall include 
        processes and procedures that--
                    ``(A) expand and enhance the sharing of timely and 
                actionable cybersecurity threat and vulnerability 
                information by the Federal Government with owners and 
                operators of the national information infrastructure;
                    ``(B) establish criteria under which owners or 
                operators of covered critical infrastructure 
                information systems shall share information about 
                incidents affecting covered critical infrastructure, 
                and other relevant data with the Federal Government;
                    ``(C) ensure voluntary information sharing with and 
                from the private sector, State and local governments, 
                and international partners of the United States on--
                            ``(i) cybersecurity threats, 
                        vulnerabilities, incidents, and anomalous 
                        activities affecting the national information 
                        infrastructure; and
                            ``(ii) means and methods of identifying, 
                        preventing, responding to, mitigating and 
                        remediating cybersecurity threats, and 
                        vulnerabilities;
                    ``(D) establish a method of accessing classified or 
                unclassified information, as appropriate and in 
                accordance with applicable laws protecting trade 
                secrets, that will provide situational awareness of the 
                security of the Federal information infrastructure and 
                the national information infrastructure relating to 
                cybersecurity threats, and vulnerabilities, including 
                traffic, trends, incidents, damage, and other anomalous 
                activities affecting the Federal information 
                infrastructure or the national information 
                infrastructure;
                    ``(E) establish guidance on the form, content, and 
                priority of incident reports that shall be submitted 
                under subsection (c)(1)(B), which shall--
                            ``(i) include appropriate mechanisms to 
                        protect personally identifiable information; 
                        and
                            ``(ii) prioritize the reporting of 
                        incidents based on the risk the incident poses 
                        to the disruption of the reliable operation of 
                        the covered critical infrastructure; and
                    ``(F) establish a procedure for notifying an 
                information technology provider if a vulnerability is 
                detected in the product or service produced by the 
                information technology provider and, where possible, 
                working with the information technology provider to 
                remediate the vulnerability before any public 
                disclosure of the vulnerability so as to minimize the 
                opportunity for the vulnerability to be exploited.
            ``(2) Coordination.--In carrying out the duties under this 
        subsection, the Director of the Center shall coordinate, as 
        appropriate, with Federal and non-Federal entities engaged in 
        similar information sharing efforts.
            ``(3) Evaluation of access to classified information.--The 
        Director of the Center, in coordination with the Director of 
        National Intelligence, shall conduct an annual evaluation of 
        the sufficiency of access to classified information by owners 
        and operators of national information infrastructure.
            ``(4) Evaluation.--The Director of the Center shall create 
        and promote a mechanism for owners and operators of national 
        information infrastructure to provide feedback about the 
        operations of the Center and recommendations for improvements 
        of the Center, including recommendations to improve the sharing 
        of classified and unclassified information.
            ``(5) Guidelines.--The Director of the Center, in 
        consultation with the Attorney General, the Director of 
        National Intelligence, and the Privacy Officer established 
        under section 242(j), shall develop guidelines to protect the 
        privacy and civil liberties of United States persons and 
        intelligence sources and methods, while carrying out this 
        subsection.
    ``(d) Voluntarily Shared Information.--Covered information, as 
defined in section 107 of the Cybersecurity Act of 2012, submitted to 
the Center in accordance with this subtitle shall be treated as 
voluntarily shared critical infrastructure information under section 
214, except that the requirement of section 214 that the information be 
voluntarily submitted, including the requirement for an express 
statement, shall not be required for submissions of covered 
information.
    ``(e) Limitation on Use of Voluntarily Submitted Information for 
Regulatory Enforcement Actions.--A Federal entity may not use 
information submitted under this subtitle as evidence in a regulatory 
enforcement action against the individual or entity that lawfully 
submitted the information.

``SEC. 244. ACCESS TO INFORMATION.

    ``Unless otherwise directed by the President--
            ``(1) the Director of the Center shall have access to, 
        receive, and analyze law enforcement information, intelligence 
        information, terrorism information, and any other information 
        in the possession of Federal agencies relevant to the security 
        of the Federal information infrastructure, information 
        infrastructure that is owned, operated, controlled, or licensed 
        for use by, or on behalf of, the Department of Defense, a 
        military department, or another element of the intelligence 
        community, or national information infrastructure and, 
        consistent with applicable law, may also receive such 
        information, from State and local governments (including law 
        enforcement agencies), and private entities, including 
        information provided by any contractor to a Federal agency 
        regarding the security of the agency information 
        infrastructure; and
            ``(2) any Federal agency in possession of law enforcement 
        information, intelligence information, terrorism information, 
        or any other information relevant to the security of the 
        Federal information infrastructure, information infrastructure 
        that is owned, operated, controlled, or licensed for use by, or 
        on behalf of, the Department of Defense, a military department, 
        or another element of the intelligence community, or national 
        information infrastructure shall provide that information to 
        the Director of the Center in a timely manner.

``SEC. 245. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS 
              ACQUISITION AUTHORITIES.

    ``(a) In General.--The National Center for Cybersecurity and 
Communications is authorized to use the authorities under subsections 
(c)(1) and (d)(1)(B) of section 2304 of title 10, United States Code, 
instead of the authorities under subsections (a)(1) and (b)(2) of 
section 3304 of title 41, United States Code, subject to all other 
requirements of sections 3301 and 3304 of title 41, United States Code.
    ``(b) Guidelines.--Not later than 90 days after the date of 
enactment of the Cybersecurity Act of 2012, the chief procurement 
officer of the Department of Homeland Security shall issue guidelines 
for use of the authority under subsection (a).
    ``(c) Termination.--The National Center for Cybersecurity and 
Communications may not use the authority under subsection (a) on and 
after the date that is 3 years after the date of enactment of this Act.
    ``(d) Reporting.--
            ``(1) In general.--On a semiannual basis, the Director of 
        the Center shall submit a report on use of the authority 
        granted by subsection (a) to--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    ``(B) the Committee on Homeland Security of the 
                House of Representatives.
            ``(2) Contents.--Each report submitted under paragraph (1) 
        shall include, at a minimum--
                    ``(A) the number of contract actions taken under 
                the authority under subsection (a) during the period 
                covered by the report; and
                    ``(B) for each contract action described in 
                subparagraph (A)--
                            ``(i) the total dollar value of the 
                        contract action;
                            ``(ii) a summary of the market research 
                        conducted by the National Center for 
                        Cybersecurity and Communications, including a 
                        list of all offerors who were considered and 
                        those who actually submitted bids, in order to 
                        determine that use of the authority was 
                        appropriate; and
                            ``(iii) a copy of the justification and 
                        approval documents required by section 3304(e) 
                        of title 41, United States Code.
            ``(3) Classified annex.--A report submitted under this 
        subsection shall be submitted in an unclassified form, but may 
        include a classified annex, if necessary.

``SEC. 246. RECRUITMENT AND RETENTION PROGRAM FOR THE NATIONAL CENTER 
              FOR CYBERSECURITY AND COMMUNICATIONS.

    ``(a) Definitions.--In this section:
            ``(1) Collective bargaining agreement.--The term 
        `collective bargaining agreement' has the meaning given that 
        term in section 7103(a)(8) of title 5, United States Code.
            ``(2) Qualified employee.--The term `qualified employee' 
        means an employee who performs functions relating to the 
        security of Federal systems and critical information 
        infrastructure.
    ``(b) General Authority.--
            ``(1) Establish positions, appoint personnel, and fix rates 
        of pay.--The Secretary may exercise with respect to qualified 
        employees of the Department the same authority that the 
        Secretary of Defense has with respect to civilian intelligence 
        personnel under sections 1601, 1602, and 1603 of title 10, 
        United States Code, to establish as positions in the excepted 
        service, to appoint individuals to those positions, and fix 
        pay. Such authority shall be exercised subject to the same 
        conditions and limitations applicable to the Secretary of 
        Defense with respect to civilian intelligence personnel of the 
        Department of Defense.
            ``(2) Scholarship program.--The Secretary may exercise with 
        respect to qualified employees of the Department the same 
        authority that the Secretary of Defense has with respect to 
        civilian personnel under section 2200a of title 10, United 
        States Code, to the same extent, and subject to the same 
        conditions and limitations, that the Secretary of Defense may 
        exercise such authority with respect to civilian personnel of 
        the Department of Defense.
            ``(3) Plan for execution of authorities.--Not later than 
        120 days after the date of enactment of this subtitle, the 
        Secretary shall submit a report to the appropriate committees 
        of Congress with a plan for the use of the authorities provided 
        under this subsection.
            ``(4) Collective bargaining agreements.--Nothing in 
        paragraph (1) may be construed to impair the continued 
        effectiveness of a collective bargaining agreement with respect 
        to an office, component, subcomponent, or equivalent of the 
        Department that is a successor to an office, component, 
        subcomponent, or equivalent of the Department covered by the 
        agreement before the succession.
            ``(5) Required regulations.--The Secretary, in coordination 
        with the Director of the Center and the Director of the Office 
        of Personnel Management, shall prescribe regulations for the 
        administration of this section.
    ``(c) Merit System Principles And Civil Service Protections: 
Applicability.--
            ``(1) Applicability of merit system principles.--The 
        Secretary shall exercise the authority under subsection (b) in 
        a manner consistent with the merit system principles set forth 
        in section 2301 of title 5, United States Code.
            ``(2) Civil service protections.--Section 1221, section 
        2302, and chapter 75 of title 5, United States Code, shall 
        apply to the positions established under subsection (b)(1).
    ``(d) Requirements.--Before the initial exercise of any authority 
authorized under subsection (b)(1) the Secretary shall--
            ``(1) seek input from affected employees, and the union 
        representatives of affected employees as applicable, and 
        Federal manager and professional associations into the design 
        and implementation of a fair, credible, and transparent system 
        for exercising any authority under subsection (b)(1);
            ``(2) make a good faith attempt to resolve any employee 
        concerns regarding proposed changes in conditions of employment 
        through discussions with the groups described in paragraph (1);
            ``(3) develop a program to provide training to supervisors 
        of cybersecurity employees at the Department on the use of the 
        new authorities, including actions, options, and strategies a 
        supervisor may use in--
                    ``(A) developing and discussing relevant goals and 
                objectives with the employee, communicating and 
                discussing progress relative to performance goals and 
                objectives, and conducting performance appraisals;
                    ``(B) mentoring and motivating employees, and 
                improving employee performance and productivity;
                    ``(C) fostering a work environment characterized by 
                fairness, respect, equal opportunity, and attention to 
                the quality of work of the employees;
                    ``(D) effectively managing employees with 
                unacceptable performance;
                    ``(E) addressing reports of a hostile work 
                environment, reprisal, or harassment of or by another 
                supervisor or employee; and
                    ``(F) otherwise carrying out the duties and 
                responsibilities of a supervisor;
            ``(4) develop a program to provide training to supervisors 
        of cybersecurity employees at the Department on the prohibited 
        personnel practices under section 2302 of title 5, United 
        States Code, (particularly with respect to the practices 
        described in paragraphs (1) and (8) of section 2302(b) of title 
        5, United States Code), employee collective bargaining and 
        union participation rights, and the procedures and processes 
        used to enforce employee rights; and
            ``(5) develop a program under which experienced supervisors 
        mentor new supervisors by--
                    ``(A) sharing knowledge and advice in areas such as 
                communication, critical thinking, responsibility, 
                flexibility, motivating employees, teamwork, 
                leadership, and professional development; and
                    ``(B) pointing out strengths and areas for 
                development.
    ``(e) Supervisor Requirement.--
            ``(1) In general.--Except as provided in paragraph (2), not 
        later than 1 year after the date of enactment of the 
        Cybersecurity Act of 2012 and every 3 years thereafter, every 
        supervisor of cybersecurity employees at the Department shall 
        complete the programs established under paragraphs (3) and (4) 
        of subsection (d).
            ``(2) Exception.--A supervisor of cybersecurity employees 
        at the Department who is appointed after the date of enactment 
        of the Cybersecurity Act of 2012 shall complete the programs 
        established under paragraphs (3) and (4) of subsection (d) not 
        later than 1 year after the date on which the supervisor is 
        appointed to the position, and every 3 years thereafter.
            ``(3) Ongoing participation.--Participation by supervisors 
        of cybersecurity employees at the Department in the program 
        established under subsection (d)(5) shall be ongoing.
    ``(f) Conversion to Competitive Service.--In consultation with the 
Director of the Center, the Secretary may grant competitive civil 
service status to a qualified employee appointed to the excepted 
service under subsection (b) if that employee is employed in the Center 
or is transferring to the Center.
    ``(g) Annual Report.--Not later than 1 year after the date of 
enactment of this subtitle, and every year thereafter for 4 years, the 
Secretary shall submit to the appropriate committees of Congress a 
detailed report that--
            ``(1) discusses the process used by the Secretary in 
        accepting applications, assessing candidates, ensuring 
        adherence to veterans' preference, and selecting applicants for 
        vacancies to be filled by a qualified employee;
            ``(2) describes--
                    ``(A) how the Secretary plans to fulfill the 
                critical need of the Department to recruit and retain 
                qualified employees;
                    ``(B) the measures that will be used to measure 
                progress; and
                    ``(C) any actions taken during the reporting period 
                to fulfill such critical need;
            ``(3) discusses how the planning and actions taken under 
        paragraph (2) are integrated into the strategic workforce 
        planning of the Department;
            ``(4) provides metrics on actions occurring during the 
        reporting period, including--
                    ``(A) the number of qualified employees hired by 
                occupation and grade and level or pay band;
                    ``(B) the total number of veterans hired;
                    ``(C) the number of separations of qualified 
                employees by occupation and grade and level or pay 
                band;
                    ``(D) the number of retirements of qualified 
                employees by occupation and grade and level or pay 
                band; and
                    ``(E) the number and amounts of recruitment, 
                relocation, and retention incentives paid to qualified 
                employees by occupation and grade and level or pay 
                band.

