<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<!-- Parsing note: the stylesheet instruction and the DOCTYPE above name billres.xsl and
     bill.dtd by relative path, so a processor that honours them will try to load both from
     the location this file was read from. Resolve them from a trusted local copy (for
     example through an XML catalog), and keep external-entity resolution and network
     fetches disabled when parsing a copy of unknown origin. -->
<bill bill-stage="Placed-on-Calendar-Senate" dms-id="A1" public-private="public">
	<form>
		<distribution-code display="yes">II</distribution-code>
		<calendar>Calendar No. 323</calendar>
		<congress>112th CONGRESS</congress>
		<session>2d Session</session>
		<legis-num>S. 2105</legis-num>
		<current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber>
		<action>
			<action-date date="20120214">February 14, 2012</action-date>
			<action-desc><sponsor name-id="S210">Mr. Lieberman</sponsor> (for
			 himself, <cosponsor name-id="S252">Ms. Collins</cosponsor>,
			 <cosponsor name-id="S176">Mr. Rockefeller</cosponsor>, and
			 <cosponsor name-id="S221">Mrs. Feinstein</cosponsor>) introduced the following
			 bill; which was read the first time</action-desc>
		</action>
		<action>
			<action-date date="20120215">February 15, 2012</action-date>
			<action-desc>Read the second time and placed on the
			 calendar</action-desc>
		</action>
		<legis-type>A BILL</legis-type>
		<official-title>To enhance the security and resiliency of the cyber and
		  communications infrastructure of the United States.</official-title>
	</form>
	<legis-body>
		<section id="S1" section-type="section-one"><enum>1.</enum><header>Short
			 title; table of contents</header>
			<subsection commented="no" id="id4886DC943DE64051B7F250FFED91BCDA"><enum>(a)</enum><header>Short
			 title</header><text display-inline="yes-display-inline">This Act may be cited
			 as the <quote><short-title>Cybersecurity Act of
			 2012</short-title></quote>.</text>
			</subsection><subsection id="id3F7F9A7EFE0E489798F376F93A1F17A2"><enum>(b)</enum><header>Table of
			 contents</header><text>The table of contents for this Act is as follows:</text>
				<toc>
					<toc-entry idref="S1" level="section">Sec. 1. Short title; table of
				contents.</toc-entry>
					<toc-entry idref="id79E14C6513FA43FF95ABDE2302E8EA6A" level="section">Sec. 2. Definitions.</toc-entry>
					<toc-entry idref="id5C67C573722A4710B8850FD4B692130B" level="title">TITLE I—Protecting critical infrastructure</toc-entry>
					<toc-entry idref="ID4dc5959307ed48019d0a30e97327e478" level="section">Sec. 101. Definitions and responsibilities.</toc-entry>
					<toc-entry idref="IDe8847412f17242b9b3961b448370cd39" level="section">Sec. 102. Sector-by-sector cyber risk assessments.</toc-entry>
					<toc-entry idref="ID197f2f93544b4deab54a4e665651bb48" level="section">Sec. 103. Procedure for designation of covered critical
				infrastructure.</toc-entry>
					<toc-entry idref="IDce73188f26c448c0bb2cdfd090d8107d" level="section">Sec. 104. Sector-by-sector risk-based cybersecurity performance
				requirements.</toc-entry>
					<toc-entry idref="ID6ea7743415374997841719f5da93b562" level="section">Sec. 105. Security of covered critical
				infrastructure.</toc-entry>
					<toc-entry idref="ID2e7950c1316c4aa4b9627f3b08ea233f" level="section">Sec. 106. Sector-specific agencies.</toc-entry>
					<toc-entry idref="ID217d62ce62714ad7a76de332ce9fdb85" level="section">Sec. 107. Protection of information.</toc-entry>
					<toc-entry idref="ID659a80eb78fc46329f7bbcc496584313" level="section">Sec. 108. Voluntary technical assistance.</toc-entry>
					<toc-entry idref="ID1fba16e2e2ec48b1ba6ece63a10e1856" level="section">Sec. 109. Emergency planning.</toc-entry>
					<toc-entry idref="ID467a4038865949a29794621b1cc3db37" level="section">Sec. 110. International cooperation.</toc-entry>
					<toc-entry idref="idBD892291DB8043368D99C666870DC5F7" level="section">Sec. 111. Effect on other laws.</toc-entry>
					<toc-entry idref="id47ADCFA182B442FC8158764795081EE7" level="title">TITLE II—Protecting government networks</toc-entry>
					<toc-entry idref="idB8E6DBD0445A4F699A897BBEFB635C0E" level="section">Sec. 201. FISMA Reform.</toc-entry>
					<toc-entry idref="ID1f78ed935a9449098664d18aa30aabdc" level="section">Sec. 202. Management of information technology.</toc-entry>
					<toc-entry idref="ID0878d5bdfa38404bae793bf89eb098e7" level="section">Sec. 203. Savings provisions.</toc-entry>
					<toc-entry idref="idB1F5DAC9B2B74546944490F67E5BDB8C" level="title">TITLE III—Clarifying and Strengthening Existing Roles and
				Authorities</toc-entry>
					<toc-entry idref="ID3d57e7d77d5f46558b466ddec449d31c" level="section">Sec. 301. Consolidation of existing departmental cyber
				resources and authorities.</toc-entry>
					<toc-entry idref="id2487DB755B2240DA9CB1C2F2F611FC0D" level="title">TITLE IV—Education, recruitment, and workforce
				development</toc-entry>
					<toc-entry idref="id487750F281F54E119BF01E1646D8091A" level="section">Sec. 401. Definitions.</toc-entry>
					<toc-entry idref="IDfb4659a308374b9d868dfc85399a75f8" level="section">Sec. 402. National education and awareness
				campaign.</toc-entry>
					<toc-entry idref="IDbf31f9a8885d4e57b1622cc760aba677" level="section">Sec. 403. National cybersecurity competition and
				challenge.</toc-entry>
					<toc-entry idref="ID8843459fc57a44ceba9b4e24983fa9e0" level="section">Sec. 404. Federal cyber scholarship-for-service
				program.</toc-entry>
					<toc-entry idref="ID39f44a12e75e48818bb922681689b254" level="section">Sec. 405. Assessment of cybersecurity Federal
				workforce.</toc-entry>
					<toc-entry idref="ID9331158723ab46b3a429bd52095920d4" level="section">Sec. 406. Federal cybersecurity occupation
				classifications.</toc-entry>
					<toc-entry idref="ID1d3b542c748c4c3e988d293e2aba0f61" level="section">Sec. 407. Training and education.</toc-entry>
					<toc-entry idref="IDc7e79c42d8cc4adfa63b0d24b52299b3" level="section">Sec. 408. Cybersecurity incentives.</toc-entry>
					<toc-entry idref="id87996E1984DB40A9B86A96AA73649E97" level="title">TITLE V—Research and development</toc-entry>
					<toc-entry idref="idEEC57A3DCAF148769074670062EBE0B9" level="section">Sec. 501. Federal cybersecurity research and
				development.</toc-entry>
					<toc-entry idref="ID9ee2fd4672574299b51e684815da9286" level="section">Sec. 502. Homeland security cybersecurity research and
				development.</toc-entry>
					<toc-entry idref="id7694758327444028A1C1A12404E619ED" level="title">TITLE VI—Federal acquisition risk management strategy</toc-entry>
					<toc-entry idref="IDa6fe930650cb41c7a95bfae9aae079a0" level="section">Sec. 601. Federal acquisition risk management
				strategy.</toc-entry>
					<toc-entry idref="ID2174a7c4b179421490defd3b4352ce5b" level="section">Sec. 602. Amendments to Clinger-Cohen provisions to enhance
				agency planning for information security needs.</toc-entry>
					<toc-entry idref="id77C74B7831514519B4477C9A5B8EBA7D" level="title">TITLE VII—Information Sharing</toc-entry>
					<toc-entry idref="idA0A27571D229485BA78B38FEE76E032F" level="section">Sec. 701. Affirmative authority to monitor and defend against
				cybersecurity threats.</toc-entry>
					<toc-entry idref="idA5E451C2F6494FDEB5934FED47CA6928" level="section">Sec. 702. Voluntary disclosure of cybersecurity threat
				indicators among private entities.</toc-entry>
					<toc-entry idref="idCCBB8433C5E34215B971C8307A3EBD52" level="section">Sec. 703. Cybersecurity exchanges.</toc-entry>
					<toc-entry idref="id8E8B31A7F5D0455086DD53BC725B9D84" level="section">Sec. 704. Voluntary disclosure of cybersecurity threat
				indicators to a cybersecurity exchange.</toc-entry>
					<toc-entry idref="idC6521B395C904940A5E755AAF5A8F256" level="section">Sec. 705. Sharing of classified cybersecurity threat
				indicators.</toc-entry>
					<toc-entry idref="idB5F23E0931FE4B87B747F03227C5D4F4" level="section">Sec. 706. Limitation on liability and good faith defense for
				cybersecurity activities.</toc-entry>
					<toc-entry idref="id3385682338BF4D3B823253566DBBB305" level="section">Sec. 707. Construction; Federal preemption.</toc-entry>
					<toc-entry idref="id3D1DE53987B24858A113B0F475818F2F" level="section">Sec. 708. Definitions.</toc-entry>
					<toc-entry idref="id4F9EF245FE444340AC61D049E38C004B" level="title">TITLE VIII—Public Awareness Reports</toc-entry>
					<toc-entry idref="id9621A9B421A34504A2397658D10ED9C9" level="section">Sec. 801. Findings.</toc-entry>
					<toc-entry idref="id1DFB1422EDC8475EB1A76115940EBFE0" level="section">Sec. 802. Report on cyber incidents against Government
				networks.</toc-entry>
					<toc-entry idref="id9DD9775D1FD24DF3933B951C3DDD0A4C" level="section">Sec. 803. Reports on prosecution for cybercrime.</toc-entry>
					<toc-entry idref="IDec6b15807a434a079aadc4ba2fec9c12" level="section">Sec. 804. Report on research relating to secure
				domain.</toc-entry>
					<toc-entry idref="id816DAE20CBF14533927D138F96B9DFB2" level="section">Sec. 805. Report on preparedness of Federal courts to promote
				cybersecurity.</toc-entry>
					<toc-entry idref="id92FC6DCE76264D6EACED8FD07B5549F0" level="section">Sec. 806. Report on impediments to public
				awareness.</toc-entry>
					<toc-entry idref="idB800AA73B89A4703842A6653E02578C8" level="section">Sec. 807. Report on protecting the electrical grid of the
				United States.</toc-entry>
					<toc-entry idref="id1969E5C2828D4F5D93287BE784A4E085" level="title">TITLE IX—International cooperation</toc-entry>
					<toc-entry idref="id688CC43888544A3FAB7B7DFAA329DFED" level="section">Sec. 901. Definitions.</toc-entry>
					<toc-entry idref="idAF0CC11AC02742A5A2EBFFF09E085AB1" level="section">Sec. 902. Findings.</toc-entry>
					<toc-entry idref="idEBD16752E8F446E9B457FBC3362383AF" level="section">Sec. 903. Sense of Congress.</toc-entry>
					<toc-entry idref="id4793D0AB051E4C1DA85AA8168938AC34" level="section">Sec. 904. Coordination of international cyber issues within the
				United States Government.</toc-entry>
					<toc-entry idref="IDbcf1e8b7f0244650b2fa209f60e39942" level="section">Sec. 905. Consideration of cybercrime in foreign policy and
				foreign assistance programs.</toc-entry>
				</toc>
			</subsection></section><section id="id79E14C6513FA43FF95ABDE2302E8EA6A"><enum>2.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act:</text>
			<paragraph id="idf9ec010c2eca4dfd9ecefe945f804ce9"><enum>(1)</enum><header>Commercial
			 information technology product</header><text>The term <term>commercial
			 information technology product</term> means a commercial item that organizes or
			 communicates information electronically.</text>
			</paragraph><paragraph id="idF26C08CD238849C1A28837D222EEDFB5"><enum>(2)</enum><header>Commercial
			 item</header><text>The term <term>commercial item</term> has the meaning given
			 the term in section 103 of title 41, United States Code.</text>
			</paragraph><paragraph id="id11C7B04690654AFEAA84ED2F84C0D9E5"><enum>(3)</enum><header>Covered
			 critical infrastructure</header><text>The term <term>covered critical
			 infrastructure</term> means a system or asset designated by the Secretary as
			 covered critical infrastructure in accordance with the procedure established
			 under section 103.</text>
			</paragraph><paragraph commented="no" id="idC098082D44C0471C95918CC706BB50CE"><enum>(4)</enum><header>Covered system
			 or asset</header><text>The term <term>covered system or asset</term> means a
			 system or asset of covered critical infrastructure.</text>
			</paragraph><paragraph id="id47126DE20DEC45B7A04925B8CE6DE594"><enum>(5)</enum><header>Critical
			 infrastructure</header><text>The term <term>critical infrastructure</term> has
			 the meaning given that term in section 1016(e) of the USA PATRIOT Act (42
			 U.S.C. 5195c(e)).</text>
			</paragraph><paragraph id="id74642E502C354F5EB2AC876CDA14C9C4"><enum>(6)</enum><header>Department</header><text display-inline="yes-display-inline">The term <term>Department</term> means the
			 Department of Homeland Security.</text>
			</paragraph><paragraph commented="no" id="idABFB07054978472CAC48541F2A968EB1"><enum>(7)</enum><header>Federal
			 agency</header><text>The term <term>Federal agency</term> has the meaning given
			 the term <quote>agency</quote> in section 3502 of title 44, United States
			 Code.</text>
			</paragraph><paragraph id="id04D758569240478FB33EB80E7F1C55C0"><enum>(8)</enum><header>Federal
			 information infrastructure</header><text>The term <term>Federal information
			 infrastructure</term>—</text>
				<subparagraph id="IDaefe91521b7243308796af215887e77c"><enum>(A)</enum><text>means information
			 and information systems that are owned, operated, controlled, or licensed for
			 use by, or on behalf of, any Federal agency, including information systems used
			 or operated by another entity on behalf of a Federal agency; and</text>
				</subparagraph><subparagraph id="IDda33478043ac406bb235f243425b5c7d"><enum>(B)</enum><text>does not
			 include—</text>
					<clause id="IDb6c09cf105964605ba62ed57f8848ffc"><enum>(i)</enum><text>a
			 national security system; or</text>
					</clause><clause id="IDb6cd8f3aba2d4a6ea9705512d2ae36e3"><enum>(ii)</enum><text>information and
			 information systems that are owned, operated, controlled, or licensed for use
			 by, or on behalf of, the Department of Defense, a military department, or
			 another element of the intelligence community.</text>
					</clause></subparagraph></paragraph><paragraph id="idC91515872C054949AF0C56D40E8689AE"><enum>(9)</enum><header>Incident</header><text>The
			 term <term>incident</term> has the meaning given that term in section 3552 of
			 title 44, United States Code, as added by section 201 of this Act.</text>
			</paragraph><paragraph commented="no" id="id98C64910C5964FF89E34ABB3FE7C6399"><enum>(10)</enum><header>Information
			 infrastructure</header><text>The term <term>information infrastructure</term>
			 means the underlying framework that information systems and assets rely on to
			 process, transmit, receive, or store information electronically, including
			 programmable electronic devices and communications networks and any associated
			 hardware, software, or data.</text>
			</paragraph><paragraph id="idad29b1acb833439fa824ec0eb7185589"><enum>(11)</enum><header>Information
			 Sharing and Analysis Organization</header><text>The term <term>Information
			 Sharing and Analysis Organization</term> has the meaning given that term in
			 section 212 of the Homeland Security Act of 2002 (6 U.S.C. 131).</text>
			</paragraph><paragraph id="idCE4CBD2C0C20417985417BB3C4CAA468"><enum>(12)</enum><header>Information
			 system</header><text>The term <term>information system</term> has the meaning
			 given that term in section 3502 of title 44, United States Code.</text>
			</paragraph><paragraph id="id0E0F328AD9C5488CBD982D4563C40BD1"><enum>(13)</enum><header>Institution of
			 higher education</header><text>The term <term>institution of higher
			 education</term> has the meaning given that term in section 102 of the Higher
			 Education Act of 1965 (20 U.S.C. 1002).</text>
			</paragraph><paragraph id="id1E6E4C99806B4FCF933571D395D46CDC"><enum>(14)</enum><header>Intelligence
			 community</header><text>The term <term>intelligence community</term> has the
			 meaning given that term under section 3(4) of the National Security Act of 1947
			 (50 U.S.C. 401a(4)).</text>
			</paragraph><paragraph id="idfe2ee1cf169e4101981ec8990fe6004e"><enum>(15)</enum><header>National