``SEC. 247. PROHIBITED CONDUCT.

    ``None of the authorities provided under this subtitle shall 
authorize the Director of the Center, the Center, the Department, or 
any other Federal entity to--
            ``(1) compel the disclosure of information from a private 
        entity relating to an incident unless otherwise authorized by 
        law; or
            ``(2) intercept a wire, oral, or electronic communication 
        (as those terms are defined in section 2510 of title 18, United 
        States Code), access a stored electronic or wire communication, 
        install or use a pen register or trap and trace device, or 
        conduct electronic surveillance (as defined in section 101 of 
        the Foreign Intelligence Surveillance Act of 1978 (50 
        U.S.C. 1801)) relating to an incident unless otherwise 
        authorized under chapter 119, chapter 121, or chapter 206 of 
        title 18, United States Code, or the Foreign Intelligence 
        Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).''.
    (b) Technical and Conforming Amendment.--The table of contents in 
section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 et 
seq.) is amended by inserting after the item relating to section 237 
the following:

                      ``Subtitle E--Cybersecurity

``Sec. 241. Definitions.
``Sec. 242. Consolidation of existing resources.
``Sec. 243. Department of Homeland Security information sharing.
``Sec. 244. Access to information.
``Sec. 245. National Center for Cybersecurity and Communications 
                            acquisition authorities.
``Sec. 246. Recruitment and retention program for the National Center 
                            for Cybersecurity and Communications.
``Sec. 247. Prohibited conduct.''.

      TITLE IV--EDUCATION, RECRUITMENT, AND WORKFORCE DEVELOPMENT

SEC. 401. DEFINITIONS.

    In this title:
            (1) Cybersecurity mission.--The term ``cybersecurity 
        mission'' means activities that encompass the full range of 
        threat reduction, vulnerability reduction, deterrence, 
        international engagement, incident response, resiliency, and 
        recovery policies and activities, including computer network 
        operations, information assurance, law enforcement, diplomacy, 
        military, and intelligence missions as such activities relate 
        to the security and stability of cyberspace.
            (2) Cybersecurity mission of a federal agency.--The term 
        ``cybersecurity mission of a Federal agency'' means the portion 
        of a cybersecurity mission that is the responsibility of a 
        Federal agency.

SEC. 402. NATIONAL EDUCATION AND AWARENESS CAMPAIGN.

    (a) In General.--The Secretary, in consultation with appropriate 
Federal agencies, shall develop and implement outreach and awareness 
programs on cybersecurity, including--
            (1) in consultation with the Director of the National 
        Institute of Standards and Technology--
                    (A) a public education campaign to increase the 
                awareness of cybersecurity, cyber safety, and cyber 
                ethics, which shall include the use of the Internet, 
                social media, entertainment, and other media to reach 
                the public; and
                    (B) an education campaign to increase the 
                understanding of State and local governments and 
                private sector entities of the benefits of ensuring 
                effective risk management of the information 
                infrastructure versus the costs of failure to do so and 
                methods to mitigate and remediate vulnerabilities; and
            (2) in coordination with the Secretary of Commerce, 
        development of a program to publicly recognize or identify 
        products, services, and companies, including owners and 
        operators, that meet the highest standards of cybersecurity.
    (b) Considerations.--In carrying out the authority described in 
subsection (a), the Secretary of Commerce, the Secretary, and the 
Director of the National Institute of Standards and Technology shall 
leverage existing programs designed to inform the public of safety and 
security of products or services, including self-certifications and 
independently-verified assessments regarding the quantification and 
valuation of information security risk.

SEC. 403. NATIONAL CYBERSECURITY COMPETITION AND CHALLENGE.

    (a) Talent Competition and Challenge.--
            (1) In general.--The Secretary of Homeland Security and the 
        Secretary of Commerce shall establish a program to conduct 
        competitions and challenges and ensure the effective operation 
        of national and statewide competitions and challenges that seek 
        to identify, develop, and recruit talented individuals to work 
        in Federal agencies, State and local government agencies, and 
        the private sector to perform duties relating to the security 
        of the Federal information infrastructure or the national 
        information infrastructure.
            (2) Participation.--Participants in the competitions and 
        challenges of the program established under paragraph (1) shall 
        include--
                    (A) students enrolled in grades 9 through 12;
                    (B) students enrolled in a postsecondary program of 
                study leading to a baccalaureate degree at an 
                institution of higher education;
                    (C) students enrolled in a postbaccalaureate 
                program of study leading to an institution of higher 
                education;
                    (D) institutions of higher education and research 
                institutions;
                    (E) veterans; and
                    (F) other groups or individuals as the Secretary of 
                Homeland Security and the Secretary of Commerce 
                determine appropriate.
            (3) Support of other competitions and challenges.--The 
        program established under paragraph (1) may support other 
        competitions and challenges not established under this 
        subsection through affiliation and cooperative agreements 
        with--
                    (A) Federal agencies;
                    (B) regional, State, or school programs supporting 
                the development of cyber professionals;
                    (C) State, local, and tribal governments; or
                    (D) other private sector organizations.
            (4) Areas of talent.--The program established under 
        paragraph (1) shall seek to identify, develop, and recruit 
        exceptional talent relating to--
                    (A) ethical hacking;
                    (B) penetration testing;
                    (C) vulnerability assessment;
                    (D) continuity of system operations;
                    (E) cyber forensics;
                    (F) offensive and defensive cyber operations; and
                    (G) other areas to fulfill the cybersecurity 
                mission as the Director determines appropriate.
            (5) Internships.--The Director of the Office of Personnel 
        Management shall establish, in coordination with the Director 
        of the National Center for Cybersecurity and Communications, a 
        program to provide, where appropriate, internships or other 
        work experience in the Federal government to the winners of the 
        competitions and challenges.
    (b) National Research and Development Competition and Challenge.--
            (1) In general.--The Director of the National Science 
        Foundation, in consultation with appropriate Federal agencies, 
        shall establish a program of cybersecurity competitions and 
        challenges to stimulate innovation in basic and applied 
        cybersecurity research, technology development, and prototype 
        demonstration that has the potential for application to the 
        information technology activities of the Federal Government.
            (2) Participation.--Participants in the competitions and 
        challenges of the program established under paragraph (1) shall 
        include--
                    (A) students enrolled in grades 9 through 12;
                    (B) students enrolled in a postsecondary program of 
                study leading to a baccalaureate degree at an 
                institution of higher education;
                    (C) students enrolled in a postbaccalaureate 
                program of study leading to an institution of higher 
                education;
                    (D) institutions of higher education and research 
                institutions;
                    (E) veterans; and
                    (F) other groups or individuals as the Director of 
                the National Science Foundation determines appropriate.
            (3) Topics.--In selecting topics for competitions and 
        challenges held as part of the program established under 
        paragraph (1), the Director--
                    (A) shall consult widely both within and outside 
                the Federal Government; and
                    (B) may empanel advisory committees.
            (4) Internships.--The Director of the Office of Personnel 
        Management shall establish, in coordination with the Director 
        of the National Science Foundation, a program to provide, where 
        appropriate, internships or other work experience in the 
        Federal government to the winners of the competitions and 
        challenges held as part of the program established under 
        paragraph (1).

SEC. 404. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

    (a) In General.--The Director of the National Science Foundation, 
in coordination with the Secretary, shall establish a Federal Cyber 
Scholarship-for-Service program to recruit and train the next 
generation of information technology professionals, industry control 
system security professionals, and security managers to meet the needs 
of the cybersecurity mission for the Federal Government and State, 
local, and tribal governments.
    (b) Program Description and Components.--The program established 
under subsection (a) shall--
            (1) incorporate findings from the assessment and 
        development of the strategy under section 405;
            (2) provide not more than 1,000 scholarships per year, to 
        students who are enrolled in a program of study at an 
        institution of higher education leading to a degree or 
        specialized program certification in the cybersecurity field, 
        in an amount that covers each student's tuition and fees at the 
        institution and provides the student with an additional 
        stipend;
            (3) require each scholarship recipient, as a condition of 
        receiving a scholarship under the program, to enter into an 
        agreement under which the recipient agrees to work in the 
        cybersecurity mission of a Federal, State, local, or tribal 
        agency for a period equal to the length of the scholarship 
        following receipt of the student's degree if offered employment 
        in that field by a Federal, State, local, or tribal agency;
            (4) provide a procedure by which the National Science 
        Foundation or a Federal agency may, consistent with regulations 
        of the Office of Personnel Management, request and fund 
        security clearances for scholarship recipients, including 
        providing for clearances during summer internships and after 
        the recipient receives the degree; and
            (5) provide opportunities for students to receive temporary 
        appointments for meaningful employment in the cybersecurity 
        mission of a Federal agency during school vacation periods and 
        for internships.
    (c) Hiring Authority.--
            (1) In general.--For purposes of any law or regulation 
        governing the appointment of individuals in the Federal civil 
        service, upon receiving a degree for which an individual 
        received a scholarship under this section, the individual shall 
        be--
                    (A) hired under the authority provided for in 
                section 213.3102(r) of title 5, Code of Federal 
                Regulations; and
                    (B) exempt from competitive service.
            (2) Competitive service position.--Upon satisfactory 
        fulfillment of the service term of an individual hired under 
        paragraph (1), the individual may be converted to a competitive 
        service position without competition if the individual meets 
        the requirements for that position.
    (d) Eligibility.--To be eligible to receive a scholarship under 
this section, an individual shall--
            (1) be a citizen or lawful permanent resident of the United 
        States;
            (2) demonstrate a commitment to a career in improving the 
        security of information infrastructure; and
            (3) have demonstrated a high level of proficiency in 
        mathematics, engineering, or computer sciences.
    (e) Repayment.--If a recipient of a scholarship under this section 
does not meet the terms of the scholarship program, the recipient shall 
refund the scholarship payments in accordance with rules established by 
the Director of the National Science Foundation, in coordination with 
the Secretary.
    (f) Evaluation and Report.--The Director of the National Science 
Foundation shall evaluate and report periodically to Congress on the 
success of recruiting individuals for the scholarships and on hiring 
and retaining those individuals in the public sector workforce.

SEC. 405. ASSESSMENT OF CYBERSECURITY FEDERAL WORKFORCE.

    (a) In General.--The Director of the Office of Personnel Management 
and the Secretary, in coordination with the Director of National 
Intelligence, the Secretary of Defense, and the Chief Information 
Officers Council established under section 3603 of title 44, United 
States Code, shall assess the readiness and capacity of the Federal 
workforce to meet the needs of the cybersecurity mission of the Federal 
Government.
    (b) Strategy.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Office of Personnel 
        Management, in consultation with the Director of the National 
        Center for Cybersecurity and Communications and the Director of 
        the Office of Management and Budget, shall develop a 
        comprehensive workforce strategy that enhances the readiness, 
        capacity, training, and recruitment and retention of 
        cybersecurity personnel of the Federal Government.
            (2) Contents.--The strategy developed under paragraph (1) 
        shall include--
                    (A) a 5-year plan on recruitment of personnel for 
                the Federal workforce; and
                    (B) a 10-year projection of Federal workforce 
                needs.
    (c) Updates.--The Director of the Office of Personnel Management, 
in consultation with the Director of the National Center for 
Cybersecurity and Communications and the Director of the Office of 
Management and Budget, shall update the strategy developed under 
subsection (b) as needed.

SEC. 406. FEDERAL CYBERSECURITY OCCUPATION CLASSIFICATIONS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director of the Office of Personnel Management, in 
coordination with the Director of the National Center for Cybersecurity 
and Communications, shall develop and issue comprehensive occupation 
classifications for Federal employees engaged in cybersecurity 
missions.
    (b) Applicability of Classifications.--The Director of the Office 
of Personnel Management shall ensure that the comprehensive occupation 
classifications issued under subsection (a) may be used throughout the 
Federal Government.

SEC. 407. TRAINING AND EDUCATION.

    (a) Definition.--In this section, the term ``agency information 
infrastructure'' means the Federal information infrastructure of a 
Federal agency.
    (b) Training.--
            (1) Federal government employees and federal contractors.--
        The Director of the Office of Personnel Management, in 
        coordination with the Secretary, the Director of National 
        Intelligence, the Secretary of Defense, and the Chief 
        Information Officers Council established under section 3603 of 
        title 44, United States Code, shall establish a cybersecurity 
        awareness and education curriculum that shall be required for 
        all Federal employees and contractors engaged in the design, 
        development, or operation of an agency information 
        infrastructure or the Federal information infrastructure.
            (2) Contents.--The curriculum established under paragraph 
        (1) shall include, at a minimum--
                    (A) role-based security awareness training;
                    (B) recommended cybersecurity practices;
                    (C) cybersecurity recommendations for traveling 
                abroad;
                    (D) unclassified counterintelligence information;
                    (E) information regarding industrial espionage;
                    (F) information regarding malicious activity 
                online;
                    (G) information regarding cybersecurity and law 
                enforcement;
                    (H) identity management information;
                    (I) information regarding supply chain security;
                    (J) information security risks associated with the 
                activities of Federal employees and contractors; and
                    (K) the responsibilities of Federal employees and 
                contractors in complying with policies and procedures 
                designed to reduce information security risks 
                identified under subparagraph (J).
            (3) Federal cybersecurity professionals.--The Director of 
        the Office of Personnel Management in conjunction with the 
        Secretary, the Director of National Intelligence, the Secretary 
        of Defense, the Director of the Office of Management and 
        Budget, and, as appropriate, colleges, universities, and 
        nonprofit organizations with cybersecurity training expertise, 
        shall develop a program to provide training to improve and 
        enhance the skills and capabilities of Federal employees 
        engaged in the cybersecurity mission, including training 
        specific to the acquisition workforce.
            (4) Heads of federal agencies.--Not later than 30 days 
        after the date on which an individual is appointed to a 
        position at level I or II of the Executive Schedule, the 
        Secretary and the Director of National Intelligence shall 
        provide that individual with a cybersecurity threat briefing.
            (5) Certification.--The head of each Federal agency shall 
        include in the annual report required under section 3554(c) of 
        title 44, United States Code, as amended by this Act, a 
        certification regarding whether all employees and contractors 
        of the Federal agency have completed the training required 
        under this subsection.
    (c) Education.--
            (1) Federal employees.--The Director of the Office of 
        Personnel Management, in coordination with the Secretary of 
        Education, the Director of the National Science Foundation, and 
        the Director of the National Center for Cybersecurity and 
        Communications, shall develop and implement a strategy to 
        provide Federal employees who work in cybersecurity missions 
        with the opportunity to obtain additional education.
            (2) K through 12 education.--The Secretary of Education, in 
        coordination with the Director of the National Center for 
        Cybersecurity and Communications and State and local 
        governments, shall develop model curriculum standards, 
        guidelines, and recommended courses to address cyber safety, 
        cybersecurity, and cyber ethics for students in kindergarten 
        through grade 12.
            (3) Institutions of higher education and career and 
        technical institutions.--
                    (A) Secretary of education.--The Secretary of 
                Education, in coordination with the Secretary, and 
                after consultation with appropriate private entities, 
                shall--
                            (i) develop model curriculum standards and 
                        guidelines to address cyber safety, 
                        cybersecurity, and cyber ethics for all 
                        students enrolled in institutions of higher 
                        education, and all students enrolled in career 
                        and technical institutions, in the United 
                        States; and
                            (ii) analyze and develop recommended 
                        courses for students interested in pursuing 
                        careers in information technology, 
                        communications, computer science, engineering, 
                        mathematics, and science, as those subjects 
                        relate to cybersecurity.
                    (B) Office of personnel management.--The Director 
                of the Office of Personnel Management, in coordination 
                with the Director of the National Center for 
                Cybersecurity and Communications, shall develop 
                strategies and programs--
                            (i) to recruit students enrolled in 
                        institutions of higher education, and students 
                        enrolled in career and technical institutions 
                        in the United States to serve as Federal 
                        employees engaged in cybersecurity missions; 
                        and
                            (ii) that provide internship and part-time 
                        work opportunities with the Federal Government 
                        for students enrolled in institutions of higher 
                        education and career and technical institutions 
                        in the United States.

SEC. 408. CYBERSECURITY INCENTIVES.

    The head of each Federal agency shall adopt best practices, 
developed by the Office of Personnel Management, regarding effective 
ways to educate and motivate employees of the Federal Government to 
demonstrate leadership in cybersecurity, including--
            (1) promotions and other nonmonetary awards; and
            (2) publicizing information sharing accomplishments by 
        individual employees and, if appropriate, the tangible benefits 
        that resulted.

                   TITLE V--RESEARCH AND DEVELOPMENT

SEC. 501. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

    (a) Fundamental Cybersecurity Research.--The Director of the Office 
of Science and Technology Policy (referred to in this section as the 
``Director''), in coordination with the Secretary and the head of any 
relevant Federal agency, shall develop a national cybersecurity 
research and development plan.
    (b) Requirements.--The plan required to be developed under 
subsection (a) shall encourage computer and information science and 
engineering research to meet challenges in cybersecurity, including--
            (1) how to design and build complex software-intensive 
        systems that are secure and reliable when first deployed;
            (2) how to test and verify that software, whether developed 
        locally or obtained from a third party, is free of significant 
        known security flaws;
            (3) how to test and verify that software obtained from a 
        third party correctly implements stated functionality, and only 
        that functionality;
            (4) how to guarantee the privacy of the identity, 
        information, or lawful transactions of an individual when 
        stored in distributed systems or transmitted over networks;
            (5) how to build new protocols to enable the Internet to 
        have robust security as one of the key capabilities of the 
        Internet;
            (6) how to determine the origin of a message transmitted 
        over the Internet;
            (7) how to support privacy in conjunction with improved 
        security;
            (8) how to address the growing problem of insider threat; 
        and
            (9) how improved consumer education and digital literacy 
        initiatives can address human factors that contribute to 
        cybersecurity.
    (c) Secure Coding Research.--The Director shall support research--
            (1) that evaluates selected secure coding education and 
        improvement programs; and
            (2) of new methods of integrating secure coding improvement 
        into the core curriculum of computer science programs and of 
        other programs where graduates of such programs have a 
        substantial probability of developing software after 
        graduation.
    (d) Assessment of Secure Coding Education in Colleges and 
Universities.--
            (1) Report.--Not later than 1 year after the date of 
        enactment of this Act, the Director shall submit to the 
        Committee on Commerce, Science, and Transportation of the 
        Senate and the Committee on Science and Technology of the House 
        of Representatives a report on the state of secure coding 
        education in institutions of higher education of the United 
        States for each institution that received National Science 
        Foundation funding in excess of $1,000,000 during fiscal year 
        2011.
            (2) Contents of report.--The report required under 
        paragraph (1) shall include--
                    (A) the number of students who earned baccalaureate 
                degrees in computer science or in each other program 
                where graduates have a substantial probability of being 
                engaged in software design or development after 
                graduation;
                    (B) the percentage of the students described in 
                subparagraph (A) who completed substantive secure 
                coding education or improvement programs during their 
                undergraduate experience; and
                    (C) descriptions of the length and content of the 
                education and improvement programs and an evaluation of 
                the effectiveness of those programs based on the 
                students' scores on standard tests of secure coding and 
                design skills.
    (e) Cybersecurity Modeling and Test Beds.--
            (1) Review.--Not later than 1 year after the date of 
        enactment of this Act, the Director shall conduct a review of 
        cybersecurity test beds in existence on the date of enactment 
        of this Act.
            (2) Establishment of program.--
                    (A) In general.--Based on the results of the review 
                conducted under paragraph (1), the Director shall 
                establish a program to award grants to institutions of 
                higher education to establish cybersecurity test beds 
                capable of realistic modeling of real-time cyber 
                attacks and defenses.
                    (B) Requirement.--The test beds established under 
                subparagraph (A) shall be sufficiently large in order 
                to model the scale and complexity of real world 
                networks and environments.
            (3) Purpose.--The purpose of the program established under 
        paragraph (2) shall be to support the rapid development of new 
        cybersecurity defenses, techniques, and processes by improving 
        understanding and assessing the latest technologies in a real-
        world environment.
    (f) Coordination With Other Research Initiatives.--The Director 
shall--
            (1) ensure that the research and development program 
        carried out under this section is consistent with any strategy 
        to increase the security and resilience of cyberspace; and
            (2) to the extent practicable, coordinate research and 
        development activities with other ongoing research and 
        development security-related initiatives, including research 
        being conducted by--
                    (A) the National Institute of Standards and 
                Technology;
                    (B) the Department;
                    (C) the National Academy of Sciences;
                    (D) other Federal agencies;
                    (E) other Federal and private research 
                laboratories, research entities, and universities and 
                institutions of higher education, and relevant 
                nonprofit organizations; and
                    (F) international partners of the United States.
    (g) NSF Computer and Network Security Research Grant Areas.--
Section 4(a)(1) of the Cyber Security Research and Development Act (15 
U.S.C. 7403(a)(1)) is amended--
            (1) in subparagraph (H), by striking ``and'' at the end;
            (2) in subparagraph (I), by striking the period at the end 
        and inserting a semicolon; and
            (3) by adding at the end the following:
                    ``(J) secure fundamental protocols that are at the 
                heart of inter-network communications and data 
                exchange;
                    ``(K) secure software engineering and software 
                assurance, including--
                            ``(i) programming languages and systems 
                        that include fundamental security features;
                            ``(ii) portable or reusable code that 
                        remains secure when deployed in various 
                        environments;
                            ``(iii) verification and validation 
                        technologies to ensure that requirements and 
                        specifications have been implemented; and
                            ``(iv) models for comparison and metrics to 
                        assure that required standards have been met;
                    ``(L) holistic system security that--
                            ``(i) addresses the building of secure 
                        systems from trusted and untrusted components;
                            ``(ii) proactively reduces vulnerabilities;
                            ``(iii) addresses insider threats; and
                            ``(iv) supports privacy in conjunction with 
                        improved security;
                    ``(M) monitoring and detection; and
                    ``(N) mitigation and rapid recovery methods.''.
    (h) Cybersecurity Faculty Development Traineeship Program.--Section 
5(e)(9) of the Cyber Security Research and Development Act (15 U.S.C. 
7404(e)(9)) is amended by striking ``2003 through 2007'' and inserting 
``2012 through 2014''.
    (i) Networking and Information Technology Research and Development 
Program.--Section 204(a)(1) of the High-Performance Computing Act of 
1991 (15 U.S.C. 5524(a)(1)) is amended--
            (1) in subparagraph (B), by striking ``and'' at the end; 
        and
            (2) by adding at the end the following:
                    ``(D) develop and propose standards and guidelines, 
                and develop measurement techniques and test methods, 
                for enhanced cybersecurity for computer networks and 
                common user interfaces to systems; and''.