			 information infrastructure</header><text>The term <term>national information
			 infrastructure</term> means information and information systems—</text>
				<subparagraph id="ida558b1c3e9a94d19af718c63363ffb0c"><enum>(A)</enum><text>that are owned,
			 operated, or controlled, in whole or in part, within or from the United States;
			 and</text>
				</subparagraph><subparagraph id="ida8e5224b01e9402cb241ca6d27112102"><enum>(B)</enum><text>that are not
			 owned, operated, controlled, or licensed for use by a Federal agency.</text>
				</subparagraph></paragraph><paragraph id="id03EB21CF937F425EAD73C0626E5EBE24"><enum>(16)</enum><header>National
			 security system</header><text>The term <term>national security system</term>
			 has the meaning given that term in section 3552 of title 44, United States
			 Code, as added by section 201 of this Act.</text>
			</paragraph><paragraph id="id65CC368FCBB44F599E38B6B3354BA6CC"><enum>(17)</enum><header>Owner</header><text>The
			 term <term>owner</term>—</text>
				<subparagraph id="idD174699F9DA3468B8B0A11ACFBFDC390"><enum>(A)</enum><text>means an entity
			 that owns a covered system or asset; and</text>
				</subparagraph><subparagraph id="id6173AD6B8D934EB9BE15005DD5576F1F"><enum>(B)</enum><text>does not include
			 a company contracted by the owner to manage, run, or operate a covered system
			 or asset, or to provide a specific information technology product or service
			 that is used or incorporated into a covered system or asset.</text>
				</subparagraph></paragraph><paragraph id="id6272CD73211644FA8037C9BA916A8483"><enum>(18)</enum><header>Operator</header><text>The
			 term <term>operator</term>—</text>
				<subparagraph id="id181662B2E9C84ED88B8DF2DE845473D0"><enum>(A)</enum><text>means an entity
			 that manages, runs, or operates, in whole or in part, the day-to-day operations
			 of a covered system or asset; and</text>
				</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idE5D9C7226AAC4A7E900529F920E462E8"><enum>(B)</enum><text>may include the
			 owner of a covered system or asset.</text>
				</subparagraph></paragraph><paragraph id="id89ED935DACFB4DFFB53FF4221F533D97"><enum>(19)</enum><header>Secretary</header><text>The
			 term <term>Secretary</term> means the Secretary of Homeland Security.</text>
			</paragraph></section><title id="id5C67C573722A4710B8850FD4B692130B"><enum>I</enum><header>Protecting
			 critical infrastructure</header>
			<section id="ID4dc5959307ed48019d0a30e97327e478"><enum>101.</enum><header>Definitions
			 and responsibilities</header>
				<subsection id="ID803f11d204bd4df28cf3ce5ae500bd41"><enum>(a)</enum><header>Definitions</header><text>In
			 this title:</text>
					<paragraph commented="no" id="id3574BBCE02BC4404B85F3A142CFEB211"><enum>(1)</enum><header>Cyber
			 risk</header><text>The term <term>cyber risk</term> means any risk to
			 information infrastructure, including physical or personnel risks and security
			 vulnerabilities, that, if exploited or not mitigated, could pose a significant
			 risk of disruption to the operation of information infrastructure essential to
			 the reliable operation of covered critical infrastructure.</text>
					</paragraph><paragraph commented="no" id="idED040F88003945B9947BA0313BF627D9"><enum>(2)</enum><header>Sector-specific
			 agency</header><text>The term <term>sector-specific agency</term> means the
			 relevant Federal agency responsible for infrastructure protection activities in
			 a designated critical infrastructure sector or key resources category under the
			 National Infrastructure Protection Plan, or any other appropriate Federal
			 agency identified by the President after the date of enactment of this
			 Act.</text>
					</paragraph></subsection><subsection id="IDfe77a32206a34c6a899a5abe6102e841"><enum>(b)</enum><header>Responsibility
			 of owner</header><text>It shall be the responsibility of an owner to comply
			 with the requirements of this Act.</text>
				</subsection></section><section id="IDe8847412f17242b9b3961b448370cd39"><enum>102.</enum><header>Sector-by-sector
			 cyber risk assessments</header>
				<subsection id="idE737408FE6D74D39ABB8A8DD5644FC47"><enum>(a)</enum><header>In
			 general</header><text>The Secretary, in consultation with entities that own or
			 operate critical infrastructure, the Critical Infrastructure Partnership
			 Advisory Council, and appropriate Information Sharing and Analysis
			 Organizations, and in coordination with the intelligence community, the
			 Department of Defense, the Department of Commerce, sector-specific agencies and
			 other Federal agencies with responsibilities for regulating the security of
			 entities that own or operate critical infrastructure shall—</text>
					<paragraph id="ID177933e160234549b56a46f7ee951590"><enum>(1)</enum><text>not later than 90
			 days after the date of enactment of this Act, conduct a top-level assessment of
			 the cybersecurity threats, vulnerabilities, risks, and probability of a
			 catastrophic incident across all critical infrastructure sectors to determine
			 which sectors pose the greatest immediate risk, in order to guide the
			 allocation of resources for the implementation of this Act; and</text>
					</paragraph><paragraph id="ID22501e90904b49acb78dd2f896717bdc"><enum>(2)</enum><text>beginning with
			 the highest priority sectors identified under paragraph (1), conduct, on an
			 ongoing, sector-by-sector basis, cyber risk assessments of the critical
			 infrastructure in a manner that—</text>
						<subparagraph id="ID20bf669bfa43469ea696f320db0d955d"><enum>(A)</enum><text>uses state-of-the-art
			 threat modeling, simulation, and analysis techniques;</text>
						</subparagraph><subparagraph id="IDdc01d011d74b42eab0ffeb1907db27b2"><enum>(B)</enum><text>incorporates, as
			 appropriate, any existing similar risk assessments; and</text>
						</subparagraph><subparagraph id="IDfb74e81f9359483b86b54bd58165f3bd"><enum>(C)</enum><text>considers—</text>
							<clause id="ID2fd7a29cfc744cbc980ff4e4b2a5e7e8"><enum>(i)</enum><text>the
			 actual or assessed threat, including consideration of adversary capabilities
			 and intent, intrusion techniques, preparedness, target attractiveness, and
			 deterrence capabilities;</text>
							</clause><clause id="ID010b03050c2c4a579adea56a5f7cf1d8"><enum>(ii)</enum><text>the extent and
			 likelihood of death, injury, or serious adverse effects to human health and
			 safety caused by damage or unauthorized access to critical
			 infrastructure;</text>
							</clause><clause id="IDece017fe39cd4f58b67bf4599baad5c3"><enum>(iii)</enum><text>the threat to
			 or impact on national security caused by damage or unauthorized access to
			 critical infrastructure;</text>
							</clause><clause id="IDd12cf625896e4e9490e0f462a51b7863"><enum>(iv)</enum><text>the extent to
			 which damage or unauthorized access to critical infrastructure will disrupt the
			 reliable operation of other critical infrastructure;</text>
							</clause><clause id="IDee68b978ed7249f2b4de18854c043a46"><enum>(v)</enum><text>the
			 harm to the economy that would result from damage or unauthorized access to
			 critical infrastructure;</text>
							</clause><clause id="ID10b87ca285fe43f383a88e347d219c00"><enum>(vi)</enum><text>the risk of
			 national or regional catastrophic damage within the United States caused by
			 damage or unauthorized access to information infrastructure located outside the
			 United States;</text>
							</clause><clause id="IDc3affff98a884b74b8c37f1886398357"><enum>(vii)</enum><text>the overall
			 preparedness and resilience of each sector against damage or unauthorized
			 access to critical infrastructure, including the effectiveness of market forces
			 at driving security innovation and secure practices; and</text>
							</clause><clause id="IDfcccaf9bd22e436380f1053b7c5c8768"><enum>(viii)</enum><text>any other
			 risk-based security factors appropriate and necessary to protect public health
			 and safety, critical infrastructure, or national and economic security.</text>
							</clause></subparagraph></paragraph></subsection><subsection id="IDa3dddb2581e94f18b4d9ef27d19b84ca"><enum>(b)</enum><header>Input of owners
			 and operators</header>
					<paragraph id="idC13DD5AA98D843CE93260AE3A605DFCF"><enum>(1)</enum><header>In
			 general</header><text>The Secretary shall—</text>
						<subparagraph id="idCD95C56D583B4718A83825A0298F9076"><enum>(A)</enum><text>establish a
			 process under which entities that own or operate critical infrastructure and
			 other relevant private sector experts provide input into the risk assessments
			 conducted under this section; and</text>
						</subparagraph><subparagraph id="idBC93DFD7838D4F2F95353C9E82BEFBAA"><enum>(B)</enum><text>seek and
			 incorporate private sector expertise available through established
			 public-private partnerships, including the Critical Infrastructure Partnership
			 Advisory Council and appropriate Information Sharing and Analysis
			 Organizations.</text>
						</subparagraph></paragraph><paragraph id="id905E06EEFE68434E8D07E59E90AF6494"><enum>(2)</enum><header>Protection of
			 information</header><text>Any information submitted as part of the process
			 established under paragraph (1) shall be protected in accordance with section
			 107.</text>
					</paragraph></subsection><subsection id="ID85e976bdfbf1479d9fd8b192315d99ad"><enum>(c)</enum><header>Methodologies
			 for assessing information security risk</header><text>The Secretary and the
			 Director of the National Institute of Standards and Technology, in consultation
			 with entities that own or operate critical infrastructure and relevant private
			 sector and academic experts, shall—</text>
					<paragraph id="idE9D520E02973496FBC1AD16B9B03255A"><enum>(1)</enum><text>develop
			 repeatable, qualitative, and quantitative methodologies for assessing
			 information security risk; or</text>
					</paragraph><paragraph id="idACC7153F77054C92983921F42A8FD6AA"><enum>(2)</enum><text>use methodologies
			 described in paragraph (1) that are in existence on the date of enactment of
			 this Act and make the methodologies publicly available.</text>
					</paragraph></subsection><subsection id="IDed0c68c6e9084e3e942d56c386413863"><enum>(d)</enum><header>Submission of
			 risk assessments</header><text>The Secretary shall submit each risk assessment
			 conducted under this section, in a classified or unclassified form as
			 necessary, to—</text>
					<paragraph id="id6A9120EC147F4F69BB3EE4E3AD162026"><enum>(1)</enum><text>the
			 President;</text>
					</paragraph><paragraph id="idE86DAE7847A74097AF6556B45E0C83E0"><enum>(2)</enum><text>appropriate
			 Federal agencies; and</text>
					</paragraph><paragraph id="id44E064ED1A5E4B0CB98A51672EC76D0F"><enum>(3)</enum><text>appropriate
			 congressional committees.</text>
					</paragraph></subsection></section><section id="ID197f2f93544b4deab54a4e665651bb48"><enum>103.</enum><header>Procedure for
			 designation of covered critical infrastructure</header>
				<subsection id="IDc91751ce69624f68a87825d3b4acb49a"><enum>(a)</enum><header>Responsibility
			 for designation of covered critical infrastructure</header>
					<paragraph id="ID3fe8a49b64fe459da46ec32e06438ce2"><enum>(1)</enum><header>In
			 general</header><text>The Secretary, in consultation with entities that own or
			 operate critical infrastructure, the Critical Infrastructure Partnership
			 Advisory Council, appropriate Information Sharing and Analysis Organizations,
			 and other appropriate representatives of State and local governments, shall
			 establish a procedure for the designation of critical infrastructure, on a
			 sector-by-sector basis, as covered critical infrastructure for the purposes of
			 this Act.</text>
					</paragraph><paragraph id="IDb85e5c2eec6b44da9099218cc57dc56f"><enum>(2)</enum><header>Duties</header><text>In
			 establishing the procedure under paragraph (1), the Secretary shall—</text>
						<subparagraph id="ID908ad2957c3948858f387750a465d437"><enum>(A)</enum><text>prioritize the
			 efforts of the Department based on the prioritization established under section
			 102(a)(1);</text>
						</subparagraph><subparagraph id="IDbcbbd47e485640368464a0ccba6e1b99"><enum>(B)</enum><text>incorporate, to
			 the extent practicable, the input of entities that own or operate critical
			 infrastructure, the Critical Infrastructure Partnership Advisory Council,
			 appropriate Information Sharing and Analysis Organizations, and other
			 appropriate representatives of the private sector and State and local
			 governments;</text>
						</subparagraph><subparagraph id="ID84050f62b9764192b364cfc1e22d035c"><enum>(C)</enum><text>coordinate with
			 the head of the sector-specific agency with responsibility for critical
			 infrastructure and the head of any Federal agency with responsibilities for
			 regulating the security of critical infrastructure;</text>
						</subparagraph><subparagraph id="ID8515084948d3482d92061d4384d5a3f2"><enum>(D)</enum><text>develop a
			 mechanism for owners to submit information to assist the Secretary in making
			 determinations under this section; and</text>
						</subparagraph><subparagraph id="IDf8f3ac300a494960bd2ea28414f151ae"><enum>(E)</enum><text>periodically, but
			 not less often than annually, review and update designations under this
			 section.</text>
						</subparagraph></paragraph></subsection><subsection id="ID3aa66c2e2f41472280768f410a92083a"><enum>(b)</enum><header>Designation of
			 covered critical infrastructure</header>
					<paragraph id="ID9b16032cb1d947bfac57a2c6913a56e9"><enum>(1)</enum><header>Guidelines for
			 designation</header><text>In designating covered critical infrastructure for
			 the purposes of this Act, the Secretary shall—</text>
						<subparagraph id="IDfdd6389f5f124624b3528a7dafc08a18"><enum>(A)</enum><text>designate covered
			 critical infrastructure on a sector-by-sector basis and at the system or asset
			 level;</text>
						</subparagraph><subparagraph id="ID4596e5396fe84e5781a890b71088f1be"><enum>(B)</enum><text>inform owners of
			 the criteria used to identify covered critical infrastructure;</text>
						</subparagraph><subparagraph id="ID6dcc06820ea4406daac8844e34053988"><enum>(C)</enum><text>only designate a
			 system or asset as covered critical infrastructure if damage or unauthorized
			 access to that system or asset could reasonably result in—</text>
							<clause id="IDa035090d38434287921a4c0e71a8e0bb"><enum>(i)</enum><text>the
			 interruption of life-sustaining services, including energy, water,
			 transportation, emergency services, or food, sufficient to cause—</text>
								<subclause id="ID1ef7011b6e3842eca6149843a5186a48"><enum>(I)</enum><text>a mass casualty
			 event that includes an extraordinary number of fatalities; or</text>
								</subclause><subclause id="ID4fccf0ab94554c74868fcae2b97acd6d"><enum>(II)</enum><text>mass evacuations
			 with a prolonged absence;</text>
								</subclause></clause><clause id="IDbf263b5479204ace8870e7963d45784e"><enum>(ii)</enum><text>catastrophic
			 economic damage to the United States including—</text>
								<subclause id="ID1a248cd0580b4474a9d8122724ddb5f6"><enum>(I)</enum><text>failure or
			 substantial disruption of a United States financial market;</text>
								</subclause><subclause id="ID0028b81c2a36450eb651199d4302357d"><enum>(II)</enum><text>incapacitation
			 or sustained disruption of a transportation system; or</text>
								</subclause><subclause id="ID98b32c6408e740e2a720bdcf5d26a065"><enum>(III)</enum><text>other systemic,
			 long-term damage to the United States economy; or</text>
								</subclause></clause><clause id="ID92c25a5b44a746b380f3f2418f90566b"><enum>(iii)</enum><text>severe
			 degradation of national security or national security capabilities, including
			 intelligence and defense functions; and</text>
							</clause></subparagraph><subparagraph id="IDbfb8872a71774ddb84b1b8a5deb0d240"><enum>(D)</enum><text>consider the
			 sector-by-sector risk assessments developed in accordance with section
			 102.</text>
						</subparagraph></paragraph><paragraph id="IDbf6a8a5f434a43f1bc5ceab6373b6032"><enum>(2)</enum><header>Limitations</header><text>The
			 Secretary may not designate as covered critical infrastructure under this
			 section—</text>
						<subparagraph id="id8E861CF910504710A03A2898E93651DC"><enum>(A)</enum><text>a system or asset
			 based solely on activities protected by the first amendment to the Constitution
			 of the United States;</text>
						</subparagraph><subparagraph id="idCE740CF133984DC38F0590688D98C07D"><enum>(B)</enum><text>an information
			 technology product or service based solely on a finding that the product or
			 service is capable of, or is actually, being used in covered critical
			 infrastructure;</text>
						</subparagraph><subparagraph id="idCD7CE13EC0F044C090C43C7428534A63"><enum>(C)</enum><text>a commercial
			 information technology product, including hardware and software; or</text>
						</subparagraph><subparagraph id="id4CDED38DC55B4C4494284A86559E327A"><enum>(D)</enum><text>any service
			 provided in support of a product specified in subparagraph (C), including
			 installation services, maintenance services, repair services, training
			 services, and any other services provided in support of the product.</text>
						</subparagraph></paragraph><paragraph id="IDd6e6dde030e8491ca2e74d30ab13aa48"><enum>(3)</enum><header>Notification of
			 identification of system or asset</header><text>Not later than 30 days after
			 the Secretary designates a system or asset as covered critical infrastructure
			 under this section, the Secretary shall notify the owner of the system or asset
			 that was designated and the basis for the designation.</text>
					</paragraph><paragraph id="IDf645c4e594fd4ee488e66576bda992e0"><enum>(4)</enum><header>Self-designation
			 of system or asset as covered critical infrastructure</header><text>The owner
			 of a system or asset may request that the system or asset be designated as
			 covered critical infrastructure under this section if the owner determines that
			 the system or asset meets the criteria for designation.</text>
					</paragraph><paragraph id="ID47676360552046cdab78be1882423b4a"><enum>(5)</enum><header>System or asset
			 no longer covered critical infrastructure</header>
						<subparagraph id="ID6db3f6931bd24a44a6a55b7d304fe0d9"><enum>(A)</enum><header>In
			 general</header><text>If the Secretary determines that any system or asset that
			 was designated as covered critical infrastructure under this section no longer
			 constitutes covered critical infrastructure, the Secretary shall promptly
			 notify the owner of that system or asset of that determination.</text>
						</subparagraph><subparagraph id="IDb37c6104e0054eacba7b889c7b3a96f3"><enum>(B)</enum><header>Self-designation</header><text>If
			 an owner determines that an asset or system previously self-designated as
			 covered critical infrastructure under paragraph (4) no longer meets the
			 criteria for designation, the owner shall notify the Secretary of this
			 determination and submit to the redress process under subsection (c).</text>
						</subparagraph></paragraph><paragraph id="ID54e4511d7b1e4f0eac9fcf3b6990e1df"><enum>(6)</enum><header>Definition</header><text>In
			 this subsection, the term <term>damage</term> has the meaning given that term
			 in section 1030(e) of title 18, United States Code.</text>
					</paragraph></subsection><subsection id="IDc1121c7b540c442ab9bf480ce03c7001"><enum>(c)</enum><header>Redress</header>
					<paragraph id="ID443cce7ddbf4479ea0aad0928a4f22da"><enum>(1)</enum><header>In
			 general</header><text>Subject to paragraphs (2) and (3), the Secretary shall
			 develop a mechanism, consistent with subchapter II of chapter 5 of title 5,
			 United States Code, for an owner notified under subsection (b)(3) or for an
			 owner that self-designates under subsection (b)(4) to request that the
			 Secretary review—</text>
						<subparagraph id="ID26d34215b6bc4872b08bc5994d9ebac8"><enum>(A)</enum><text>the designation
			 of a system or asset as covered critical infrastructure;</text>
						</subparagraph><subparagraph id="ID1856958ab0414bebadd3fa683e3cc489"><enum>(B)</enum><text>the rejection of
			 the self-designation of an owner of a system or asset as covered critical
			 infrastructure; or</text>
						</subparagraph><subparagraph id="ID2fcfd812ddb24703a123563ee38e9184"><enum>(C)</enum><text>a determination
			 under subsection (b)(5)(B).</text>
						</subparagraph></paragraph><paragraph id="ID99a0cc315d5549518255c0bf574e1390"><enum>(2)</enum><header>Appeal to
			 Federal court</header><text>A civil action seeking judicial review of a final
			 agency action taken under the mechanism developed under paragraph (1) shall be
			 filed in the United States District Court for the District of Columbia.</text>
					</paragraph><paragraph id="ID9adc534c755a486ca6448ebb412a053f"><enum>(3)</enum><header>Compliance</header><text>An
			 owner shall comply with this title relating to covered critical infrastructure
			 until such time as the critical infrastructure is no longer designated as
			 covered critical infrastructure, based on—</text>
						<subparagraph id="ID454328b92f2c4d2d9fff74725f172ab5"><enum>(A)</enum><text>an appeal under
			 paragraph (1);</text>
						</subparagraph><subparagraph id="ID49d2ce046f7344a091b2bf8c88b228e9"><enum>(B)</enum><text>a determination
			 of the Secretary unrelated to an appeal; or</text>
						</subparagraph><subparagraph id="ID012e849258c9497c9a4275ba60a999d0"><enum>(C)</enum><text>a final judgment
			 entered in a civil action seeking judicial review brought in accordance with
			 paragraph (2).</text>
						</subparagraph></paragraph></subsection></section><section id="IDce73188f26c448c0bb2cdfd090d8107d"><enum>104.</enum><header>Sector-by-sector
			 risk-based cybersecurity performance requirements</header>
				<subsection id="idEC2D06D0E6BF43B3AF00D114852CE634"><enum>(a)</enum><header>Purpose</header><text>The
			 purpose of this section is to secure the critical infrastructure of the Nation
			 while promoting and protecting private sector innovation in design and
			 development of technology for the global market for commercial information
			 technology products, including hardware and software and related products and
			 services.</text>
				</subsection><subsection id="ID9d6206f669bb4783b0d256356371e3eb"><enum>(b)</enum><header>Performance
			 requirements</header><text>The Secretary, in consultation with owners and
			 operators, the Critical Infrastructure Partnership Advisory Council, and
			 appropriate Information Sharing and Analysis Organizations, and in coordination
			 with the National Institute of Standards and Technology, the Director of the
			 National Security Agency, sector-specific agencies, appropriate representatives
			 from State and local governments, and other Federal agencies with
			 responsibilities for regulating the security of covered critical
			 infrastructure, shall identify or develop, on a sector-by-sector basis,
			 risk-based cybersecurity performance requirements (referred to in this section
			 as <quote>performance requirements</quote>) that—</text>
					<paragraph id="ID1bd04885422d45298acd37d4024a1b2e"><enum>(1)</enum><text>require owners to
			 remediate or mitigate identified cyber risks and any associated consequences
			 identified under section 102(a) or otherwise; and</text>
					</paragraph><paragraph id="idededd23cd52f463fa755eef0fc66b016"><enum>(2)</enum><text>do not permit any
			 Federal employee or agency to—</text>
						<subparagraph id="ide1132c8166574c0694217e5bca5b09af"><enum>(A)</enum><text>regulate
			 commercial information technology products, including hardware and software and
			 related services, including installation services, maintenance services, repair
			 services, training services, and any other services provided in support of the
			 product;</text>
						</subparagraph><subparagraph id="ide36fac0bb4714eda85a1d2d461711fb4"><enum>(B)</enum><text>require
			 commercial information technology products, including hardware and software and
			 related services, for use or non-use in covered critical infrastructure;
			 or</text>
						</subparagraph><subparagraph id="id2752d106f8e34cbeb27955dd01b3e195"><enum>(C)</enum><text>regulate the
			 design, development, manufacturing, or attributes of commercial information
			 technology products, including hardware and software and related services, for
			 use or non-use in covered critical infrastructure.</text>
						</subparagraph></paragraph></subsection><subsection id="id42A79203E0864D09B85F96F679CF535B"><enum>(c)</enum><header>Limitation</header><text>If
			 the Secretary determines that there are regulations in effect on the date of
			 enactment of this Act that apply to covered critical infrastructure and that
			 address some or all of the risks identified under section 102, the Secretary
			 shall identify or develop performance requirements under this section only if
			 the regulations do not require an appropriate level of security.</text>
				</subsection><subsection id="id67ff1495d48047c1bb14d35e8a0a8c3c"><enum>(d)</enum><header>Identification
			 and development of performance requirements</header><text>In establishing the
			 performance requirements under this section, the Secretary shall—</text>
					<paragraph id="id7a4e6961c5784882ab93218765a0178a"><enum>(1)</enum><text>establish a
			 process for entities that own or operate critical infrastructure, voluntary
			 consensus standards development organizations, representatives of State and
			 local government, and the private sector, including sector coordinating
			 councils and appropriate Information Sharing and Analysis Organizations to
			 propose performance requirements;</text>
					</paragraph><paragraph id="id1cb0a7165b294cf183ac1b251cc1de82"><enum>(2)</enum><text>identify existing
			 industry practices, standards, and guidelines; and</text>
					</paragraph><paragraph id="id668d69d1b4a244308df609c14d6ca606"><enum>(3)</enum><text>select and adopt
			 performance requirements submitted under paragraph (1) or identified under
			 paragraph (2) that satisfy other provisions of this section.</text>
					</paragraph></subsection><subsection id="id021ef10e3ce84e50a78cd8a93c8d70df"><enum>(e)</enum><header>Requirement</header><text>If
			 the Secretary determines that none of the performance requirements submitted or
			 identified under paragraphs (1) and (2) of subsection (d) satisfy the other
			 provisions of this section, the Secretary shall, in consultation with owners
			 and operators, the Critical Infrastructure Partnership Advisory Council, and
			 appropriate Information Sharing and Analysis Organizations, and in coordination
			 with the National Institute of Standards and Technology, the Director of the
			 National Security Agency, sector-specific agencies, and other Federal agencies
			 with responsibilities for regulating the security of covered critical
			 infrastructure, develop satisfactory performance requirements.</text>
				</subsection><subsection id="ID6c488ff283d2419d820d9f01eaf84537"><enum>(f)</enum><header>Exemption
			 authority</header>
					<paragraph id="idc3f570574fab47dc99fa0ebbffd7a6da"><enum>(1)</enum><header>In
			 general</header><text>The President, in consultation with the Director of the
			 Office of Management and Budget, may exempt an appropriate part of covered
			 critical infrastructure from the requirements of this title if the President
			 determines that a sector-specific regulatory agency has sufficient specific
			 requirements and enforcement mechanisms to effectively mitigate the risks
			 identified under section 102.</text>
					</paragraph><paragraph id="id6aec436d916d482da48f604f88585511"><enum>(2)</enum><header>Reconsideration</header><text>The
			 President may reconsider any exemption under paragraph (1) as
			 appropriate.</text>
					</paragraph></subsection><subsection id="id818929838cb647098910700a37a4a041"><enum>(g)</enum><header>Consideration</header><text>The
			 Secretary, in establishing performance requirements under this section, shall
			 take into consideration available resources and anticipated consequences of a
			 cyber attack.</text>
				</subsection></section><section id="ID6ea7743415374997841719f5da93b562"><enum>105.</enum><header>Security of
			 covered critical infrastructure</header>
				<subsection id="ID4a6323c735124a698cf85f61d7491110"><enum>(a)</enum><header>In
			 general</header><text>Not later than 1 year after the date of enactment of this
			 Act, the Secretary, in consultation with owners and operators, and the Critical
			 Infrastructure Partnership Advisory Council, and in coordination with
			 sector-specific agencies and other Federal agencies with responsibilities for
			 regulating the security of covered critical infrastructure, shall promulgate
			 regulations to enhance the security of covered critical infrastructure against
			 cyber risks.</text>
				</subsection><subsection id="ID087a2d9f6436460295cdaf07a22f1f74"><enum>(b)</enum><header>Responsibilities</header><text>The
			 regulations promulgated under this section shall establish procedures under
			 which—</text>
					<paragraph id="IDdeb9c9b813044415a0d1319f2b6df19d"><enum>(1)</enum><text>each
			 owner—</text>
						<subparagraph id="ID2e08e8ca111640018a89ae13c007cb86"><enum>(A)</enum><text>is regularly
			 informed of cyber risk assessments, identified cybersecurity threats, and the
			 risk-based security performance requirements appropriate to the sector of the
			 owner established under section 104;</text>
						</subparagraph><subparagraph id="ID7ee7cf7d7f7d4c00b6271581bbcd4690"><enum>(B)</enum><text>selects and
			 implements the cybersecurity measures the owner determines to be best suited to
			 satisfy the risk-based cybersecurity performance requirements established under
			 section 104;</text>
						</subparagraph><subparagraph id="ID2bb588d552384d3b8e37af376e92b228"><enum>(C)</enum><text>develop or update
			 continuity of operations and incident response plans; and</text>
						</subparagraph><subparagraph id="ID711ab1fb76ae40598e89d4c819b006c2"><enum>(D)</enum><text>shall report,
			 consistent with the protections in section 107, significant cyber incidents
			 affecting covered critical infrastructure;</text>
						</subparagraph></paragraph><paragraph id="IDd22e1f7b62a64281b40df6766b4f7b5c"><enum>(2)</enum><text>the Secretary and
			 each Federal agency with responsibilities for regulating the security of
			 covered critical infrastructure, is notified of the security measure or
			 measures selected by an owner in accordance with paragraph (1)(B); and</text>
					</paragraph><paragraph id="id8424438B7A594348A6AD678511A413FC"><enum>(3)</enum><text>the
			 Secretary—</text>
						<subparagraph id="IDbaf775a31cf0477f87dca1dc20d73c09"><enum>(A)</enum><text>identifies, in