SEC. 502. HOMELAND SECURITY CYBERSECURITY RESEARCH AND DEVELOPMENT.

    Subtitle D of title II of the Homeland Security Act of 2002 (6 
U.S.C. 161 et seq.) is amended by adding at the end the following:

``SEC. 238. CYBERSECURITY RESEARCH AND DEVELOPMENT.

    ``(a) Establishment of Research and Development Program.--The Under 
Secretary for Science and Technology, in coordination with the Director 
of the National Center for Cybersecurity and Communications, shall 
carry out a research and development program for the purpose of 
improving the security of information infrastructure.
    ``(b) Eligible Projects.--The research and development program 
carried out under subsection (a) may include projects to--
            ``(1) advance the development and accelerate the deployment 
        of more secure versions of fundamental Internet protocols and 
        architectures, including for the secure domain name addressing 
        system and routing security;
            ``(2) improve and create technologies for detecting and 
        analyzing attacks or intrusions, including analysis of 
        malicious software;
            ``(3) improve and create mitigation and recovery 
        methodologies, including techniques for containment of attacks 
        and development of resilient networks and systems;
            ``(4) develop and support infrastructure and tools to 
        support cybersecurity research and development efforts, 
        including modeling, test beds, and data sets for assessment of 
        new cybersecurity technologies;
            ``(5) assist the development and support of technologies to 
        reduce vulnerabilities in process control systems;
            ``(6) understand human behavioral factors that can affect 
        cybersecurity technology and practices;
            ``(7) test, evaluate, and facilitate, with appropriate 
        protections for any proprietary information concerning the 
        technologies, the transfer of technologies associated with the 
        engineering of less vulnerable software and securing the 
        information technology software development lifecycle;
            ``(8) assist the development of identity management and 
        attribution technologies;
            ``(9) assist the development of technologies designed to 
        increase the security and resiliency of telecommunications 
        networks;
            ``(10) advance the protection of privacy and civil 
        liberties in cybersecurity technology and practices; and
            ``(11) address other risks identified by the Director of 
        the National Center for Cybersecurity and Communications.
    ``(c) Coordination With Other Research Initiatives.--The Under 
Secretary for Science and Technology--
            ``(1) shall ensure that the research and development 
        program carried out under subsection (a) is consistent with any 
        strategy to increase the security and resilience of cyberspace;
            ``(2) shall, to the extent practicable, coordinate the 
        research and development activities of the Department with 
        other ongoing research and development security-related 
        initiatives, including research being conducted by--
                    ``(A) the National Institute of Standards and 
                Technology;
                    ``(B) the National Science Foundation;
                    ``(C) the National Academy of Sciences;
                    ``(D) other Federal agencies;
                    ``(E) other Federal and private research 
                laboratories, research entities, and universities and 
                institutions of higher education, and relevant 
                nonprofit organizations; and
                    ``(F) international partners of the United States;
            ``(3) shall carry out any research and development project 
        under subsection (a) through a reimbursable agreement with an 
        appropriate Federal agency, if the Federal agency--
                    ``(A) is sponsoring a research and development 
                project in a similar area; or
                    ``(B) has a unique facility or capability that 
                would be useful in carrying out the project;
            ``(4) may make grants to, or enter into cooperative 
        agreements, contracts, other transactions, or reimbursable 
        agreements with, the entities described in paragraph (2); and
            ``(5) shall submit a report to the appropriate committees 
        of Congress on a review of the cybersecurity activities, and 
        the capacity, of the national laboratories and other research 
        entities available to the Department to determine if the 
        establishment of a national laboratory dedicated to 
        cybersecurity research and development is necessary.''.

         TITLE VI--FEDERAL ACQUISITION RISK MANAGEMENT STRATEGY

SEC. 601. FEDERAL ACQUISITION RISK MANAGEMENT STRATEGY.

    (a) In General.--The Secretary, in coordination with relevant 
private sector and academic experts and each Federal entity described 
in paragraphs (1) through (9) of subsection (b), shall develop and 
periodically update an acquisition risk management strategy designed to 
ensure, based on mission criticality and cost effectiveness, the 
security of the Federal information infrastructure.
    (b) Coordination.--In developing the acquisition risk management 
strategy required under subsection (a), the Secretary shall coordinate 
with--
            (1) the Secretary of Defense;
            (2) the Secretary of Commerce;
            (3) the Secretary of State;
            (4) the Director of National Intelligence;
            (5) the Administrator of General Services;
            (6) the Administrator for Federal Procurement Policy;
            (7) the members of the Chief Information Officers Council 
        established under section 3603 of title 44, United States Code;
            (8) the Chief Acquisition Officers Council established 
        under section 1311 of title 41, United States Code; and
            (9) the Chief Financial Officers Council established under 
        section 302 of the Chief Financial Officers Act of 1990 (31 
        U.S.C. 901 note).
    (c) Elements.--The risk management strategy developed under 
subsection (a) shall--
            (1) address risks in the acquisition of any part of the 
        Federal information infrastructure; and
            (2) include developing processes that--
                    (A) incorporate all-source intelligence analysis 
                into assessments of the integrity of the supply chain 
                for the Federal information infrastructure;
                    (B) incorporate internationally recognized 
                standards, guidelines, and best practices, including 
                those developed by the private sector, for supply chain 
                integrity;
                    (C) enhance capabilities to test and evaluate 
                software and hardware within or for use in the Federal 
                information infrastructure, and, where appropriate, 
                make the capabilities available for use by the private 
                sector;
                    (D) protect the intellectual property and trade 
                secrets of suppliers of information and communications 
                technology products and services;
                    (E) share with the private sector, to the fullest 
                extent possible, the risks identified in the supply 
                chain and work with the private sector to mitigate 
                those threats as identified;
                    (F) identify specific acquisition practices of 
                Federal agencies that increase risks to the supply 
                chain and develop a process to provide recommendations 
                for revisions to those processes; and
                    (G) to the maximum extent practicable, promote the 
                ability of Federal agencies to procure authentic 
                commercial off-the-shelf information and communications 
                technology products and services from a diverse pool of 
                suppliers, consistent with the preferences for the 
                acquisition of commercial items under section 2377 of 
                title 10, United States Code, and section 3307 of title 
                41, United States Code.

SEC. 602. AMENDMENTS TO CLINGER-COHEN PROVISIONS TO ENHANCE AGENCY 
              PLANNING FOR INFORMATION SECURITY NEEDS.

    Chapter 113 of title 40, United States Code, is amended--
            (1) in section 11302--
                    (A) in subsection (f), by striking ``technology.'' 
                and inserting ``technology, including information 
                technology or network information security 
                requirements.'';
                    (B) in subsection (i)--
                            (i) by inserting ``, including information 
                        security requirements,'' after ``information 
                        resources management''; and
                            (ii) by adding at the end the following: 
                        ``The Administrator for Federal Procurement 
                        Policy, in coordination with the Chief 
                        Information Officers Council and the Federal 
                        Acquisition Institute, shall ensure that 
                        contracting officers and the individuals 
                        preparing descriptions of the Government 
                        requirements and statements of work have 
                        adequate training in information security 
                        requirements, including in information 
                        technology security contracts.'';
                    (C) in subsection (j), by adding at the end the 
                following: ``The Director shall review and report on 
                possible impediments in the acquisition process or 
                elsewhere that are acting to slow agency uptake of the 
                newest, most secure technologies.''; and
                    (D) by adding at the end the following:
    ``(l) Multiple Award Schedule for Information Security.--The 
Administrator of General Services shall develop a special item number 
under Schedule 70 for information security products and services and 
consolidate those products and services under that special item number 
to promote acquisition.
    ``(m) Reducing the Use of Counterfeit Products.--Not later than 180 
days after the date of enactment of the Cybersecurity Act of 2012, the 
Director shall issue guidance requiring, to the extent practicable, 
Federal agencies to purchase information technology products only 
through the authorized channels or distributors of a supplier.''; and
            (2) in section 11312(b)(3), by inserting ``, information 
        security improvement,'' after ``risk-adjusted return on 
        investment''.

                     TITLE VII--INFORMATION SHARING

SEC. 701. AFFIRMATIVE AUTHORITY TO MONITOR AND DEFEND AGAINST 
              CYBERSECURITY THREATS.

    Notwithstanding chapter 119, 121, or 206 of title 18, United States 
Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 
et seq.), and the Communications Act of 1934 (47 U.S.C. 151 et seq.), 
any private entity may--
            (1) monitor information systems of the entity and 
        information that is stored on, processed by, or transiting the 
        information systems for cybersecurity threats;
            (2) monitor a third party's information systems and 
        information that is stored on, processed by, or transiting the 
        information systems for cybersecurity threats, if the third 
        party lawfully authorizes the monitoring;
            (3) operate countermeasures on information systems of the 
        entity to protect the information systems and information that 
        is stored on, processed by, or transiting the information 
        systems; and
            (4) operate countermeasures on a third party's information 
        systems to protect the third party's information systems and 
        information that is stored on, processed by, or transiting the 
        information systems, if the third party lawfully authorizes the 
        countermeasures.

SEC. 702. VOLUNTARY DISCLOSURE OF CYBERSECURITY THREAT INDICATORS AMONG 
              PRIVATE ENTITIES.

    (a) Authority to Disclose.--Notwithstanding any other provision of 
law, any private entity may disclose lawfully obtained cybersecurity 
threat indicators to any other private entity.
    (b) Use and Protection of Information.--A private entity disclosing 
or receiving cybersecurity threat indicators under subsection (a)--
            (1) shall make reasonable efforts to safeguard 
        communications, records, system traffic, or other information 
        that can be used to identify specific persons from unauthorized 
        access or acquisition;
            (2) shall comply with any lawful restrictions placed on the 
        disclosure or use of cybersecurity threat indicators by the 
        disclosing entity, including, if requested, the removal of 
        information that can be used to identify specific persons from 
        such indicators;
            (3) may not use the cybersecurity threat indicators to gain 
        an unfair competitive advantage to the detriment of the entity 
        that authorized such sharing; and
            (4) may only use, retain, or further disclose the 
        cybersecurity threat indicators for the purpose of protecting 
        an information system or information that is stored on, 
        processed by, or transiting an information system from 
        cybersecurity threats or mitigating the threats.

SEC. 703. CYBERSECURITY EXCHANGES.