			 consultation with owners and operators, cyber risks that are not capable of
			 effective remediation or mitigation using available standards, industry
			 practices or other available security measures;</text>
						</subparagraph><subparagraph id="ID1e857909cf4f4c4190c0c694acd02c29"><enum>(B)</enum><text>provides owners
			 the opportunity to develop practices or security measures to remediate or
			 mitigate the cyber risks identified in section 102 without the prior approval
			 of the Secretary and without affecting the compliance of the covered critical
			 infrastructure with the requirements under this section;</text>
						</subparagraph><subparagraph id="IDff5603af066f465887768a70daedea70"><enum>(C)</enum><text>in accordance
			 with applicable law relating to the protection of trade secrets, permits owners
			 and operators to report to the Secretary the development of effective practices
			 or security measures to remediate or mitigate the cyber risks identified under
			 section 102; and</text>
						</subparagraph><subparagraph id="IDd5edce32d4674b439b51c282c84e7c94"><enum>(D)</enum><text>shall develop, in
			 conjunction with the Secretary of Defense and the Director of National
			 Intelligence and in coordination with owners and operators, a procedure for
			 ensuring that owners and operators are, to the maximum extent practicable and
			 consistent with the protection of sources and methods, informed of relevant
			 real-time threat information.</text>
						</subparagraph></paragraph></subsection><subsection id="ID8061e969d1b64246a309e8c135b9c312"><enum>(c)</enum><header>Enforcement</header>
					<paragraph id="IDffd45b0769e24e03938a99b81c045dda"><enum>(1)</enum><header>Requirements</header><text>The
			 regulations promulgated under this section shall establish procedures
			 that—</text>
						<subparagraph id="ID851692f4fbf848ad942bd5e8543355b4"><enum>(A)</enum><text>require each
			 owner—</text>
							<clause id="ID6fabea367d43417cb71adcbdfcf6dea1"><enum>(i)</enum><text>to
			 certify, on an annual basis, in writing to the Secretary and the head of the
			 Federal agency with responsibilities for regulating the security of the covered
			 critical infrastructure whether the owner has developed and effectively
			 implemented security measures sufficient to satisfy the risk-based security
			 performance requirements established under section 104; or</text>
							</clause><clause id="ID529f95153817462abbe7d6c6a50e9856"><enum>(ii)</enum><text>to
			 submit a third-party assessment in accordance with subsection (d), on an annual
			 basis;</text>
							</clause></subparagraph><subparagraph id="IDf08acbcd340a46fbb234ef38ba079581"><enum>(B)</enum><text>provide for civil
			 penalties for any person who—</text>
							<clause id="idB06A31A8B3DA442C9A374886C305BD78"><enum>(i)</enum><text>violates this
			 section; and</text>
							</clause><clause id="id4F246A2EA2F047D5A1FA914F106C77FB"><enum>(ii)</enum><text>fails to
			 remediate such violation in an appropriate timeframe; and</text>
							</clause></subparagraph><subparagraph id="IDa99039c894cd400ab692bd42d06cb66f"><enum>(C)</enum><text>do not confer
			 upon any person, except the Federal agency with responsibilities for regulating
			 the security of the covered critical infrastructure and the Secretary, a right
			 of action against an owner or operator to enforce any provision of this
			 section.</text>
						</subparagraph></paragraph><paragraph id="IDf6d560fd2ef24e89abd181a28290f757"><enum>(2)</enum><header>Proposed
			 security measures</header><text>An owner may select any security measures that
			 satisfy the risk-based security performance requirements established under
			 section 104.</text>
					</paragraph><paragraph id="ID6488f55da0384c7a8a48a5c7878e7230"><enum>(3)</enum><header>Recommended
			 security measures</header><text>Upon request from an owner or operator, the
			 Secretary may recommend a specific security measure that the Secretary believes
			 will satisfy the risk-based security performance requirements established under
			 section 104.</text>
					</paragraph><paragraph id="IDbbcf2f7f34c44d41afc294d13808b0b2"><enum>(4)</enum><header>Security and
			 performance-based exemptions</header>
						<subparagraph id="IDc4c9583865ab4d0eb2d54acf59280b75"><enum>(A)</enum><header>In
			 general</header><text>The Secretary shall develop a process for an owner to
			 demonstrate that—</text>
							<clause id="id2d639c6bc17e4910bfdd713f7a93e2d0"><enum>(i)</enum><text>a
			 covered system or asset is sufficiently secured against the risks identified in
			 section 102; or</text>
							</clause><clause id="ida02822497f684fa3b7e6662a7c9b637f"><enum>(ii)</enum><text>compliance with
			 risk-based performance requirements developed under section 104 would not
			 substantially improve the security of the covered system or asset.</text>
							</clause></subparagraph><subparagraph id="id5c07c7532a9c47e28594014eef01dc50"><enum>(B)</enum><header>Exemption
			 authority</header><text>Upon a determination by the Secretary that a covered
			 system or asset is sufficiently secured against the risks identified in section
			 102, or that compliance with risk based performance requirements developed
			 under section 104 would not substantially improve the security of the system or
			 asset, the Secretary may not require the owner to select or implement
			 cybersecurity measures or submit an annual certification or third party
			 assessment as required under this Act.</text>
						</subparagraph><subparagraph id="id47325fd649c24b288e078ba80255f0dc"><enum>(C)</enum><header>Requirement</header><text>The
			 Secretary shall require an owner that was exempted under subparagraph (B) to
			 demonstrate that the covered system or asset of the owner is sufficiently
			 secured against the risks identified in section 102, or that compliance with
			 risk based performance requirements developed under section 104 would not
			 substantially improve the security of the system or asset—</text>
							<clause id="id4e33151fbf144ed58e23a9e823cc4143"><enum>(i)</enum><text>not
			 less than once every 3 years; or</text>
							</clause><clause id="id347696703a774099911f3ef885a51c06"><enum>(ii)</enum><text>if
			 the Secretary has reason to believe that the covered system or asset no longer
			 meets the exemption qualifications under subparagraph (B).</text>
							</clause></subparagraph></paragraph><paragraph id="ID20d1590cb120441eb4e751a1ce7fd321"><enum>(5)</enum><header>Enforcement
			 actions</header><text>An action to enforce any regulation promulgated pursuant
			 to this section shall be initiated by—</text>
						<subparagraph id="IDf9d121e25a8c47fa9bcf4f2d0f965f1d"><enum>(A)</enum><text>the Federal
			 agency with responsibilities for regulating the security of the covered
			 critical infrastructure, in consultation with the Secretary; or</text>
						</subparagraph><subparagraph id="ID93dc644cf3a049be977ecb60c4b97b82"><enum>(B)</enum><text>the Secretary,
			 when—</text>
							<clause id="ID5ec2262d17c24c47857f757ec7c0eef6"><enum>(i)</enum><text>the
			 covered critical infrastructure is not subject to regulation by another Federal
			 agency;</text>
							</clause><clause id="IDdf4c29f7d97a464ebfbf08e1f60715ef"><enum>(ii)</enum><text>the head of the
			 Federal agency with responsibilities for regulating the security of the covered
			 critical infrastructure requests the Secretary take such action; or</text>
							</clause><clause id="IDe8173efde2dd4ea9a322c9625a26de0a"><enum>(iii)</enum><text>the Federal
			 agency with responsibilities for regulating the security of the covered
			 critical infrastructure fails to initiate such action after a request by the
			 Secretary.</text>
							</clause></subparagraph></paragraph></subsection><subsection id="ID3a9acb2bb5e1467a836517a672be0c2b"><enum>(d)</enum><header>Assessments</header>
					<paragraph id="ID059ef48a78424ee3bd06223376cf2e9a"><enum>(1)</enum><header>Third-party
			 assessments</header><text>The regulations promulgated under this section shall
			 establish procedures for third-party private entities to conduct assessments
			 that use reliable, repeatable, performance-based evaluations and metrics
			 to—</text>
						<subparagraph id="ID0ace512574c2467aa87d090eaf537c33"><enum>(A)</enum><text>assess the
			 implementation of the selected security measures;</text>
						</subparagraph><subparagraph id="IDa542782db41d426cadce3a4a8479db83"><enum>(B)</enum><text>assess the
			 effectiveness of the security measure or measures implemented by the owner in
			 satisfying the risk-based security performance requirements established under
			 section 104;</text>
						</subparagraph><subparagraph id="IDebdc3e217e904feeb31800507d051a0d"><enum>(C)</enum><text>require that
			 third party assessors—</text>
							<clause id="IDbade39c982444106a3a7a538bac08ba3"><enum>(i)</enum><text>be
			 certified by the Secretary, in consultation with the head of any Federal agency
			 with responsibilities for regulating the security of covered critical
			 infrastructure, after completing a proficiency program established by the
			 Secretary in consultation with owners and operators, the Critical
			 Infrastructure Partnership Advisory Council, appropriate Information Sharing
			 and Analysis Organizations, and in coordination with the Director of the
			 National Institute of Standards and Technology, and relevant Federal
			 agencies;</text>
							</clause><clause id="ID6ae3fe91dea74300bc44d05fc8c45787"><enum>(ii)</enum><text>undergo regular
			 retraining and certification;</text>
							</clause><clause id="ID5e6f17daa3be45fc9aebc3ab91f4c19f"><enum>(iii)</enum><text>provide the
			 findings of the third party assessors to the owners and operators; and</text>
							</clause><clause id="ID89a2bd7c19c743d19f8875c8c870e5b8"><enum>(iv)</enum><text>submit each
			 independent assessment to the owner, the Secretary, and to the Federal agency
			 with responsibilities for regulating the security of the covered critical
			 infrastructure.</text>
							</clause></subparagraph></paragraph><paragraph id="IDe25761c99aeb47ef8e3d6ab32dd3eb67"><enum>(2)</enum><header>Other
			 assessments</header><text>The regulations promulgated under this section shall
			 establish procedures under which the Secretary—</text>
						<subparagraph id="IDbd3a1bc371bd4a5e814e7fa0d6abd56b"><enum>(A)</enum><text>may perform
			 cybersecurity assessments of selected covered critical infrastructure, in
			 consultation with relevant agencies, based on—</text>
							<clause id="ID4aa64c5ddf624e088f64758f297728ac"><enum>(i)</enum><text>the
			 specific cyber risks affecting or potentially affecting the information
			 infrastructure of the specific system or asset constituting covered critical
			 infrastructure;</text>
							</clause><clause id="IDc003044878e1415290e6ff07ad8e6c35"><enum>(ii)</enum><text>any reliable
			 intelligence or other information indicating a cyber risk to the information
			 infrastructure of the specific system or asset constituting covered critical
			 infrastructure;</text>
							</clause><clause id="IDeb3971bc7a3248c3830836449c140eab"><enum>(iii)</enum><text>actual
			 knowledge or reasonable suspicion that an owner is not in compliance with
			 risk-based security performance requirements established under section 104;
			 or</text>
							</clause><clause id="IDa8028d3beb1a45c0af7b5373fb19ad76"><enum>(iv)</enum><text>such other
			 risk-based factors as identified by the Secretary; and</text>
							</clause></subparagraph><subparagraph id="ID77b04fa9a144472d91df6a419f62e4df"><enum>(B)</enum><text>may use the
			 resources of any relevant Federal agency with the concurrence of the head of
			 such agency;</text>
						</subparagraph><subparagraph id="IDeb84ed92673b4db69e2d72e162476c99"><enum>(C)</enum><text>to the extent
			 practicable uses government and private sector information security assessment
			 programs that were in existence on the date of enactment of this Act to conduct
			 assessments; and</text>
						</subparagraph><subparagraph id="ID5eb0874db90044669e829094c62bbb01"><enum>(D)</enum><text>provides copies
			 of any Federal Government assessments to the owner of the covered system or
			 asset.</text>
						</subparagraph></paragraph><paragraph id="ID82e2ca5944344bb38497469e95b322aa"><enum>(3)</enum><header>Access to
			 information</header>
						<subparagraph id="ID1bd4a05c822d4576839f015527bd7986"><enum>(A)</enum><header>In
			 general</header><text>For the purposes of an assessment conducted under
			 paragraph (1) or (2), an owner or operator shall provide an assessor any
			 reasonable access necessary to complete the assessment.</text>
						</subparagraph><subparagraph id="ID051c65bb3f4f4a64a304a69a579212cc"><enum>(B)</enum><header>Protection of
			 information</header><text>Information provided to the Secretary, the
			 Secretary’s designee, or any assessor during the course of an assessment under
			 this section shall be protected from disclosure in accordance with section
			 107.</text>
						</subparagraph></paragraph></subsection><subsection id="ID79694bd6a9824e42bb61bf984598c33b"><enum>(e)</enum><header>Limitations on
			 civil liability</header>
					<paragraph id="IDfe04190fd8b040689003fbb2a2e4a0ec"><enum>(1)</enum><header>In
			 general</header><text>Except as provided in paragraph (2), in any civil action
			 for damages directly caused by an incident related to a cyber risk identified
			 under section 102, an owner or operator shall not be liable for any punitive
			 damages intended to punish or deter if the owner or operator—</text>
						<subparagraph id="ID06797fa9dd384a91bf541d085c9800ab"><enum>(A)</enum><text>has implemented
			 security measures, or a combination thereof, that satisfy the security
			 performance requirements established under section 104;</text>
						</subparagraph><subparagraph id="ID5fbed9376a8a4466bc4500a42d5908e8"><enum>(B)</enum><text>has undergone
			 successful assessments, submitted an annual certification or third party
			 assessment required by subsection (c)(1), or been granted an exemption in
			 accordance with subsection (c)(4); and</text>
						</subparagraph><subparagraph id="IDdced3697b4f54d2eae3c85d34b5deca2"><enum>(C)</enum><text>is in substantial
			 compliance with the appropriate risk based cybersecurity performance
			 requirements at the time of the incident related to that cyber risk.</text>
						</subparagraph></paragraph><paragraph id="IDab8123909ad14fb3beca75b5c6377e69"><enum>(2)</enum><header>Limitation</header><text>Paragraph
			 (1) shall only apply to harm directly caused by the incident related to the
			 cyber risk and shall not apply to damages caused by any additional or
			 intervening acts or omissions by the owner or operator.</text>
					</paragraph></subsection></section><section id="ID2e7950c1316c4aa4b9627f3b08ea233f"><enum>106.</enum><header>Sector-specific
			 agencies</header>
				<subsection id="ID7ff8b0ed1a714de0a36bc79669f25c04"><enum>(a)</enum><header>In
			 general</header><text>The head of each sector-specific agency and the head of
			 any Federal agency that is not a sector-specific agency with responsibilities
			 for regulating the security of covered critical infrastructure shall coordinate
			 with the Secretary on any activities of the sector-specific agency or Federal
			 agency that relate to the efforts of the agency regarding the cybersecurity and
			 resiliency to cyber attack of critical infrastructure and covered critical
			 infrastructure, within or under the supervision of the agency.</text>
				</subsection><subsection id="ID82569a382b7646c8b2cbcb2834de6b20"><enum>(b)</enum><header>Duplicative
			 reporting requirements</header>
					<paragraph id="ID15546830b56542d0a15bcf1d76e6dcc2"><enum>(1)</enum><header>In
			 general</header><text>The Secretary shall coordinate with the head of each
			 sector-specific agency and the head of any Federal agency that is not a
			 sector-specific agency with responsibilities for regulating the security of
			 covered critical infrastructure to determine whether reporting requirements in
			 effect on the date of enactment of this Act substantially fulfill any reporting
			 requirements described in this title.</text>
					</paragraph><paragraph id="id38B8FB9A9816410D885E31A1F138F2AE"><enum>(2)</enum><header>Prior required
			 reports</header><text>If the Secretary determines that a report that was
			 required under a regulatory regime in existence on the date of enactment of
			 this Act substantially satisfies a reporting requirement under this title, the
			 Secretary shall use such report and may not require an owner or operator to
			 submit an additional report.</text>
					</paragraph><paragraph id="IDc5497e823904492b9a8a3a5293d91a1e"><enum>(3)</enum><header>Coordination</header><text>The
			 Secretary shall coordinate with the head of each sector-specific agency and the
			 head of any Federal agency that is not a sector-specific agency with
			 responsibilities for regulating the security of covered critical infrastructure
			 to eliminate any duplicate reporting or compliance requirements relating to the
			 security or resiliency of critical infrastructure and covered critical
			 infrastructure, within or under the supervision of the agency.</text>
					</paragraph></subsection><subsection id="ID7bb86f497d824824aa58a887d8e1acfc"><enum>(c)</enum><header>Requirements</header>
					<paragraph id="ID74224ee857c0495b955f531d300d470a"><enum>(1)</enum><header>In
			 general</header><text>To the extent that the head of each sector-specific
			 agency and the head of any Federal agency that is not a sector-specific agency
			 with responsibilities for regulating the security of covered critical
			 infrastructure has the authority to establish regulations, rules, or
			 requirements or other required actions that are applicable to the security of
			 critical infrastructure and covered critical infrastructure, the head of the
			 agency shall—</text>
						<subparagraph id="ID72e312c7f2c34f62b744f2f3e2326945"><enum>(A)</enum><text>notify the
			 Secretary in a timely fashion of the intent to establish the regulations,
			 rules, requirements, or other required actions;</text>
						</subparagraph><subparagraph id="ID1dec826c7a9c46bfa6d89fbb5a32f7d6"><enum>(B)</enum><text>coordinate with
			 the Secretary to ensure that the regulations, rules, requirements, or other
			 required actions are consistent with, and do not conflict with or impede, the
			 activities of the Secretary under this title; and</text>
						</subparagraph><subparagraph id="ID76aa4808b189445ca02dc0c1dfc08dd0"><enum>(C)</enum><text>in coordination
			 with the Secretary, ensure that the regulations, rules, requirements, or other
			 required actions are implemented, as they relate to covered critical
			 infrastructure, in accordance with subsection (a).</text>
						</subparagraph></paragraph><paragraph id="IDc7f73982b6dc4ae08e7f89568dedfc21"><enum>(2)</enum><header>Rule of
			 construction</header><text>Nothing in this section shall be construed to
			 provide additional authority for any sector-specific agency or any Federal
			 agency that is not a sector-specific agency with responsibilities for
			 regulating the security of critical infrastructure or covered critical
			 infrastructure to establish standards or other measures that are applicable to
			 the security of critical infrastructure not otherwise authorized by law.</text>
					</paragraph></subsection></section><section id="ID217d62ce62714ad7a76de332ce9fdb85"><enum>107.</enum><header>Protection of
			 information</header>
				<subsection id="ID1c168914c9d5450398fd72f19a7ec5da"><enum>(a)</enum><header>Definition</header><text>In
			 this section, the term <term>covered information</term>—</text>
					<paragraph id="ID3caa89b91e274f2286ea961a059a56e8"><enum>(1)</enum><text>means—</text>
						<subparagraph id="IDff8b0e4104e24243b1b55bb7fa60ec7c"><enum>(A)</enum><text>any information
			 that constitutes a privileged or confidential trade secret or commercial or
			 financial transaction that is appropriately marked at the time it is provided
			 by entities that own or operate critical infrastructure in sector-by-sector
			 risk assessments conducted under section 102;</text>
						</subparagraph><subparagraph id="id45799CB4041A4A51BAFBC4C5967B9339"><enum>(B)</enum><text>any information
			 required to be submitted by owners and operators under section 105; and</text>
						</subparagraph><subparagraph id="ID146c56218c91428ca603a0b8ef5150a6"><enum>(C)</enum><text>any information
			 submitted by State and local governments, private entities, and international
			 partners of the United States regarding threats, vulnerabilities, risks, and
			 incidents affecting—</text>
							<clause id="ID8e0999c898984da998aed5ff6e128718"><enum>(i)</enum><text>the
			 Federal information infrastructure;</text>
							</clause><clause id="ID324ddb943a1d47b1a043b6ef1069a129"><enum>(ii)</enum><text>information
			 infrastructure that is owned, operated, controlled, or licensed for use by, or
			 on behalf of, the Department of Defense, a military department, or another
			 element of the intelligence community; or</text>
							</clause><clause id="IDe361c42008ff412d8410b554be225c86"><enum>(iii)</enum><text>critical
			 infrastructure; and</text>
							</clause></subparagraph></paragraph><paragraph id="IDcd0bb149d42d46ed9e3c49f9f248b745"><enum>(2)</enum><text>does not include
			 any information described under paragraph (1), if that information is submitted
			 to—</text>
						<subparagraph id="ID282aec974ee1467ead7f9ed674c7a2b2"><enum>(A)</enum><text>conceal
			 violations of law, inefficiency, or administrative error;</text>
						</subparagraph><subparagraph id="ID0303f08f763a47eeb74202d746ad527d"><enum>(B)</enum><text>prevent
			 embarrassment to a person, organization, or agency; or</text>
						</subparagraph><subparagraph id="IDd9a59779b7b44fc8b1ca07e1e6bbded5"><enum>(C)</enum><text>interfere with
			 competition in the private sector.</text>
						</subparagraph></paragraph></subsection><subsection id="IDc7f0d3b6a3cb4ec98e42f5ad51082dd9"><enum>(b)</enum><header>Voluntarily
			 shared critical infrastructure information</header><text>Covered information
			 submitted in accordance with this section shall be treated as voluntarily
			 shared critical infrastructure information under section 214 of the Homeland
			 Security Act (6 U.S.C. 133), except that the requirement of such section 214
			 that the information be voluntarily submitted, including the requirement for an
			 express statement, shall not be required for protection of information under
			 this section to apply.</text>
				</subsection><subsection id="IDded76a8ad90d4bff8bd9fc186144cde9"><enum>(c)</enum><header>Guidelines</header>
					<paragraph id="idc14e3f516b664c46a16451cf5830752e"><enum>(1)</enum><header>In
			 general</header><text>Subject to paragraph (2), the Secretary shall develop and
			 issue guidelines, in consultation with the Attorney General and the Critical
			 Infrastructure Partnership Advisory Council, appropriate Information Sharing
			 and Analysis Organizations, as necessary to implement this section.</text>
					</paragraph><paragraph id="IDc5bdc681a35a40769f671cae7efa98a7"><enum>(2)</enum><header>Requirements</header><text>The
			 guidelines developed under this section shall—</text>
						<subparagraph id="ID7e9c95e13b5f42a4afb22646ea3e0707"><enum>(A)</enum><text>include
			 provisions for the sharing of information among governmental and
			 nongovernmental officials and entities in furtherance of carrying out the
			 authorities and responsibilities of the Secretary;</text>
						</subparagraph><subparagraph id="ID68cf9d4ce9514a5f9c0e795b723e6d5e"><enum>(B)</enum><text>be consistent, to
			 the maximum extent possible, with policy guidance and implementation standards
			 developed by the National Archives and Records Administration for controlled
			 unclassified information, including with respect to marking, safeguarding,
			 dissemination, and dispute resolution; and</text>
						</subparagraph><subparagraph id="ID794381fbb4ae416bbfb7745fe960f330"><enum>(C)</enum><text>describe, with as
			 much detail as possible, the categories and type of information entities should
			 voluntarily submit.</text>
						</subparagraph></paragraph></subsection><subsection id="ID916cf0cd139f42c49185e24711c6e464"><enum>(d)</enum><header>Process for
			 reporting security threats, vulnerabilities, risks, and incidents</header>
					<paragraph id="ID28e0a6184f0f4e32ad4929b883daa806"><enum>(1)</enum><header>Establishment
			 of process</header><text>The Secretary shall establish through regulation, and
			 provide information to the public regarding, a process by which any person may
			 submit a report to the Secretary regarding cybersecurity threats,
			 vulnerabilities, risks, and incidents affecting—</text>
						<subparagraph id="IDa14bdc564d4e47e78857f2ac75d3034b"><enum>(A)</enum><text>the Federal
			 information infrastructure;</text>
						</subparagraph><subparagraph id="IDf9d091f9d9f94f9c87cb26dd095763c2"><enum>(B)</enum><text>information
			 infrastructure that is owned, operated, controlled, or licensed for use by, or
			 on behalf of, the Department of Defense, a military department, or another
			 element of the intelligence community; or</text>
						</subparagraph><subparagraph id="ID3c5b3674243e482f88857e5880142012"><enum>(C)</enum><text>critical
			 infrastructure.</text>
						</subparagraph></paragraph><paragraph id="ID3efbb1611bfc47ce81673cb6f3759dde"><enum>(2)</enum><header>Acknowledgment
			 of receipt</header><text>If a report submitted under paragraph (1) includes the
			 identity of the person making the report, the Secretary shall respond promptly
			 to the person and acknowledge receipt of the report.</text>
					</paragraph><paragraph id="ID48ad35f467f7431b8fc5a60ec4912db8"><enum>(3)</enum><header>Steps to
			 address problem</header><text>Consistent with existing authority, the Secretary
			 shall review and consider the information provided in any report submitted
			 under paragraph (1) and, at the sole, unreviewable discretion of the Secretary,
			 determine what, if any, steps are necessary or appropriate to address any
			 threats, vulnerabilities, risks, and incidents identified.</text>
					</paragraph><paragraph id="IDf61fe122cfb046e5a98dddeea7748c70"><enum>(4)</enum><header>Disclosure of
			 identity</header>
						<subparagraph id="ID759de131035a4dd6b508a630c10696a4"><enum>(A)</enum><header>In
			 general</header><text>Except as provided in subparagraph (B), or with the
			 written consent of the person, the Secretary may not disclose the identity of a
			 person who has provided information described in paragraph (1).</text>
						</subparagraph><subparagraph id="IDf96f1aa63e964008be6611a1daf960d4"><enum>(B)</enum><header>Referral to the
			 Attorney General</header>
							<clause id="id12AC293052F3439E97DC15F43273534D"><enum>(i)</enum><header>In
			 general</header><text>The Secretary shall disclose to the Attorney General the
			 identity of a person who has provided information described in paragraph (1) if
			 the matter is referred to the Attorney General for enforcement.</text>
							</clause><clause id="id6412C7D8AD60420E82DF609578806B0F"><enum>(ii)</enum><header>Notice</header><text>The
			 Secretary shall provide reasonable advance notice to the person described in
			 clause (i) if disclosure of that person’s identity is to occur, unless such
			 notice would risk compromising a criminal or civil enforcement investigation or
			 proceeding.</text>
							</clause></subparagraph></paragraph></subsection><subsection id="IDabd0cdb3905b4f80b4fb08e3551ca672"><enum>(e)</enum><header>Rules of
			 construction</header><text>Nothing in this section shall be construed
			 to—</text>
					<paragraph id="ID6af0cf300bc842818dd25495a76f4538"><enum>(1)</enum><text>limit or
			 otherwise affect the right, ability, duty, or obligation of any entity to use
			 or disclose any information of that entity, including in the conduct of any
			 judicial or other proceeding;</text>
					</paragraph><paragraph id="ID9765cd4dbb8e404f80dc1a37d3f560cc"><enum>(2)</enum><text>prevent the
			 classification of information submitted under this section if that information
			 meets the standards for classification under Executive Order 12958, or any
			 successor thereto, or affect measures and controls relating to the protection
			 of classified information as prescribed by Federal statute or under Executive
			 Order 12958, or any successor thereto;</text>
					</paragraph><paragraph id="ID2614fab4e9de47b7a6ce149fcf61e3bf"><enum>(3)</enum><text>limit the right
			 of an individual to make any disclosure—</text>
						<subparagraph id="ID996cc36f6a3e4e8eb740e41e63b33bdc"><enum>(A)</enum><text>protected or
			 authorized under section 2302(b)(8) or 7211 of title 5, United States
			 Code;</text>
						</subparagraph><subparagraph id="IDc7a137dc92eb43968c68fdd63818c311"><enum>(B)</enum><text>to an appropriate
			 official of information that the individual reasonably believes evidences a
			 violation of any law, rule, or regulation, gross mismanagement, or substantial
			 and specific danger to public health, safety, or security, and that is
			 protected under any Federal or State law (other than those referenced in
			 subparagraph (A)) that shields the disclosing individual against retaliation or
			 discrimination for having made the disclosure if such disclosure is not
			 specifically prohibited by law and if such information is not specifically
			 required by Executive order to be kept secret in the interest of national
			 defense or the conduct of foreign affairs; or</text>
						</subparagraph><subparagraph id="ID0a3a8f50cac6489a9df6b105df199275"><enum>(C)</enum><text>to the Special
			 Counsel, the Inspector General of an agency, or any other employee designated
			 by the head of an agency to receive similar disclosures;</text>
						</subparagraph></paragraph><paragraph id="IDc896108c37f54d3f9e4cc55ebd76bcd2"><enum>(4)</enum><text>prevent the
			 Secretary from using information required to be submitted under this Act for
			 enforcement of this title, including enforcement proceedings subject to
			 appropriate safeguards;</text>
					</paragraph><paragraph id="ID31ed5bbb24c54dbe9451f70e9eb7a569"><enum>(5)</enum><text>authorize
			 information to be withheld from Congress, the Comptroller General, or the
			 Inspector General of the Department;</text>
					</paragraph><paragraph id="ID6cf659d028a64ce19d01973e6976250e"><enum>(6)</enum><text>affect
			 protections afforded to trade secrets under any other provision of law;
			 or</text>
					</paragraph><paragraph id="ID1dfba35a5ead43bcba2bd31a28b483a8"><enum>(7)</enum><text>create a private
			 right of action for enforcement of any provision of this section.</text>
					</paragraph></subsection><subsection id="IDf75a96b3c28b475c99c0c684b7bf94dd"><enum>(f)</enum><header>Audit</header>