    (a) Designation of Cybersecurity Exchanges.--The Secretary, in 
consultation with the Director of National Intelligence, the Attorney 
General, and the Secretary of Defense, shall establish--
            (1) a process for designating appropriate Federal entities 
        (such as 1 or more Federal cybersecurity centers) and non-
        Federal entities as cybersecurity exchanges;
            (2) procedures to facilitate and encourage the sharing of 
        classified and unclassified cybersecurity threat indicators 
        with designated cybersecurity exchanges and other appropriate 
        Federal entities and non-Federal entities; and
            (3) a process for identifying certified entities authorized 
        to receive classified cybersecurity threat indicators in 
        accordance with paragraph (2).
    (b) Purpose.--The purpose of a cybersecurity exchange is to 
efficiently receive and distribute cybersecurity threat indicators in 
accordance with this title.
    (c) Requirement for a Lead Federal Cybersecurity Exchange.--
            (1) In general.--The Secretary, in consultation with the 
        Director of National Intelligence, the Attorney General, and 
        the Secretary of Defense, shall designate a Federal entity as 
        the lead cybersecurity exchange to serve as the focal point 
        within the Federal Government for cybersecurity information 
        sharing among Federal entities and with non-Federal entities.
            (2) Responsibilities.--The lead cybersecurity exchange 
        designated under paragraph (1) shall--
                    (A) receive and distribute cybersecurity threat 
                indicators in accordance with this title;
                    (B) facilitate information sharing, interaction, 
                and collaboration among and between--
                            (i) Federal entities;
                            (ii) State, local, tribal, and territorial 
                        governments;
                            (iii) private entities;
                            (iv) academia;
                            (v) international partners, in consultation 
                        with the Secretary of State; and
                            (vi) other cybersecurity exchanges;
                    (C) disseminate timely and actionable cybersecurity 
                threat, vulnerability, mitigation, and warning 
                information, including alerts, advisories, indicators, 
                signatures, and mitigation and response measures, to 
                improve the security and protection of information 
                systems;
                    (D) coordinate with other Federal and non-Federal 
                entities, as appropriate, to integrate information from 
                Federal and non-Federal entities, including Federal 
                cybersecurity centers, non-Federal network or security 
                operation centers, other cybersecurity exchanges, and 
                non-Federal entities that disclose cybersecurity threat 
                indicators under section 704(a) to provide situational 
                awareness of the United States information security 
                posture and foster information security collaboration 
                among information system owners and operators;
                    (E) conduct, in consultation with private entities 
                and relevant Federal and other governmental entities, 
                regular assessments of existing and proposed 
                information sharing models to eliminate bureaucratic 
                obstacles to information sharing and identify best 
                practices for such information sharing; and
                    (F) coordinate with other Federal entities, as 
                appropriate, to compile and analyze information about 
                risks and incidents that threaten information systems, 
                including information voluntarily submitted in 
                accordance with section 704(a) or otherwise in 
                accordance with applicable laws.
            (3) Schedule for designation.--
                    (A) Initial designation.--Not later than 60 days 
                after the date of enactment of this Act, the Secretary 
                shall designate a lead cybersecurity exchange under 
                paragraph (1).
                    (B) Interim designation.--The National 
                Cybersecurity and Communications Integration Center of 
                the Department shall serve as the interim lead 
                cybersecurity exchange until the Secretary designates a 
                lead cybersecurity exchange under paragraph (1).
    (d) Additional Federal Cybersecurity Exchanges.--In accordance with 
the process and procedures established under subsection (a), the 
Secretary, in consultation with the Director of National Intelligence, 
the Attorney General, and the Secretary of Defense, may designate 
additional existing Federal entities as cybersecurity exchanges, if the 
cybersecurity exchanges are subject to the requirements for use, 
retention, and disclosure of information by a cybersecurity exchange 
under section 704(b) and the special requirements for Federal entities 
under section 704(g).
    (e) Requirements for Non-Federal Cybersecurity Exchanges.--
            (1) In general.--In considering whether to designate a non-
        Federal entity as a cybersecurity exchange to receive 
        cybersecurity threat indicators under section 704(a), and what 
        entity to designate, the Secretary shall consider the following 
        factors:
                    (A) The net effect that an additional cybersecurity 
                exchange would have on the overall cybersecurity of the 
                United States.
                    (B) Whether the designation could substantially 
                improve the overall cybersecurity of the United States 
                by serving as a hub for receiving and sharing 
                cybersecurity threat indicators, including the capacity 
                of the non-Federal entity for performing those 
                functions.
                    (C) The capacity of the non-Federal entity to 
                safeguard cybersecurity threat indicators from 
                unauthorized disclosure and use.
                    (D) The adequacy of the policies and procedures of 
                the non-Federal entity to protect personally 
                identifiable information from unauthorized disclosure 
                and use.
                    (E) The ability of the non-Federal entity to 
                sustain operations using entirely non-Federal sources 
                of funding.
            (2) Regulations.--The Secretary may promulgate regulations 
        as may be necessary to carry out this subsection.
    (f) Construction With Other Authorities.--Nothing in this section 
may be construed to alter the authorities of a Federal cybersecurity 
center, unless such cybersecurity center is acting in its capacity as a 
designated cybersecurity exchange.
    (g) No New Bureaucracies.--Nothing in this section may be construed 
to authorize additional layers of Federal bureaucracy for the receipt 
and disclosure of cybersecurity threat indicators.
    (h) Report on Designation of Cybersecurity Exchange.--Not later 
than 90 days after the date on which the Secretary designates the 
initial cybersecurity exchange under this section, the Secretary, the 
Director of National Intelligence, the Attorney General, and the 
Secretary of Defense shall jointly submit to Congress a written report 
that--
            (1) describes the processes established to designate 
        cybersecurity exchanges under subsection (a);
            (2) summarizes the policies and procedures established 
        under section 704(g); and
            (3) if the Secretary has not designated any non-Federal 
        entities as a cybersecurity exchange, provides recommendations 
        concerning the advisability of designating non-Federal entities 
        as cybersecurity exchanges.

SEC. 704. VOLUNTARY DISCLOSURE OF CYBERSECURITY THREAT INDICATORS TO A 
              CYBERSECURITY EXCHANGE.

    (a) Authority to Disclose.--Notwithstanding any other provision of 
law, a non-Federal entity may disclose lawfully obtained cybersecurity 
threat indicators to a cybersecurity exchange.
    (b) Use, Retention, and Disclosure of Information by a 
Cybersecurity Exchange.--Except as provided in subsection (g), a 
cybersecurity exchange may only use, retain, or further disclose 
information provided under subsection (a) in order to protect 
information systems from cybersecurity threats or mitigate 
cybersecurity threats.
    (c) Use and Protection of Information Received From a Cybersecurity 
Exchange.--A non-Federal entity receiving cybersecurity threat 
indicators from a cybersecurity exchange--
            (1) shall make reasonable efforts to safeguard 
        communications, records, system traffic, and other information 
        that can be used to identify specific persons from unauthorized 
        access or acquisition;
            (2) shall comply with any lawful restrictions placed on the 
        disclosure or use of cybersecurity threat indicators by the 
        cybersecurity exchange or a third party, if the cybersecurity 
        exchange received the information from the third party, 
        including, if requested, the removal of information that can be 
        used to identify specific persons from the indicators;
            (3) may not use the cybersecurity threat indicators to gain 
        an unfair competitive advantage to the detriment of the third 
        party that authorized the sharing; and
            (4) may only use, retain, or further disclose the 
        cybersecurity threat indicators for the purpose of protecting 
        an information system or information that is stored on, 
        processed by, or transiting an information system from 
        cybersecurity threats or mitigating such threats.
    (d) Exemption From Public Disclosure.--Any cybersecurity threat 
indicator disclosed by a non-Federal entity to a cybersecurity exchange 
under subsection (a) shall be--
            (1) exempt from disclosure under section 552(b)(3) of title 
        5, United States Code, or any comparable State law; and
            (2) treated as voluntarily shared information under section 
        552 of title 5, United States Code, or any comparable State 
        law.
    (e) Exemption From Ex Parte Limitations.--Any cybersecurity threat 
indicator disclosed by a non-Federal entity to a cybersecurity exchange 
under subsection (a) shall not be subject to the rules of any 
governmental entity or judicial doctrine regarding ex parte 
communications with a decision making official.
    (f) Exemption From Waiver of Privilege.--Any cybersecurity threat 
indicator disclosed by a non-Federal entity to a cybersecurity exchange 
under subsection (a) may not be construed to be a waiver of any 
applicable privilege or protection provided under Federal, State, 
tribal, or territorial law, including any trade secret protection.
    (g) Special Requirements for Federal Entities.--
            (1) Permitted disclosures.--Notwithstanding any other 
        provision of law and consistent with the requirements of this 
        subsection, a Federal entity that lawfully intercepts, 
        acquires, or otherwise obtains or possesses any communication, 
        record, or other information from its electronic communications 
        system, may disclose that communication, record, or other 
        information if--
                    (A) the disclosure is made for the purpose of--
                            (i) protecting the information system of a 
                        Federal entity from cybersecurity threats; or
                            (ii) mitigating cybersecurity threats to--
                                    (I) another component, officer, 
                                employee, or agent of the Federal 
                                entity with cybersecurity 
                                responsibilities;
                                    (II) any cybersecurity exchange; or
                                    (III) a private entity that is 
                                acting as a provider of electronic 
                                communication services, remote 
                                computing service, or cybersecurity 
                                services to a Federal entity; and
                    (B) the recipient of the communication, record, or 
                other information agrees to comply with the Federal 
                entity's lawful requirements regarding the protection 
                and further disclosure of the information, except to 
                the extent the requirements are inconsistent with the 
                policies and procedures developed by the Secretary and 
                approved by the Attorney General under paragraph (4).
            (2) Disclosure to law enforcement.--A cybersecurity 
        exchange that is a Federal entity may disclose cybersecurity 
        threat indicators received under subsection (a) to a law 
        enforcement entity if--
                    (A) the information appears to relate to a crime 
                which has been, is being, or is about to be committed; 
                and
                    (B) the disclosure is permitted under the 
                procedures developed by the Secretary and approved by 
                the Attorney General under paragraph (4).
            (3) Further disclosure and use of information by a federal 
        entity.--
                    (A) Authority to receive cybersecurity threat 
                indicators.--A Federal entity that is not a 
                cybersecurity exchange may receive cybersecurity threat 
                indicators from a cybersecurity exchange under section 
                703, but shall only use or retain the cybersecurity 
                threat indicators in a manner that is consistent with 
                this subsection in order--
                            (i) to protect information systems from 
                        cybersecurity threats and to mitigate 
                        cybersecurity threats; or
                            (ii) to disclose the cybersecurity threat 
                        indicators to a law enforcement agency under 
                        paragraph (2).
                    (B) Authority to use cybersecurity threat 
                indicators.--A Federal entity that is not a 
                cybersecurity exchange shall ensure, by written 
                agreement, that when disclosing cybersecurity threat 
                indicators to a non-Federal entity under this section, 
                the non-Federal entity shall use or retain the 
                cybersecurity threat indicators in a manner that is 
                consistent with the requirements under section 702(b) 
                on the use and protection of information and paragraph 
                (2) of this subsection.
            (4) Privacy and civil liberties.--
                    (A) Requirement for policies and procedures.--In 
                consultation with privacy and civil liberties experts, 
                the Director of National Intelligence, and the 
                Secretary of Defense, the Secretary shall develop and 
                periodically review policies and procedures governing 
                the receipt, retention, use, and disclosure of 
                cybersecurity threat indicators by a Federal entity 
                obtained in connection with activities authorized under 
                this title, which shall--
                            (i) minimize the impact on privacy and 
                        civil liberties, consistent with the need to 
                        protect information systems from cybersecurity 
                        threats and mitigate cybersecurity threats;
                            (ii) reasonably limit the receipt, 
                        retention, use and disclosure of cybersecurity 
                        threat indicators associated with specific 
                        persons consistent with the need to carry out 
                        the responsibilities of this title, including 
                        establishing a process for the timely 
                        destruction of cybersecurity threat indicators 
                        that are received under this section that do 
                        not reasonably appear to be related to 
                        protecting information systems from 
                        cybersecurity threats and mitigating 
                        cybersecurity threats, unless the indicators 
                        appear to relate to a crime which has been, is 
                        being, or is about to be committed;
                            (iii) include requirements to safeguard 
                        cybersecurity threat indicators that can be 
                        used to identify specific persons from 
                        unauthorized access or acquisition; and
                            (iv) protect the confidentiality of 
                        cybersecurity threat indicators associated with 
                        specific persons to the greatest extent 
                        practicable and require recipients to be 
                        informed that such indicators may only be used 
                        for protecting information systems against 
                        cybersecurity threats, mitigating against 
                        cybersecurity threats, or disclosed to law 
                        enforcement under paragraph (2).
                    (B) Adoption of policies and procedures.--The head 
                of a Federal agency responsible for a Federal entity 
                designated as a cybersecurity exchange under section 
                703 shall adopt and comply with the policies and 
                procedures developed under this subsection.
                    (C) Review by the attorney general.--Not later than 
                1 year after the date of the enactment of this Act, the 
                Attorney General shall review and approve policies and 
                procedures developed under this subsection.
                    (D) Provision to congress.--The policies and 
                procedures issued under this subsection and any 
                amendments to such policies and procedures shall be 
                provided to Congress.
            (5) Oversight.--
                    (A) Requirement for oversight.--The Secretary and 
                the Attorney General shall establish a mandatory 
                program to monitor and oversee compliance with the 
                policies and procedures issued under this subsection.
                    (B) Notification of the attorney general.--The head 
                of each Federal entity that receives information under 
                this title shall--
                            (i) comply with the policies and procedures 
                        developed by the Secretary and approved by the 
                        Attorney General under paragraph (4);
                            (ii) promptly notify the Attorney General 
                        of significant violations of the policies and 
                        procedures; and
                            (iii) provide the Attorney General with any 
                        information relevant to the violation that the 
                        Attorney General requires.
                    (C) Annual report.--On an annual basis, the Chief 
                Privacy and Civil Liberties Officer of the Department 
                of Justice and the Department of Homeland Security, in 
                consultation with the most senior privacy and civil 
                liberties officer or officers of any appropriate 
                agencies, shall jointly submit to Congress a report 
                assessing the privacy and civil liberties impact of the 
                activities of the Federal Government conducted under 
                this title.
            (6) Privacy and civil liberties oversight board.--Not later 
        than 2 years after the date of enactment of this Act, the 
        Privacy and Civil Liberties Oversight Board shall submit to 
        Congress and the President a report providing--
                    (A) an assessment of the privacy and civil 
                liberties impact of the activities carried out by the 
                Federal entities under this title; and
                    (B) recommendations for improvements to or 
                modifications of the law to address privacy and civil 
                liberties concerns.
            (7) Sanctions.--The heads of Federal entities shall develop 
        and enforce appropriate sanctions for officers, employees, or 
        agents of the Federal entities who conduct activities under 
        this title--
                    (A) outside the normal course of their specified 
                duties;
                    (B) in a manner inconsistent with the discharge of 
                the responsibilities of the Federal entities; or
                    (C) in contravention of the requirements, policies 
                and procedures required under this subsection.