					<paragraph id="ID0aadca64b73b4df08fc22d9255f8ff42"><enum>(1)</enum><header>In
			 general</header><text>Not later than 1 year after the date of enactment of this
			 Act, the Inspector General of the Department shall conduct an audit of the
			 management of information submitted under this section and report the findings
			 to appropriate committees of Congress.</text>
					</paragraph><paragraph id="ID5d78d8a161b44bb68f96d4939957af23"><enum>(2)</enum><header>Contents</header><text>The
			 audit under paragraph (1) shall include assessments of—</text>
						<subparagraph id="ID11e36165a625449c923ef0b0cce1599a"><enum>(A)</enum><text>whether the
			 information is adequately safeguarded against inappropriate disclosure;</text>
						</subparagraph><subparagraph id="ID36977b68f08347a3a3cd59e9b06c993d"><enum>(B)</enum><text>the processes for
			 marking and disseminating the information and resolving any disputes;</text>
						</subparagraph><subparagraph id="IDa6ebaad67b0e48f9bce498c16db22419"><enum>(C)</enum><text>how the
			 information is used for the purposes of this section, and whether that use is
			 effective;</text>
						</subparagraph><subparagraph id="ID1350c6e651244a7da3f39f15fc2fdf91"><enum>(D)</enum><text>whether
			 information sharing has been effective to fulfill the purposes of this
			 section;</text>
						</subparagraph><subparagraph id="IDfd218df530e840519a9fe45449a61b83"><enum>(E)</enum><text>whether the kinds
			 of information submitted have been appropriate and useful, or overbroad or
			 overnarrow;</text>
						</subparagraph><subparagraph id="IDec1ed84080ec45c296a861a30defb1d4"><enum>(F)</enum><text>whether the
			 information protections allow for adequate accountability and transparency of
			 the regulatory, enforcement, and other aspects of implementing this title;
			 and</text>
						</subparagraph><subparagraph id="IDd480b82ace7b4a6a99598cc042999d3a"><enum>(G)</enum><text>any other factors
			 at the discretion of the Inspector General.</text>
						</subparagraph></paragraph></subsection></section><section id="ID659a80eb78fc46329f7bbcc496584313"><enum>108.</enum><header>Voluntary
			 technical assistance</header><text display-inline="no-display-inline">Subject
			 to the availability of resources, in accordance with applicable law relating to
			 the protection of trade secrets, and at the discretion of the Secretary, the
			 Secretary shall provide voluntary technical assistance at the request of an
			 owner or operator of covered critical infrastructure, to assist the owner or
			 operator in meeting the requirements of section 105, including implementing
			 required security or emergency measures, restoring the critical infrastructure
			 in the event of destruction or serious disruption, and developing emergency
			 response plans.</text>
			</section><section id="ID1fba16e2e2ec48b1ba6ece63a10e1856"><enum>109.</enum><header>Emergency
			 planning</header>
				<subsection id="ID2b3709ee762a4ce99abbddabaf2f4ebf"><enum>(a)</enum><header>Emergency
			 planning</header><text>In partnership with owners and operators, the Secretary,
			 in coordination with the heads of sector-specific agencies and the heads of
			 other Federal agencies with responsibilities for regulating the security of
			 covered critical infrastructure, shall exercise response and restoration plans,
			 including plans required under section 105(b) to—</text>
					<paragraph id="ID60b4d7e9520d49618ba3809f6bdf7fe9"><enum>(1)</enum><text>assess
			 performance and improve the capabilities and procedures of government and
			 private sector entities to respond to a major cyber incident; and</text>
					</paragraph><paragraph id="ID4c3abdfa06fa46ac8040929e743e98f2"><enum>(2)</enum><text>clarify specific
			 roles, responsibilities, and authorities of government and private sector
			 entities when responding to a major cyber incident.</text>
					</paragraph></subsection></section><section id="ID467a4038865949a29794621b1cc3db37"><enum>110.</enum><header>International
			 cooperation</header>
				<subsection id="ID68bf234cc02f462d811eba2cfa318393"><enum>(a)</enum><header>In
			 general</header><text>The Secretary, in coordination with the Secretary of
			 State or the head of the sector-specific agencies and the head of any Federal
			 agency with responsibilities for regulating the security of covered critical
			 infrastructure, shall—</text>
					<paragraph id="ID7b743f8a9c1a4e64874d114f3e4a4e70"><enum>(1)</enum><text>consistent with
			 the protection of intelligence sources and methods and other sensitive matters,
			 inform the owner or operator of information infrastructure located outside the
			 United States the disruption of which could result in national or regional
			 catastrophic damage within the United States and the government of the country
			 in which the information infrastructure is located of any cyber risks to such
			 information infrastructure; and</text>
					</paragraph><paragraph id="ID7d459688a3b744568d105f1d722baedb"><enum>(2)</enum><text>coordinate with
			 the government of the country in which such information infrastructure is
			 located and, as appropriate, the owner or operator of the information
			 infrastructure regarding the implementation of security measures or other
			 measures to the information infrastructure to mitigate or remediate cyber
			 risks.</text>
					</paragraph></subsection><subsection id="ID1297f484d5cb4f0c97bfe6452c0ea723"><enum>(b)</enum><header>International
			 agreements</header><text>The Secretary, in coordination with the Secretary of
			 State, including in particular with the interpretation of international
			 agreements, shall perform the functions prescribed by this section consistent
			 with applicable international agreements.</text>
				</subsection></section><section id="idBD892291DB8043368D99C666870DC5F7"><enum>111.</enum><header>Effect on
			 other laws</header>
				<subsection id="id358F86F80D3348E0B900FE0BDC2F1D9B"><enum>(a)</enum><header>Preemption of
			 State cybersecurity laws</header><text>This Act shall supersede any statute,
			 provision of a statute, regulation, or rule of a State or political subdivision
			 of a State that expressly requires comparable cybersecurity practices to
			 protect covered critical infrastructure.</text>
				</subsection><subsection id="idAE9B14DF136F454AA4F80EEF2F28FA29"><enum>(b)</enum><header>Preservation of
			 other State law</header><text>Except as expressly provided in subsection (a)
			 and section 105(e), nothing in this Act shall be construed to preempt the
			 applicability of any other State law or requirement.</text>
				</subsection></section></title><title id="id47ADCFA182B442FC8158764795081EE7"><enum>II</enum><header>Protecting
			 government networks</header>
			<section id="idB8E6DBD0445A4F699A897BBEFB635C0E"><enum>201.</enum><header>FISMA
			 Reform</header>
				<subsection id="ID057dad156e784e99a57c8e1ecfc75ec2"><enum>(a)</enum><header>In
			 general</header><text>Chapter 35 of title 44, United States Code, is amended by
			 striking subchapters II and III and inserting the following:</text>
					<quoted-block display-inline="no-display-inline" id="id25ADF0647BDD4E58AE1ADCFE9B52BF48" style="USC">
						<subchapter id="id860D576E970C4A0A84DF9DADD66F6212"><enum>II</enum><header>Information
				security</header>
							<section id="id3BB7B7410F744A88987C767B601D23F2" section-type="subsequent-section"><enum>3551.</enum><header>Purposes</header><text display-inline="no-display-inline">The purposes of this subchapter are
				to—</text>
								<paragraph id="IDee295761b02a4efdbc4674a033746243"><enum>(1)</enum><text>provide a
				comprehensive framework for ensuring the effectiveness of information security
				controls over information resources that support Federal operations and
				assets;</text>
								</paragraph><paragraph id="ID93d168822698441f9e1517004b173b8a"><enum>(2)</enum><text>recognize the
				highly networked nature of the Federal computing environment and provide
				effective governmentwide management of policies, directives, standards, and
				guidelines, as well as effective and nimble oversight of and response to
				information security risks, including coordination of information security
				efforts throughout the Federal civilian, national security, and law enforcement
				communities;</text>
								</paragraph><paragraph id="IDa0cfb52eff9d4e0f9987fe21f9640f7b"><enum>(3)</enum><text>provide for
				development and maintenance of controls required to protect agency information
				and information systems and contribute to the overall improvement of agency
				information security posture; and</text>
								</paragraph><paragraph id="ID0963cd2d21764caf84d9d86c912d9f6c"><enum>(4)</enum><text>provide a
				mechanism to improve and continuously monitor the security of agency
				information security programs and systems through a focus on continuous
				monitoring of agency information systems and streamlined reporting requirements
				rather than overly prescriptive manual reporting.</text>
								</paragraph></section><section id="ID18c656f7bdd64b6fbe88a4bff412793d"><enum>3552.</enum><header>Definitions</header>
								<subsection id="ID88f7f7e8f0504a9cab0e6335954533f0"><enum>(a)</enum><header>In
				general</header><text>Except as provided under subsection (b), the definitions
				under section 3502 (including the definitions of the terms <term>agency</term>
				and <term>information system</term>) shall apply to this subchapter.</text>
								</subsection><subsection id="IDc423ac5a99fc4ef2876acddd424fca33"><enum>(b)</enum><header>Other
				terms</header><text>In this subchapter:</text>
									<paragraph id="ID05cc6ffd52214284b6bcf36d6d533223"><enum>(1)</enum><header>Adequate
				security</header><text>The term <term>adequate security</term> means security
				commensurate with the risk and impact resulting from the unauthorized access to
				or loss, misuse, destruction, or modification of information.</text>
									</paragraph><paragraph id="IDb8f49f61899247659b05d7ca955c1b50"><enum>(2)</enum><header>Continuous
				monitoring</header><text>The term <term>continuous monitoring</term> means the
				ongoing real-time or near real-time process used to determine if the complete
				set of planned, required, and deployed security controls within an information
				system continue to be effective over time in light of rapidly changing
				information technology and threat development. To the maximum extent possible,
				this also requires automation of that process to enable cost-effective,
				efficient, and consistent monitoring and provide a more dynamic view of the
				security state of those deployed controls.</text>
									</paragraph><paragraph id="ID62f1b9678f9a486ab45e5eb214f2ba5c"><enum>(3)</enum><header>Incident</header><text>The
				term <term>incident</term> means an occurrence that—</text>
										<subparagraph id="ID92c42dcd28c740cfa8d5c2c176d3ec90"><enum>(A)</enum><text>actually or
				imminently jeopardizes, without lawful authority, the integrity,
				confidentiality, or availability of information or an information system;
				or</text>
										</subparagraph><subparagraph id="ID4c3a2d969c034d98b50a1bd498c6e0f4"><enum>(B)</enum><text>constitutes a
				violation or imminent threat of violation of law, security policies, security
				procedures, or acceptable use policies.</text>
										</subparagraph></paragraph><paragraph id="ID9031e804b63b4b2189b6e32123b2cb75"><enum>(4)</enum><header>Information
				security</header><text>The term <term>information security</term> means
				protecting information and information systems from unauthorized access, use,
				disclosure, disruption, modification, or destruction in order to
				provide—</text>
										<subparagraph id="IDcc1b69bbd8564c32bc5a4f4eafd4ffd6"><enum>(A)</enum><text>integrity, which
				means guarding against improper information modification or destruction, and
				includes ensuring nonrepudiation and authenticity;</text>
										</subparagraph><subparagraph id="ID5d2e839fbed54076911cb425b06b1533"><enum>(B)</enum><text>confidentiality,
				which means preserving authorized restrictions on access and disclosure,
				including means for protecting personal privacy and proprietary information;
				and</text>
										</subparagraph><subparagraph id="IDbd27982da0e24b0f98db0c37cbffe161"><enum>(C)</enum><text>availability,
				which means ensuring timely and reliable access to and use of
				information.</text>
										</subparagraph></paragraph><paragraph id="ID5dfa5581d3504a20a287d916cb4882bb"><enum>(5)</enum><header>Information
				technology</header><text>The term <term>information technology</term> has the
				meaning given that term in section 11101 of title 40.</text>
									</paragraph><paragraph id="IDc549876fda874a47bea1abd15a77a285"><enum>(6)</enum><header>National
				security system</header>
										<subparagraph id="IDa8bae2f833d149ea977f9f8b115b6fdb"><enum>(A)</enum><header>In
				general</header><text>The term <term>national security system</term> means any
				information system (including any telecommunications system) used or operated
				by an agency or by a contractor of an agency, or other organization on behalf
				of an agency—</text>
											<clause id="ID5779f2bfad8941dea6c7acacdd617c75"><enum>(i)</enum><text>the function,
				operation, or use of which—</text>
												<subclause id="ID0a48c95f4b76453abe0d8257ac89dd02"><enum>(I)</enum><text>involves
				intelligence activities;</text>
												</subclause><subclause id="ID5b70b6b2884b4358a79f5a676b8f4775"><enum>(II)</enum><text>involves
				cryptologic activities related to national security;</text>
												</subclause><subclause id="ID937257a11c354f99ae2c71f2bc4fd3f2"><enum>(III)</enum><text>involves
				command and control of military forces;</text>
												</subclause><subclause id="ID54a2a8b5549141deaad9d03c0d681f19"><enum>(IV)</enum><text>involves
				equipment that is an integral part of a weapon or weapons system; or</text>
												</subclause><subclause id="IDc07cc2c4ce134d8bbe054bed55861536"><enum>(V)</enum><text>subject to
				subparagraph (B), is critical to the direct fulfillment of military or
				intelligence missions; or</text>
												</subclause></clause><clause id="IDcd08ea3fe7a740ffa7021e81e523dc81"><enum>(ii)</enum><text>that is
				protected at all times by procedures established for information that have been
				specifically authorized under criteria established by an Executive order or an
				Act of Congress to be kept classified in the interest of national defense or
				foreign policy.</text>
											</clause></subparagraph><subparagraph id="ID63178e4ff73145c092b0872f7cca482d"><enum>(B)</enum><header>Exclusion</header><text>Subparagraph
				(A)(i)(V) does not include a system that is to be used for routine
				administrative and business applications (including payroll, finance,
				logistics, and personnel management applications).</text>
										</subparagraph></paragraph><paragraph id="ID8c3a74e57e65450cb69bb9d103438177"><enum>(7)</enum><header>Secretary</header><text>The
				term <term>Secretary</term> means the Secretary of Homeland Security.</text>
									</paragraph><paragraph id="id568FFD6192364483BC66B6F3C785E7DF"><enum>(8)</enum><header>Threat
				assessment</header><text>The term <term>threat assessment</term> means the
				real-time or near real-time process of formally evaluating the degree of threat to
				an information system or enterprise and describing the nature of the threat.
				Threat assessments consist of identifying threat sources, possible threat
				events, and vulnerabilities within a system or network environment, and determining the
				likelihood that an identified threat will occur and the possible adverse
				impacts of such an occurrence. This requires automation of that process and
				rapid sharing of emerging threat information among government agencies.</text>
									</paragraph></subsection></section><section id="ID7c9ab5fec0964a36b57f51932d5ca0ad"><enum>3553.</enum><header>Federal
				information security authority and coordination</header>
								<subsection id="IDf3da1efd7258457db0418e7c85154b3a"><enum>(a)</enum><header>In
				general</header><text>Except as provided in subsections (f) and (g), the
				Secretary shall oversee agency information security policies and practices,
				including the development and oversight of information security policies and
				directives and compliance with this subchapter.</text>
								</subsection><subsection id="ID2ef9a80dda6844adaa74f7fc2410e261"><enum>(b)</enum><header>Duties</header><text>The
				Secretary shall—</text>
									<paragraph id="ID12d1f46967254dae91b879fefc8d6913"><enum>(1)</enum><text>develop, issue,
				and oversee the implementation of information security policies and directives,
				which shall be compulsory and binding on agencies to the extent determined
				appropriate by the Secretary, including—</text>
										<subparagraph id="IDf9785587179346afaab36ddec05e0f0d"><enum>(A)</enum><text>policies and
				directives consistent with the standards promulgated under section 11331 of
				title 40 to identify and provide information security protections that are
				commensurate with the risk and impact resulting from the unauthorized access,
				use, disclosure, disruption, modification, or destruction of—</text>
											<clause id="ID1d13358bd31f40c29f7b0c5e13b78d5e"><enum>(i)</enum><text>information
				collected, created, processed, stored, disseminated, or otherwise used or
				maintained by or on behalf of an agency; or</text>
											</clause><clause id="IDb7b32e290ab64be1b5ad0bb1865b2800"><enum>(ii)</enum><text>information
				systems used or operated by an agency or by a contractor of an agency or other
				organization on behalf of an agency;</text>
											</clause></subparagraph><subparagraph id="ID32a9ba6ea6bd47fcadf327491dcb48a0"><enum>(B)</enum><text>minimum
				operational requirements for network operations centers and security operations
				centers of agencies to facilitate the protection of and provide common
				situational awareness for all agency information and information
				systems;</text>
										</subparagraph><subparagraph id="IDb7e3d5f4e2224b018cce868233477419"><enum>(C)</enum><text>reporting
				requirements, consistent with relevant law, regarding information security
				incidents;</text>
										</subparagraph><subparagraph id="IDc42af3e08cb5435d98cc31b7d8fede98"><enum>(D)</enum><text>requirements for
				agencywide information security programs, including continuous monitoring of
				information security;</text>
										</subparagraph><subparagraph id="IDfec32ec2e8e348ff8b154bec37e41dee"><enum>(E)</enum><text>performance
				requirements and metrics for the security of agency information systems;</text>
										</subparagraph><subparagraph id="IDe6f45b1e4ab14b618c2658fc879fc26d"><enum>(F)</enum><text>training
				requirements to ensure that agencies are able to fully and timely comply with
				directions issued by the Secretary under this subchapter;</text>
										</subparagraph><subparagraph id="ID4360d5311c25436b8b7fa6c1048bbf47"><enum>(G)</enum><text>training
				requirements regarding privacy, civil rights, civil liberties, and information
				oversight for agency information security employees;</text>
										</subparagraph><subparagraph id="ID0b5ede98cb4b434c84e2bfab31b63a23"><enum>(H)</enum><text>requirements for
				the annual reports to the Secretary under section 3554(c); and</text>
										</subparagraph><subparagraph id="ID4d678b60157b4313bb84544666ec289a"><enum>(I)</enum><text>any other
				information security requirements as determined by the Secretary;</text>
										</subparagraph></paragraph><paragraph id="ID0a9414ed78c74416b3fce2c772397833"><enum>(2)</enum><text>review agency
				information security programs required to be developed under section
				3554(b);</text>
									</paragraph><paragraph id="IDced0418db73f4b91a4c695cbf260bca5"><enum>(3)</enum><text>develop and
				conduct targeted risk assessments and operational evaluations for agency
				information and information systems in consultation with the heads of other
				agencies or governmental and private entities that own and operate such
				systems, that may include threat, vulnerability, and impact assessments and
				penetration testing;</text>
									</paragraph><paragraph id="IDf6e3da367a9c4b24b1b5e3adc56b02d1"><enum>(4)</enum><text>operate
				consolidated intrusion detection, prevention, or other protective capabilities
				and use associated countermeasures for the purpose of protecting agency
				information and information systems from information security threats;</text>
									</paragraph><paragraph id="ID6b684c6d4c02479fa435972c88e47101"><enum>(5)</enum><text>in conjunction
				with other agencies and the private sector, assess and foster the development
				of information security technologies and capabilities for use across multiple
				agencies;</text>
									</paragraph><paragraph id="ID7b12817b25904ae5a247467a50332e15"><enum>(6)</enum><text>designate an
				entity to receive reports and information about information security incidents,
				threats, and vulnerabilities affecting agency information systems;</text>
									</paragraph><paragraph id="IDaae099bc83f24d43a4b7e70392531ce2"><enum>(7)</enum><text>provide incident
				detection, analysis, mitigation, and response information and remote or on-site
				technical assistance to the heads of agencies; and</text>
									</paragraph><paragraph id="IDa754222effb548e7922e2cb18b934445"><enum>(8)</enum><text>coordinate with
				appropriate agencies and officials to ensure, to the maximum extent feasible,
				that policies and directives issued under paragraph (1) are complementary
				with—</text>
										<subparagraph id="IDdebb2c0c2a484bccb1b84e6b593bbd60"><enum>(A)</enum><text>standards and
				guidelines developed for national security systems; and</text>
										</subparagraph><subparagraph id="ID219da843aa9c427da1d6d6f0a7599250"><enum>(B)</enum><text>policies and
				directives issued by the Secretary of Defense, Director of the Central
				Intelligence Agency, and Director of National Intelligence under subsection
				(g)(1).</text>
										</subparagraph></paragraph></subsection><subsection id="ID57e7375c7a1e4f8b857b835ccebd87ee"><enum>(c)</enum><header>Issuing
				policies and directives</header><text>When issuing policies and directives
				under subsection (b), the Secretary shall consider any applicable standards or
				guidelines developed by the National Institute of Standards and Technology and
				issued by the Secretary of Commerce under section 11331 of title 40. The
				Secretary shall consult with the Director of the National Institute of
				Standards and Technology when such policies and directives implement standards
				or guidelines developed by the National Institute of Standards and Technology. To
				the maximum extent feasible, such standards and guidelines shall be
				complementary with standards and guidelines developed for national security
				systems.</text>
								</subsection><subsection id="IDcf6dd4cfe8b2462f8cd7a964907c4348"><enum>(d)</enum><header>Communications
				and system traffic</header>
									<paragraph id="idF81FF41D59B046C5B02D93F53A49449D"><enum>(1)</enum><header>In
				general</header><text>Notwithstanding any other provision of law, in carrying
				out the responsibilities under paragraphs (3) and (4) of subsection (b), if the
				Secretary makes a certification described in paragraph (2), the Secretary may
				acquire, intercept, retain, use, and disclose communications and other system
				traffic that are transiting to or from or stored on agency information systems
				and deploy countermeasures with regard to the communications and system
				traffic.</text>
									</paragraph><paragraph id="idBC95CF3A3CF54808A9AA979FF078E3E6"><enum>(2)</enum><header>Certification</header><text>A
				certification described in this paragraph is a certification by the Secretary
				that—</text>
										<subparagraph id="ID18fc37f5ffe84022a57a573bb41fbe43"><enum>(A)</enum><text>the acquisitions,
				interceptions, and countermeasures are reasonably necessary for the purpose of
				protecting agency information systems from information security threats;</text>
										</subparagraph><subparagraph id="ID0de5325f4d6049a28b788581b33f84ba"><enum>(B)</enum><text>the content of
				communications will be collected and retained only when the communication is
				associated with a known or reasonably suspected information security threat,
				and communications and system traffic will not be subject to the operation of a
				countermeasure unless associated with the threats;</text>
										</subparagraph><subparagraph id="ID14991767086242d48aeccdfa83393735"><enum>(C)</enum><text>information
				obtained under activities authorized under this subsection will only be
				retained, used, or disclosed to protect agency information systems from
				information security threats, mitigate against such threats, or, with the
				approval of the Attorney General, for law enforcement purposes when the
				information is evidence of a crime which has been, is being, or is about to be
				committed;</text>
										</subparagraph><subparagraph id="ID4f0d6f00004941ad8b05669a68bc12d1"><enum>(D)</enum><text>notice has been
				provided to users of agency information systems concerning the potential for
				acquisition, interception, retention, use, and disclosure of communications and
				other system traffic; and</text>
										</subparagraph><subparagraph id="IDe2312313703543f69f4e43eada174a8a"><enum>(E)</enum><text>the activities
				are implemented pursuant to policies and procedures governing the acquisition,
				interception, retention, use, and disclosure of communications and other system
				traffic that have been reviewed and approved by the Attorney General.</text>
										</subparagraph></paragraph><paragraph id="IDed1542418db44c638c9675e9889a6149"><enum>(3)</enum><header>Private
				entities</header><text>The Secretary may enter into contracts or other
				agreements, or otherwise request and obtain the assistance of, private entities
				that provide electronic communication or information security services to
				acquire, intercept, retain, use, and disclose communications and other system
				traffic in accordance with this subsection.</text>
									</paragraph></subsection><subsection id="ID39d05502e08b45999d9c0d7f3f2e3782"><enum>(e)</enum><header>Directions to
				agencies</header>
									<paragraph id="ID99d78c93450a4006b36aa2658195a0c9"><enum>(1)</enum><header>Authority</header>
										<subparagraph id="ID36268b048d8a44e6942694309565a231"><enum>(A)</enum><header>In
				general</header><text>Notwithstanding section 3554, and subject to subparagraph
				(B), in response to a known or reasonably suspected information security
				threat, vulnerability, or incident that represents a substantial threat to the
				information security of an agency, the Secretary may direct other agency heads
				to take any lawful action with respect to the operation of the information
				systems, including those owned or operated by another entity on behalf of an
				agency, that collect, process, store, transmit, disseminate, or otherwise
				maintain agency information, for the purpose of protecting the information
				system from or mitigating an information security threat.</text>
										</subparagraph><subparagraph id="ID8d4fb32fb993405d9e998465434a3611"><enum>(B)</enum><header>Exception</header><text>The
				authorities of the Secretary under this subsection shall not apply to a system
				described in paragraph (2), (3), or (4) of subsection (g).</text>
										</subparagraph></paragraph><paragraph id="IDb48310a527ee4318b1b43e2f79026ad8"><enum>(2)</enum><header>Procedures for
				use of authority</header><text>The Secretary shall—</text>
										<subparagraph id="ID47b79b0919c34c4395e249aed2c066f9"><enum>(A)</enum><text>in coordination
				with the Director of the Office of Management and Budget and in consultation
				with Federal contractors, as appropriate, establish procedures governing the
				circumstances under which a directive may be issued under this subsection,
				which shall include—</text>
											<clause id="IDf277cc079c7e4d90a3d3c5cee28b8d1e"><enum>(i)</enum><text>thresholds and
				other criteria;</text>
											</clause><clause id="ID6ab5233d2b044508a2f1b54eceda3e2d"><enum>(ii)</enum><text>privacy and
				civil liberties protections; and</text>
											</clause><clause id="IDb74e0d79c23a4b729f6cd42667fffd7b"><enum>(iii)</enum><text>providing
				notice to potentially affected third parties;</text>
											</clause></subparagraph><subparagraph id="ID242f5f63952245c6b5ae283fc8535127"><enum>(B)</enum><text>specify the
				reasons for the required action and the duration of the directive;</text>
										</subparagraph><subparagraph id="IDe98330aeda004c1f978d3819c7f01c56"><enum>(C)</enum><text>minimize the
				impact of directives under this subsection by—</text>
											<clause id="ID57004b6cc4f94afdb4ecb33f863d8de6"><enum>(i)</enum><text>adopting the
				least intrusive means possible under the circumstances to secure the agency
				information systems; and</text>
											</clause><clause id="ID2aae11bf07fd4065830fd04fd86135c1"><enum>(ii)</enum><text>limiting
				directives to the shortest period practicable; and</text>
											</clause></subparagraph><subparagraph id="ID119584030304419c8ebc1f3a95bff4bc"><enum>(D)</enum><text>notify the
				Director of the Office of Management and Budget and head of any affected agency
				immediately upon the issuance of a directive under this subsection.</text>
										</subparagraph></paragraph><paragraph id="ID1f484ac5230c4b98b86e06d25d88ab7a"><enum>(3)</enum><header>Imminent
				threats</header>
										<subparagraph id="ID496ce35b077d469f94bc80b1c8af04fb"><enum>(A)</enum><header>In
				general</header><text>If the Secretary determines that there is an imminent
				threat to agency information systems and a directive under this subsection is
				not reasonably likely to result in a timely response to the threat, the
				Secretary may authorize the use of protective capabilities under the control of
				the Secretary for communications or other system traffic transiting to or from
				or stored on an agency information system without prior consultation with the
				affected agency for the purpose of ensuring the security of the information or
				information system or other agency information systems.</text>
										</subparagraph><subparagraph id="ID0d6164534d8448468315f07aa2f20b25"><enum>(B)</enum><header>Limitation on
				delegation</header><text>The authority under this paragraph may not be
				delegated to an official in a position lower than Assistant Secretary.</text>
										</subparagraph><subparagraph id="ID75674c5b92884e3d9dbd65fbafe9d873"><enum>(C)</enum><header>Notice</header><text>The
				Secretary or designee of the Secretary shall immediately notify the Director of
				the Office of Management and Budget and the head and chief information officer
				(or equivalent official) of each affected agency of—</text>
											<clause id="IDeaa6e01712aa46339fbf82a9886d7f16"><enum>(i)</enum><text>any action taken
				under this subsection; and</text>
											</clause><clause id="ID1365da46007f48f5a80bb83d6c8928b5"><enum>(ii)</enum><text>the reasons for
				and duration and nature of the action.</text>
											</clause></subparagraph><subparagraph commented="no" id="ID59cc761410034b94ab2d7d17ab40d387"><enum>(D)</enum><header>Other
				law</header><text>The actions of the Secretary under this paragraph shall be
				consistent with applicable law.</text>
										</subparagraph></paragraph><paragraph id="ID44bfc234c55a4923b994bacb9a42b645"><enum>(4)</enum><header>Limitation</header><text>The
				Secretary may direct or authorize lawful action or protective capability under
				this subsection only to—</text>
										<subparagraph id="IDd9143cf0116d490684003d70336bae1c"><enum>(A)</enum><text>protect agency
				information from unauthorized access, use, disclosure, disruption,
				modification, or destruction; or</text>