SEC. 705. SHARING OF CLASSIFIED CYBERSECURITY THREAT INDICATORS.

    (a) Sharing of Classified Cybersecurity Threat Indicators.--The 
procedures established under section 703(a)(2) shall provide that 
classified cybersecurity threat indicators may only be--
            (1) shared with certified entities;
            (2) shared in a manner that is consistent with the need to 
        protect the national security of the United States;
            (3) shared with a person with an appropriate security 
        clearance to receive the cybersecurity threat indicators; and
            (4) used by a certified entity in a manner that protects 
        the cybersecurity threat indicators from unauthorized 
        disclosure.
    (b) Requirement for Guidelines.--Not later than 60 days after the 
date of enactment of this Act, the Director of National Intelligence 
shall issue guidelines providing that appropriate Federal officials 
may, as the Director considers necessary to carry out this title--
            (1) grant a security clearance on a temporary or permanent 
        basis to an employee of a certified entity;
            (2) grant a security clearance on a temporary or permanent 
        basis to a certified entity and approval to use appropriate 
        facilities; or
            (3) expedite the security clearance process for a certified 
        entity or employee of a certified entity, if appropriate, in a 
        manner consistent with the need to protect the national 
        security of the United States.
    (c) Distribution of Procedures and Guidelines.--Following the 
establishment of the procedures under section 703(a)(2) and the 
issuance of the guidelines under subsection (b), the Secretary and the 
Director of National Intelligence shall expeditiously distribute the 
procedures and guidelines to--
            (1) appropriate governmental entities and private entities;
            (2) the Committee on Armed Services, the Committee on 
        Commerce, Science, and Transportation, the Committee on 
        Homeland Security and Governmental Affairs, the Committee on 
        the Judiciary, and the Select Committee on Intelligence of the 
        Senate; and
            (3) the Committee on Armed Services, the Committee on 
        Energy and Commerce, the Committee on Homeland Security, the 
        Committee on the Judiciary, and the Permanent Select Committee 
        on Intelligence of the House of Representatives.

SEC. 706. LIMITATION ON LIABILITY AND GOOD FAITH DEFENSE FOR 
              CYBERSECURITY ACTIVITIES.

    (a) In General.--No civil or criminal cause of action shall lie or 
be maintained in any Federal or State court against any entity, and any 
such action shall be dismissed promptly, based on--
            (1) the cybersecurity monitoring activities authorized by 
        paragraphs (1) and (2) of section 701; or
            (2) the voluntary disclosure of a lawfully obtained 
        cybersecurity threat indicator--
                    (A) to a cybersecurity exchange under section 
                704(a);
                    (B) by a provider of cybersecurity services to a 
                customer of the provider;
                    (C) to a private entity or governmental entity that 
                provides or manages critical infrastructure; or
                    (D) to any other private entity under section 
                702(a), if the cybersecurity threat indicator is also 
                disclosed within a reasonable time to a cybersecurity 
                exchange.
    (b) Good Faith Defense.--If a civil or criminal cause of action is 
not barred under subsection (a), good faith reliance that this title 
permitted the conduct complained of is a complete defense against any 
civil or criminal action brought under this title or any other law.
    (c) Limitation on Use of Cybersecurity Threat Indicators for 
Regulatory Enforcement Actions.--No Federal entity may use a 
cybersecurity threat indicator received under this title as evidence in 
a regulatory enforcement action against the entity that lawfully shared 
the cybersecurity threat indicator with a cybersecurity exchange that 
is a Federal entity.
    (d) Delay of Notification Authorized for Law Enforcement or 
National Security Purposes.--No civil or criminal cause of action shall 
lie or be maintained in any Federal or State court against any entity, 
and any such action shall be dismissed promptly, for a failure to 
disclose a cybersecurity threat indicator if--
            (1) the Attorney General determines that disclosure of a 
        cybersecurity threat indicator would impede a civil or criminal 
        investigation and submits a written request to delay 
        notification for up to 30 days, except that the Attorney 
        General may, by a subsequent written request, revoke such delay 
        or extend the period of time set forth in the original request 
        made under this paragraph if further delay is necessary; or
            (2) the Secretary, the Attorney General, or the Director of 
        National Intelligence determines that disclosure of a 
        cybersecurity threat indicator would threaten national or 
        homeland security and submits a written request to delay 
        notification, except that the Secretary, the Attorney General 
        or the Director of National Intelligence may, by a subsequent 
        written request, revoke such delay or extend the period of time 
        set forth in the original request made under this paragraph if 
        further delay is necessary.
    (e) Limitation on Liability for Failure to Act.--No civil or 
criminal cause of action shall lie or be maintained in any Federal or 
State court against any private entity, or any officer, employee, or 
agent of such an entity, and any such action shall be dismissed 
promptly, for the reasonable failure to act on information received 
under this title.
    (f) Limitation on Protections.--Any person who knowingly and 
willfully violates restrictions under this title shall not receive the 
protections under this title.
    (g) Private Right of Action.--Nothing in this title may be 
construed to limit liability for a failure to comply with the 
requirements of section 702(b) and section 704(c) on the use and 
protection of information.
    (h) Defense for Breach of Contract.--Compliance with lawful 
restrictions placed on the disclosure or use of cybersecurity threat 
indicators is a complete defense to any tort or breach of contract 
claim originating in a failure to disclose cybersecurity threat 
indicators to a third party.

SEC. 707. CONSTRUCTION; FEDERAL PREEMPTION.

    (a) Construction.--Nothing in this title may be construed--
            (1) to permit the unauthorized disclosure of--
                    (A) information that has been determined by the 
                Federal Government pursuant to an Executive Order or 
                statute to require protection against unauthorized 
                disclosure for reasons of national defense or foreign 
                relations;
                    (B) any restricted data (as that term is defined in 
                paragraph (y) of section 11 of the Atomic Energy Act of 
                1954 (42 U.S.C. 2014));
                    (C) information related to intelligence sources and 
                methods; or
                    (D) information that is specifically subject to a 
                court order or a certification, directive, or other 
                authorization by the Attorney General precluding such 
                disclosure;
            (2) to limit or prohibit otherwise lawful disclosures of 
        communications, records, or information by a private entity to 
        a cybersecurity exchange or any other governmental or private 
        entity not conducted under this title;
            (3) to limit the ability of a private entity or 
        governmental entity to receive data about the information 
        systems of the entity, including lawfully obtained 
        cybersecurity threat indicators;
            (4) to authorize or prohibit any law enforcement, homeland 
        security, or intelligence activities not otherwise authorized 
        or prohibited under another provision of law;
            (5) to permit price-fixing, allocating a market between 
        competitors, monopolizing or attempting to monopolize a market, 
        boycotting, or exchanges of price or cost information, customer 
        lists, or information regarding future competitive planning; or
            (6) to prevent a governmental entity from using information 
        not acquired through a cybersecurity exchange for regulatory 
        purposes.
    (b) Federal Preemption.--This title supersedes any law or 
requirement of a State or political subdivision of a State that 
restricts or otherwise expressly regulates the provision of 
cybersecurity services or the acquisition, interception, retention, use 
or disclosure of communications, records, or other information by 
private entities to the extent such law contains requirements 
inconsistent with this title.
    (c) Preservation of Other State Law.--Except as expressly provided, 
nothing in this title shall be construed to preempt the applicability 
of any other State law or requirement.
    (d) No Creation of a Right to Information.--The provision of 
information to a non-Federal entity under this title shall not create a 
right or benefit to similar information by any other non-Federal 
entity.
    (e) Prohibition on Requirement to Provide Information to the 
Federal Government.--Nothing in this title, except as expressly stated, 
may be construed to permit a Federal entity--
            (1) to require a non-Federal entity to share information 
        with the Federal Government; or
            (2) to condition the disclosure of unclassified or 
        classified cybersecurity threat indicators under this title 
        with a non-Federal entity on the provision of cybersecurity 
        threat information to the Federal Government.
    (f) Limitation on Use of Information.--No cybersecurity threat 
indicators obtained under this title may be used, retained, or 
disclosed by a Federal entity or non-Federal entity, except as 
authorized under this title.
    (g) Declassification and Sharing of Information.--Consistent with 
the exemptions from public disclosure of section 704(d), the Director 
of National Intelligence, in consultation with the Secretary, shall 
facilitate the declassification and sharing of information in the 
possession of a Federal entity that is related to cybersecurity 
threats, as the Director of National Intelligence determines 
appropriate.
    (h) Report on Implementation.--Not later than 2 years after the 
date of enactment of this Act, the Secretary, the Director of National 
Intelligence, the Attorney General, and the Secretary of Defense shall 
jointly submit to Congress a report that--
            (1) describes the extent to which the authorities conferred 
        by this title have enabled the Federal Government and the 
        private sector to mitigate cybersecurity threats;
            (2) discloses any significant acts of noncompliance by a 
        non-Federal entity with this title, with special emphasis on 
        privacy and civil liberties, and any measures taken by the 
        Federal Government to uncover such noncompliance;
            (3) describes in general terms the nature and quantity of 
        information disclosed and received by governmental entities and 
        private entities under this title; and
            (4) proposes changes to the law, including the definitions, 
        authorities and requirements under this title, that are 
        necessary to ensure the law keeps pace with the threat while 
        protecting privacy and civil liberties.
    (i) Requirement for Annual Report.--On an annual basis, the 
Director of National Intelligence shall provide a report to the Select 
Committee on Intelligence of the Senate and the Permanent Select 
Committee on Intelligence of the House of Representatives on the 
implementation of section 705. Each report under this subsection, which 
shall be submitted in an unclassified form, but may include a 
classified annex, shall include a list of private entities that receive 
classified cybersecurity threat indicators under this title, except 
that the unclassified report shall not contain information that may be 
used to identify specific private entities unless such private entities 
consent to such identification.

SEC. 708. DEFINITIONS.

    In this title:
            (1) Certified entity.--The term ``certified entity'' means 
        a protected entity, a self-protected entity, or a provider of 
        cybersecurity services that--
                    (A) possesses or is eligible to obtain a security 
                clearance, as determined by the Director of National 
                Intelligence; and
                    (B) is able to demonstrate to the Director of 
                National Intelligence that the provider or entity can 
                appropriately protect and use classified cybersecurity 
                threat indicators.
            (2) Countermeasure.--The term ``countermeasure'' means 
        automated or manual actions with defensive intent to modify or 
        block data packets associated with electronic or wire 
        communications, internet traffic, program code, or other system 
        traffic transiting to or from or stored on an information 
        system for the purpose of protecting the information system 
        from cybersecurity threats, conducted on an information system 
        owned or operated by or on behalf of the party to be protected 
        or operated by a private entity acting as a provider of 
        electronic communication services, remote computing services, 
        or cybersecurity services to the party to be protected.
            (3) Cybersecurity exchange.--The term ``cybersecurity 
        exchange'' means any governmental entity or private entity 
        designated by the Secretary as a cybersecurity exchange under 
        section 703(a).
            (4) Cybersecurity services.--The term ``cybersecurity 
        services'' means products, goods, or services intended to 
        detect, mitigate, or prevent cybersecurity threats.
            (5) Cybersecurity threat.--The term ``cybersecurity 
        threat'' means any action that may result in unauthorized 
        access to, exfiltration of, manipulation of, or impairment to 
        the integrity, confidentiality, or availability of an 
        information system or information that is stored on, processed 
        by, or transiting an information system.
            (6) Cybersecurity threat indicator.--The term 
        ``cybersecurity threat indicator'' means information--
                    (A) that may be indicative of or describe--
                            (i) malicious reconnaissance, including 
                        anomalous patterns of communications that 
                        reasonably appear to be transmitted for the 
                        purpose of gathering technical information 
                        related to a cybersecurity threat;
                            (ii) a method of defeating a technical 
                        control;
                            (iii) a technical vulnerability;
                            (iv) a method of defeating an operational 
                        control;
                            (v) a method of causing a user with 
                        legitimate access to an information system or 
                        information that is stored on, processed by, or 
                        transiting an information system to unwittingly 
                        enable the defeat of a technical control or an 
                        operational control;
                            (vi) malicious cyber command and control;
                            (vii) the actual or potential harm caused 
                        by an incident, including information 
                        exfiltrated as a result of subverting a 
                        technical control when it is necessary in order 
                        to identify or describe a cybersecurity threat;
                            (viii) any other attribute of a 
                        cybersecurity threat, if disclosure of such 
                        attribute is not otherwise prohibited by law; 
                        or
                            (ix) any combination thereof; and
                    (B) from which reasonable efforts have been made to 
                remove information that can be used to identify 
                specific persons unrelated to the cybersecurity threat.
            (7) Federal cybersecurity center.--The term ``Federal 
        cybersecurity center'' means the Department of Defense Cyber 
        Crime Center, the Intelligence Community Incident Response 
        Center, the United States Cyber Command Joint Operations 
        Center, the National Cyber Investigative Joint Task Force, the 
        National Security Agency/Central Security Service Threat 
        Operations Center, or the United States Computer Emergency 
        Readiness Team, or any successor to such a center.
            (8) Federal entity.--The term ``Federal entity'' means a 
        Federal agency, or any component, officer, employee, or agent 
        of a Federal agency.
            (9) Governmental entity.--The term ``governmental entity'' 
        means any Federal entity and agency or department of a State, 
        local, tribal, or territorial government other than an 
        educational institution, or any component, officer, employee, 
        or agent of such an agency or department.
            (10) Information system.--The term ``information system'' 
        means a discrete set of information resources organized for the 
        collection, processing, maintenance, use, sharing, 
        dissemination, or disposition of information, including 
        communications with, or commands to, specialized systems such 
        as industrial and process control systems, telephone switching 
        and private branch exchange, and environmental control systems.
            (11) Malicious cyber command and control.--The term 
        ``malicious cyber command and control'' means a method for 
        remote identification of, access to, or use of, an information 
        system or information that is stored on, processed by, or 
        transiting an information system associated with a known or 
        suspected cybersecurity threat.
            (12) Malicious reconnaissance.--The term ``malicious 
        reconnaissance'' means a method for actively probing or 
        passively monitoring an information system for the purpose of 
        discerning technical vulnerabilities of the information system, 
        if such method is associated with a known or suspected 
        cybersecurity threat.
            (13) Monitor.--The term ``monitor'' means the interception, 
        acquisition, or collection of information that is stored on, 
        processed by, or transiting an information system for the 
        purpose of identifying cybersecurity threats.
            (14) Non-federal entity.--The term ``non-Federal entity'' 
        means a private entity or a governmental entity other than a 
        Federal entity.
            (15) Operational control.--The term ``operational control'' 
        means a security control for an information system that 
        primarily is implemented and executed by people.
            (16) Private entity.--The term ``private entity'' has the 
        meaning given the term ``person'' in section 1 of title 1, 
        United States Code, and does not include a governmental entity.
            (17) Protect.--The term ``protect'' means actions 
        undertaken to secure, defend, or reduce the vulnerabilities of 
        an information system, mitigate cybersecurity threats, or 
        otherwise enhance information security or the resiliency of 
        information systems or assets.
            (18) Protected entity.--The term ``protected entity'' means 
        an entity, other than an individual, that contracts with a 
        provider of cybersecurity services for goods or services to be 
        used for cybersecurity purposes.
            (19) Self-protected entity.--The term ``self-protected 
        entity'' means an entity, other than an individual, that 
        provides cybersecurity services to itself.
            (20) Technical control.--The term ``technical control'' 
        means a hardware or software restriction on, or audit of, 
        access or use of an information system or information that is 
        stored on, processed by, or transiting an information system 
        that is intended to ensure the confidentiality, integrity, or 
        availability of that system.
            (21) Technical vulnerability.--The term ``technical 
        vulnerability'' means any attribute of hardware or software 
        that could enable or facilitate the defeat of a technical 
        control.
            (22) Third party.--The term ``third party'' includes 
        Federal entities and non-Federal entities.

                  TITLE VIII--PUBLIC AWARENESS REPORTS

SEC. 801. FINDINGS.

    Congress finds the following:
            (1) Information technology is central to the effectiveness, 
        efficiency, and reliability of the industry and commercial 
        services, Armed Forces and national security systems, and the 
        critical infrastructure of the United States.
            (2) Cyber criminals, terrorists, and agents of foreign 
        powers have taken advantage of the connectivity of the United 
        States to inflict substantial damage to the economic and 
        national security interests of the Nation.
            (3) The cybersecurity threat is sophisticated, relentless, 
        and massive, exposing all consumers in the United States to the 
        risk of substantial harm.
            (4) Businesses in the United States are bearing enormous 
        losses as a result of criminal cyber attacks, depriving 
        businesses of hard-earned profits that could be reinvested in 
        further job-producing innovation.
            (5) Hackers continuously probe the networks of Federal and 
        State agencies, the Armed Forces, and the commercial industrial 
        base of the Armed Forces, and already have caused substantial 
        damage and compromised sensitive and classified information.
            (6) Severe cybersecurity threats will continue, and will 
        likely grow, as the economy of the United States grows more 
        connected, criminals become increasingly sophisticated in 
        efforts to steal from consumers, industries, and businesses in 
        the United States, and terrorists and foreign nations continue 
        to use cyberspace as a means of attack against the national and 
        economic security of the United States.
            (7) Public awareness of cybersecurity threats is essential 
        to cybersecurity defense. Only a well-informed public and 
        Congress can make the decisions necessary to protect consumers, 
        industries, and the national and economic security of the 
        United States.
            (8) As of 2012, the level of public awareness of 
        cybersecurity threats is unacceptably low. Only a tiny portion 
        of relevant cybersecurity information is released to the 
        public. Information about attacks on Federal Government systems 
        is usually classified. Information about attacks on private 
        systems is ordinarily kept confidential. Sufficient mechanisms 
        do not exist to provide meaningful threat reports to the public 
        in unclassified and anonymized form.

SEC. 802. REPORT ON CYBER INCIDENTS AGAINST GOVERNMENT NETWORKS.

    (a) Department of Homeland Security.--Not later than 180 days after 
the date of enactment of this Act, and annually thereafter, the 
Secretary shall submit to Congress a report that--
            (1) summarizes major cyber incidents involving networks of 
        Executive agencies (as defined in section 105 of title 5, 
        United States Code), except for the Department of Defense;
            (2) provides aggregate statistics on the number of breaches 
        of networks of Executive agencies, the volume of data 
        exfiltrated, and the estimated cost of remedying the breaches; 
        and
            (3) discusses the risk of cyber sabotage.
    (b) Department of Defense.--Not later than 180 days after the date 
of enactment of this Act, and annually thereafter, the Secretary of 
Defense shall submit to Congress a report that--
            (1) summarizes major cyber incidents against networks of 
        the Department of Defense and the military departments;
            (2) provides aggregate statistics on the number of breaches 
        against networks of the Department of Defense and the military 
        departments, the volume of data exfiltrated, and the estimated 
        cost of remedying the breaches; and
            (3) discusses the risk of cyber sabotage.
    (c) Form of Reports.--Each report submitted under this section 
shall be in unclassified form, but may include a classified annex as 
necessary to protect sources, methods, and national security.

SEC. 803. REPORTS ON PROSECUTION FOR CYBERCRIME.

    (a) In General.--Not later than 180 days after the date of 
enactment of this Act, the Attorney General and the Director of the 
Federal Bureau of Investigation shall submit to Congress reports--
            (1) describing investigations and prosecutions by the 
        Department of Justice relating to cyber intrusions or other 
        cybercrimes the preceding year, including--
                    (A) the number of investigations initiated relating 
                to such crimes;
                    (B) the number of arrests relating to such crimes;
                    (C) the number and description of instances in 
                which investigations or prosecutions relating to such 
                crimes have been delayed or prevented because of an 
                inability to extradite a criminal defendant in a timely 
                manner; and
                    (D) the number of prosecutions for such crimes, 
                including--
                            (i) the number of defendants prosecuted;
                            (ii) whether the prosecutions resulted in a 
                        conviction;
                            (iii) the sentence imposed and the 
                        statutory maximum for each such crime for which 
                        a defendant was convicted; and
                            (iv) the average sentence imposed for a 
                        conviction of such crimes;
            (2) identifying the number of employees, financial 
        resources, and other resources (such as technology and 
        training) devoted to the enforcement, investigation, and 
        prosecution of cyber intrusions or other cybercrimes, including 
        the number of investigators, prosecutors, and forensic 
        specialists dedicated to investigating and prosecuting cyber 
        intrusions or other cybercrimes; and
            (3) discussing any impediments under the laws of the United 
        States or international law to prosecutions for cyber 
        intrusions or other cybercrimes.
    (b) Updates.--The Attorney General and the Director of the Federal 
Bureau of Investigation shall annually submit to Congress reports 
updating the reports submitted under subsection (a) at the same time 
the Attorney General and Director submit annual reports under section 
404 of the Prioritizing Resources and Organization for Intellectual 
Property Act of 2008 (42 U.S.C. 3713d).

SEC. 804. REPORT ON RESEARCH RELATING TO SECURE DOMAIN.

    (a) In General.--The Secretary shall enter into a contract with the 
National Research Council, or another federally funded research and 
development corporation, under which the Council or corporation shall 
submit to Congress reports on available technical options, consistent 
with constitutional and statutory privacy rights, for enhancing the 
security of the information networks of entities that own or manage 
critical infrastructure through--
            (1) technical improvements, including developing a secure 
        domain; or
            (2) increased notice of and consent to the use of 
        technologies to scan for, detect, and defeat cyber security 
        threats, such as technologies used in a secure domain.
    (b) Timing.--The contract entered into under subsection (a) shall 
require that the report described in subsection (a) be submitted--
            (1) not later than 180 days after the date of enactment of 
        this Act;
            (2) annually, after the first report submitted under 
        subsection (a), for 3 years; and
            (3) more frequently, as determined appropriate by the 
        Secretary in response to new risks or technologies that emerge.

SEC. 805. REPORT ON PREPAREDNESS OF FEDERAL COURTS TO PROMOTE 
              CYBERSECURITY.

    Not later than 180 days after the date of enactment of this Act, 
the Attorney General, in coordination with the Administrative Office of 
the United States Courts, shall submit to Congress a report--
            (1) on whether Federal courts have granted timely relief in 
        matters relating to botnets and other cybercrime and cyber 
        security threats; and
            (2) that includes, as appropriate, recommendations on 
        changes or improvements to--
                    (A) the Federal Rules of Civil Procedure or the 
                Federal Rules of Criminal Procedure;
                    (B) the training and other resources available to 
                support the Federal judiciary;
                    (C) the capabilities and specialization of courts 
                to which such cases may be assigned; and
                    (D) Federal civil and criminal laws.

SEC. 806. REPORT ON IMPEDIMENTS TO PUBLIC AWARENESS.

    Not later than 180 days after the date of enactment of this Act, 
and annually thereafter for 3 years (or more frequently if determined 
appropriate by the Secretary) the Secretary shall submit to Congress a 
report on--
            (1) legal or other impediments to appropriate public 
        awareness of--
                    (A) the nature of, methods of propagation of, and 
                damage caused by common cyber security threats such as 
                computer viruses, phishing techniques, and malware;
                    (B) the minimal standards of computer security 
                necessary for responsible Internet use; and
                    (C) the availability of commercial off-the-shelf 
                technology that allows consumers to meet such levels of 
                computer security;
            (2) a summary of the plans of the Secretary to enhance 
        public awareness of common cyber security threats, including a 
        description of the metrics used by the Department for 
        evaluating the efficacy of public awareness campaigns; and
            (3) recommendations for congressional actions to address 
        these impediments to appropriate public awareness of common 
        cyber security threats.

SEC. 807. REPORT ON PROTECTING THE ELECTRICAL GRID OF THE UNITED 
              STATES.

    Not later than 180 days after the date of enactment of this Act, 
the Secretary, in consultation with the Secretary of Defense and the 
Director of National Intelligence, shall submit to Congress a report 
on--
            (1) the threat of a cyber attack disrupting the electrical 
        grid of the United States;
            (2) the implications for the national security of the 
        United States if the electrical grid is disrupted;
            (3) the options available to the United States and private 
        sector entities to quickly reconstitute electrical service to 
        provide for the national security of the United States, and, 
        within a reasonable time frame, the reconstitution of all 
        electrical service within the United States; and
            (4) a plan to prevent disruption of the electric grid of 
        the United States caused by a cyber attack.

                  TITLE IX--INTERNATIONAL COOPERATION

SEC. 901. DEFINITIONS.

    In this title:
            (1) Computer system; computer data.--The terms ``computer 
        system'' and ``computer data'' have the meanings given those 
        terms in chapter I of the Convention on Cybercrime.
            (2) Convention on cybercrime.--The term ``Convention on 
        Cybercrime'' means the Council of Europe's Convention on 
        Cybercrime, done at Budapest November 23, 2001, as ratified by 
        the United States Senate on August 3, 2006 (Treaty 108-11) with 
        any relevant reservations or declarations.
            (3) Cyber issues.--The term ``cyber issues'' means the full 
        range of international policies designed to ensure an open, 
        interoperable, secure, and reliable global information and 
        communications infrastructure.
            (4) Cybercrime.--The term ``cybercrime'' refers to criminal 
        offenses relating to computer systems or computer data 
        described in the Convention on Cybercrime.
            (5) Relevant federal agencies.--The term ``relevant Federal 
        agencies'' means any Federal agency that has responsibility for 
        combating cybercrime globally, including the Department of 
        Commerce, the Department of Homeland Security, the Department 
        of Justice, the Department of State, the Department of the 
        Treasury, and the Office of the United States Trade 
        Representative.

SEC. 902. FINDINGS.

    Congress finds the following:
            (1) On February 2, 2010, Admiral Dennis C. Blair, the 
        Director of National Intelligence, testified before the Select 
        Committee on Intelligence of the Senate regarding the Annual 
        Threat Assessment of the U.S. Intelligence Community, stating 
        ``The national security of the United States, our economic 
        prosperity, and the daily functioning of our government are 
        dependent on a dynamic public and private information 
        infrastructure, which includes tele-communications, computer 
        networks and systems, and the information residing within. This 
        critical infrastructure is severely threatened. . . . We cannot 
        protect cyberspace without a coordinated and collaborative 
        effort that incorporates both the US private sector and our 
        international partners.''
            (2) In a January 2010 speech on Internet freedom, Secretary 
        of State Hillary Clinton stated: ``Those who disrupt the free 
        flow of information in our society, or any other, pose a threat 
        to our economy, our government, and our civil society. 
        Countries or individuals that engage in cyber attacks should 
        face consequences and international condemnation. In an 
        Internet-connected world, an attack on one nation's networks 
        can be an attack on all. And by reinforcing that message, we 
        can create norms of behavior among states and encourage respect 
        for the global networked commons.''
            (3) November 2011 marked the tenth anniversary of the 
        Convention on Cybercrime, the only multilateral agreement on 
        cybercrime, to which the Senate provided advice and consent on 
        August 3, 2006, and which has currently been ratified by over 
        30 countries.
            (4) The May 2009 White House Cyberspace Policy Review 
        asserts ``[t]he Nation also needs a strategy for cybersecurity 
        designed to shape the international environment and bring like-
        minded nations together on a host of issues, such as technical 
        standards and acceptable legal norms regarding territorial 
        jurisdiction, sovereign responsibility, and use of force. 
        International norms are critical to establishing a secure and 
        thriving digital infrastructure.''

SEC. 903. SENSE OF CONGRESS.

    It is the sense of Congress that--
            (1) engagement with other countries to advance the 
        cyberspace objectives of the United States should be an 
        integral part of the conduct of United States foreign relations 
        and diplomacy;
            (2) the cyberspace objectives of the United States include 
        the full range of cyber issues, including issues related to 
        governance, standards, cybersecurity, cybercrime, international 
        security, human rights, and the free flow of information;
            (3) it is in the interest of the United States to work with 
        other countries to build consensus on principles and standards 
        of conduct that protect computer systems and users that rely on 
        them, prevent and punish acts of cybercrime, and promote the 
        free flow of information;
            (4) a comprehensive national cyberspace strategy must 
        include tools for addressing threats to computer systems and 
        acts of cybercrime from sources and by persons outside the 
        United States;
            (5) developing effective solutions to international 
        cyberspace threats requires engagement with foreign countries 
        on a bilateral basis and through relevant regional and 
        multilateral fora;
            (6) it is in the interest of the United States to encourage 
        the development of effective frameworks for international 
        cooperation to combat cyberthreats, and the development of 
        foreign government capabilities to combat cyberthreats; and
            (7) the Secretary of State, in consultation with other 
        relevant Federal agencies, should develop and lead Federal 
        Government efforts to engage with other countries to advance 
        the cyberspace objectives of the United States, including 
        efforts to bolster an international framework of cyber norms, 
        governance and deterrence.

SEC. 904. COORDINATION OF INTERNATIONAL CYBER ISSUES WITHIN THE UNITED 
              STATES GOVERNMENT.

    The Secretary of State is authorized to designate a senior level 
official at the Department of State, to carry out the Secretary's 
responsibilities to--
            (1) coordinate the United States global diplomatic 
        engagement on the full range of international cyber issues, 
        including building multilateral cooperation and developing 
        international norms, common policies, and responses to secure 
        the integrity of cyberspace;
            (2) provide strategic direction and coordination for United 
        States Government policy and programs aimed at addressing and 
        responding to cyber issues overseas, especially in relation to 
        issues that affect United States foreign policy and related 
        national security concerns;
            (3) coordinate with relevant Federal agencies, including 
        the Department, the Department of Defense, the Department of 
        the Treasury, the Department of Justice, the Department of 
        Commerce, and the intelligence community to develop interagency 
        plans regarding international cyberspace, cybersecurity, and 
        cybercrime issues; and
            (4) ensure that cyber issues, including cybersecurity and 
        cybercrime, are included in the responsibilities of overseas 
        Embassies and consulates of the United States, as appropriate.

SEC. 905. CONSIDERATION OF CYBERCRIME IN FOREIGN POLICY AND FOREIGN 
              ASSISTANCE PROGRAMS.

    (a) Briefing.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Secretary of State, after 
        consultation with the heads of the relevant Federal agencies, 
        shall provide a comprehensive briefing to relevant 
        congressional committees--
                    (A) assessing global issues, trends, and actors 
                considered to be significant with respect to 
                cybercrime;
                    (B) assessing, after consultation with private 
                industry groups, civil society organizations, and other 
                relevant domestic or multilateral organizations, which 
                shall be selected by the President based on an interest 
                in combating cybercrime, means of enhancing 
                multilateral or bilateral efforts in areas of 
                significance--
                            (i) to prevent and investigate cybercrime;
                            (ii) to develop and share best practices 
                        with respect to directly or indirectly 
                        combating cybercrime; and
                            (iii) to cooperate and take action with 
                        respect to the prevention, investigation, and 
                        prosecution of cybercrime; and
                    (C) describing the steps taken by the United States 
                to promote the multilateral or bilateral efforts 
                described in subparagraph (B).
            (2) Contributions from relevant federal agencies.--Not 
        later than 30 days before the date on which the briefing is to 
        be provided under paragraph (1), the head of each relevant 
        Federal agency shall consult with and provide to the Secretary 
        of State relevant information appropriate for the briefing.
    (b) Periodic Updates.--The Secretary of State shall provide updated 
information highlighting significant developments relating to the 
issues described in subsection (a), through periodic briefings to 
Congress.
    (c) Use of Foreign Assistance Programs.--
            (1) Foreign assistance programs to combat cybercrime.--The 
        Secretary of State is authorized to accord priority in foreign 
        assistance to programs designed to combat cybercrime in a 
        region or program of significance in order to better combat 
        cybercrime by, among other things, improving the effectiveness 
        and capacity of the legal and judicial systems and the 
        capabilities of law enforcement agencies with respect to 
        cybercrime.
            (2) Sense of the congress with respect to bilateral and 
        multilateral assistance.--It is the sense of Congress that the 
        Secretary of State should include programs designed to combat 
        cybercrime in relevant bilateral or multilateral assistance 
        programs administered or supported by the United States 
        Government.