										</subparagraph><subparagraph id="IDaf3dbfc8e02443efb81d4788d837de60"><enum>(B)</enum><text>require the
				remediation of or protect against identified information security risks with
				respect to—</text>
											<clause id="ID64bc002fc90d4256963bef3fada9872c"><enum>(i)</enum><text>information
				collected or maintained by or on behalf of an agency; or</text>
											</clause><clause id="ID767d5438775d4e2e80997fadc6db34e0"><enum>(ii)</enum><text>that portion of
				an information system used or operated by an agency or by a contractor of an
				agency or other organization on behalf of an agency.</text>
											</clause></subparagraph></paragraph></subsection><subsection id="idB03EB83C9C9E4516A79A71D27F4E2E50"><enum>(f)</enum><header>National
				security systems</header>
									<paragraph id="ID7329df9d8756497db6116285caf5a642"><enum>(1)</enum><header>In
				general</header><text>This section shall not apply to a national security
				system.</text>
									</paragraph><paragraph id="IDbe31297dc89f48dabcca2ef0d786d236"><enum>(2)</enum><header>Information
				security</header><text>Information security policies, directives, standards,
				and guidelines for national security systems shall be overseen as directed by
				the President and, in accordance with that direction, carried out under the
				authority of the heads of agencies that operate or exercise authority over
				national security systems.</text>
									</paragraph></subsection><subsection id="ID9a2f6725a2294aa78c847f38f07f4c1f"><enum>(g)</enum><header>Delegation of
				authorities</header>
									<paragraph id="ID6091272a014d4f79b2f0312d2cd7f203"><enum>(1)</enum><header>In
				general</header><text>The authorities of the Secretary described in paragraphs
				(1), (2), (3), and (4) of subsection (b) shall be delegated to—</text>
										<subparagraph id="ID515cdca2b4774ec4ae01833d290e22e7"><enum>(A)</enum><text>the Secretary of
				Defense in the case of systems described in paragraph (2);</text>
										</subparagraph><subparagraph id="ID51d928594d134cb08a10023a5129134e"><enum>(B)</enum><text>the Director of
				the Central Intelligence Agency in the case of systems described in paragraph
				(3); and</text>
										</subparagraph><subparagraph id="ID9e561a06c7b845328056375af535637f"><enum>(C)</enum><text>the Director of
				National Intelligence in the case of systems described in paragraph (4).</text>
										</subparagraph></paragraph><paragraph id="IDf9ded07580954447b7e8cfa56bf87a99"><enum>(2)</enum><header>Department of
				defense</header><text>The systems described in this paragraph are systems that
				are operated by the Department of Defense, a contractor of the Department of
				Defense, or another entity on behalf of the Department of Defense that process
				any information the unauthorized access, use, disclosure, disruption,
				modification, or destruction of which would have a debilitating impact on the
				mission of the Department of Defense.</text>
									</paragraph><paragraph id="ID8e9d6124903f43448c7cfcf79558ab31"><enum>(3)</enum><header>Central
				intelligence agency</header><text>The systems described in this paragraph are
				systems that are operated by the Central Intelligence Agency, a contractor of
				the Central Intelligence Agency, or another entity on behalf of the Central
				Intelligence Agency that process any information the unauthorized access, use,
				disclosure, disruption, modification, or destruction of which would have a
				debilitating impact on the mission of the Central Intelligence Agency.</text>
									</paragraph><paragraph id="ID79f5cf53c4d547078473ee664a33f885"><enum>(4)</enum><header>Office of the
				director of national intelligence</header><text>The systems described in this
				paragraph are systems that are operated by the Office of the Director of
				National Intelligence, a contractor of the Office of the Director of National
				Intelligence, or another entity on behalf of the Office of the Director of
				National Intelligence that process any information the unauthorized access,
				use, disclosure, disruption, modification, or destruction of which would have a
				debilitating impact on the mission of the Office of the Director of National
				Intelligence.</text>
									</paragraph><paragraph id="ID3bf1dee9411f472f89b8e70f5b42fcfd"><enum>(5)</enum><header>Integration of
				information</header><text>The Secretary of Defense, the Director of the Central
				Intelligence Agency, and the Director of National Intelligence shall carry out
				their responsibilities under this subsection in coordination with the Secretary
				and share relevant information in a timely manner with the Secretary relating
				to the security of agency information and information systems, including
				systems described in paragraphs (2), (3), and (4), to enable the Secretary to
				carry out the responsibilities set forth in this section and to maintain
				comprehensive situational awareness regarding information security incidents,
				threats, and vulnerabilities affecting agency information systems, consistent
				with standards and guidelines for national security systems, issued in
				accordance with law and as directed by the President.</text>
									</paragraph></subsection></section><section id="ID9fd9630e3c2242a3914854923dbbc7f9"><enum>3554.</enum><header>Agency
				responsibilities</header>
								<subsection id="IDfe14bef9a28e4a92889f0018b66ac917"><enum>(a)</enum><header>In
				general</header><text>The head of each agency shall—</text>
									<paragraph id="IDdc20acc3bb9d48bb9953a2b798cf2bb9"><enum>(1)</enum><text>be responsible
				for—</text>
										<subparagraph id="ID267e81c67f624b8c8a4ec003adfb23e4"><enum>(A)</enum><text>providing
				information security protections commensurate with the risk resulting from
				unauthorized access, use, disclosure, disruption, modification, or destruction
				of—</text>
											<clause id="ID4537d2a7db154dc9b9709526904eedbc"><enum>(i)</enum><text>information
				collected, created, processed, stored, disseminated, or otherwise used or
				maintained by or on behalf of the agency; or</text>
											</clause><clause id="IDdd11bfae4077468c86b2b704b973eee2"><enum>(ii)</enum><text>information
				systems used or operated by the agency or by a contractor of the agency or
				other organization on behalf of the agency;</text>
											</clause></subparagraph><subparagraph id="IDe8db5b0845ad40afab3e44b94477daef"><enum>(B)</enum><text>complying with
				this subchapter, including—</text>
											<clause id="IDf8c2f1ac6729454d9976e6f39d7d79c9"><enum>(i)</enum><text>the policies and
				directives issued under section 3553, including any directions under section
				3553(e); and</text>
											</clause><clause id="ID728601a74cc14f50b6cd379a45958a84"><enum>(ii)</enum><text>information
				security policies, directives, standards, and guidelines for national security
				systems issued in accordance with law and as directed by the President;</text>
											</clause></subparagraph><subparagraph id="ID544461ea5a184a7a9a9903b65a63b48e"><enum>(C)</enum><text>complying with
				the requirements of the information security standards prescribed under section
				11331 of title 40, including any required security configuration checklists;
				and</text>
										</subparagraph><subparagraph id="ID4d0960b55d1b46f8b54d487f78adadf1"><enum>(D)</enum><text>ensuring that
				information security management processes are integrated with agency strategic
				and operational planning processes;</text>
										</subparagraph></paragraph><paragraph id="ID20c35813f93f48bc81cef632cd6626f2"><enum>(2)</enum><text>ensure that
				senior agency officials provide information security for the information and
				information systems that support the operations and assets under the control of
				the officials, including through—</text>
										<subparagraph id="IDf81fd21822e14bb39e3fbbd2ccc17596"><enum>(A)</enum><text>assessing, with a
				frequency commensurate with risk, the risk and impact that could result from
				the unauthorized access, use, disclosure, disruption, modification, or
				destruction of the information or information systems;</text>
										</subparagraph><subparagraph id="ID6018cfa1a56f4f64a9cb16978abb6e42"><enum>(B)</enum><text>determining the
				levels of information security appropriate to protect the information and
				information systems in accordance with the policies and directives issued under
				section 3553(b) and standards prescribed under section 11331 of title
				40;</text>
										</subparagraph><subparagraph id="IDf1cf04a3f9e24be0a5f88b4fed577a9c"><enum>(C)</enum><text>implementing
				policies, procedures, and capabilities to reduce risks to an acceptable level
				in a cost-effective manner;</text>
										</subparagraph><subparagraph id="ID7f18711f7cf44aac8bf320a63f28f281"><enum>(D)</enum><text>security testing
				and evaluation, including continuously monitoring the effective implementation
				of information security controls and techniques, threats, vulnerabilities,
				assets, and other aspects of information security as appropriate; and</text>
										</subparagraph><subparagraph id="IDd47945213bc74cc1b4370e8c66888fed"><enum>(E)</enum><text>reporting
				information about information security incidents, threats, and vulnerabilities
				in a timely manner as required under policies and procedures established under
				subsection (b)(7);</text>
										</subparagraph></paragraph><paragraph id="IDd88129c3766e4b5da0a69e26faa35d5d"><enum>(3)</enum><text>assess and
				maintain the resiliency of information systems critical to the mission and
				operations of the agency;</text>
									</paragraph><paragraph id="IDf5981885437e49cd92fe10a396df194b"><enum>(4)</enum><text>delegate to the
				chief information officer or equivalent official (or to a senior agency
				official who reports to the chief information officer or equivalent official)
				the authority to ensure and primary responsibility for ensuring compliance with
				this subchapter, including—</text>
										<subparagraph id="IDe46b3a65ec91474f83a741c792ff285b"><enum>(A)</enum><text>overseeing the
				establishment and maintenance of an agencywide security operations capability
				that on a continuous basis can—</text>
											<clause id="ID62d7f9a3950145399e4dccbd256e97b2"><enum>(i)</enum><text>detect, report,
				respond to, contain, and mitigate information security incidents that impair
				adequate security of the agency information and information systems in a timely
				manner and in accordance with the policies and directives issued under section
				3553(b); and</text>
											</clause><clause id="IDc8cf4a2a320a4dc9bb4c38c5616b340d"><enum>(ii)</enum><text>report any
				information security incident described under clause (i) to the entity
				designated under section 3553(b)(6);</text>
											</clause></subparagraph><subparagraph id="ID3f850bb86503409291981acc78ccf8ad"><enum>(B)</enum><text>developing,
				maintaining, and overseeing an agencywide information security program as
				required under subsection (b);</text>
										</subparagraph><subparagraph id="IDa4c9999f730946cc9961b217be333a1d"><enum>(C)</enum><text>developing,
				maintaining, and overseeing information security policies, procedures, and
				control techniques to address all applicable requirements, including those
				issued under section 3553 and section 11331 of title 40;</text>
										</subparagraph><subparagraph id="ID7dfe15bdef88451cac5f67b179a7986f"><enum>(D)</enum><text>training and
				overseeing employees and contractors of the agency with significant
				responsibilities for information security with respect to such
				responsibilities; and</text>
										</subparagraph><subparagraph id="IDe2db2430636d402297adc393ac824a9f"><enum>(E)</enum><text>assisting senior
				agency officials concerning their responsibilities under paragraph (2);</text>
										</subparagraph></paragraph><paragraph id="ID686e031f988c49afb431188446e051e1"><enum>(5)</enum><text>ensure that the agency has
				trained and obtained security clearances for an adequate number of employees to
				assist the agency in complying with this subchapter, including the policies and
				directives issued under section 3553(b);</text>
									</paragraph><paragraph id="IDee733f967b064205a43f2e9d53ce6e0f"><enum>(6)</enum><text>ensure that the
				chief information officer (or other senior agency official designated under
				paragraph (4)), in coordination with other senior agency officials, reports to
				the head of the agency on the effectiveness of the agency information security
				program, including the progress of remedial actions;</text>
									</paragraph><paragraph id="ID6da15634441f4fa7bf9f58e12c29ce2e"><enum>(7)</enum><text>ensure that the
				chief information officer (or other senior agency official designated under
				paragraph (4))—</text>
										<subparagraph id="ID34d1b1b3b6444b80ac205cd0ece25ea3"><enum>(A)</enum><text>possesses the
				necessary qualifications to administer the duties of the official under this
				subchapter; and</text>
										</subparagraph><subparagraph id="ID1598c68d6b5947b2bc37e2adea26d4a6"><enum>(B)</enum><text>has information
				security duties as a primary duty of the official; and</text>
										</subparagraph></paragraph><paragraph id="ID40059124c1df46a6b62f2c6b5f3570fb"><enum>(8)</enum><text>ensure that
				senior agency officials (including component chief information officers or
				equivalent officials) carry out responsibilities under this subchapter as
				directed by the official delegated authority under paragraph (4).</text>
									</paragraph></subsection><subsection id="ID3eb75d1775274194aedab79b5eea3214"><enum>(b)</enum><header>Agency
				program</header><text>The head of each agency shall develop, document, and
				implement an agencywide information security program, which shall be reviewed
				under section 3553(b)(2), to provide information security for the information
				and information systems that support the operations and assets of the agency,
				including those provided or managed by another agency, contractor, or other
				source, which shall include—</text>
									<paragraph id="ID7e599538b31447bbbc9d6df714773da9"><enum>(1)</enum><text>the development,
				execution, and maintenance of a risk management strategy for information
				security that—</text>
										<subparagraph id="IDf30427c0a5a747898622439560aaccad"><enum>(A)</enum><text>considers
				information security threats, vulnerabilities, and consequences;</text>
										</subparagraph><subparagraph id="ID7e6b8989e260451e8a2a4b6fdd6690c4"><enum>(B)</enum><text>includes periodic
				assessments and reporting of risk, with a frequency commensurate with risk and
				impact;</text>
										</subparagraph></paragraph><paragraph id="ID26363e1aba4b42ed8473bfa80986072d"><enum>(2)</enum><text>policies and
				procedures that—</text>
										<subparagraph id="ID4508c960624842ecb095be10d6a57680"><enum>(A)</enum><text>are based on the
				risk management strategy and assessment results required under paragraph
				(1);</text>
										</subparagraph><subparagraph id="ID8db067a3421f426093be28c0c5109a45"><enum>(B)</enum><text>reduce
				information security risks to an acceptable level in a cost-effective
				manner;</text>
										</subparagraph><subparagraph id="ID20f32bee4b114df3b21ef6dc2d14c587"><enum>(C)</enum><text>ensure that
				cost-effective and adequate information security is addressed throughout the
				life cycle of each agency information system; and</text>
										</subparagraph><subparagraph id="ID55e94b9d517d490b8433f0be4ec18285"><enum>(D)</enum><text>ensure compliance
				with—</text>
											<clause id="ID66352f4c584b44b3a08674819aa5d7e8"><enum>(i)</enum><text>this
				subchapter;</text>
											</clause><clause id="ID354f7595574548c4813ca9f65f36b541"><enum>(ii)</enum><text>the information
				security policies and directives issued under section 3553(b); and</text>
											</clause><clause id="IDe05905ca67cd4a2aae3666bd7328c77c"><enum>(iii)</enum><text>any other
				applicable requirements;</text>
											</clause></subparagraph></paragraph><paragraph id="ID5857aada140945e2999286b88f67a726"><enum>(3)</enum><text>subordinate plans
				for providing adequate information security for networks, facilities, and
				systems or groups of information systems;</text>
									</paragraph><paragraph id="IDc66c8da7e00f43508e915ea6b2b6a458"><enum>(4)</enum><text>security
				awareness training developed in accordance with the requirements issued under
				section 3553(b) to inform individuals with access to agency information
				systems, including information security employees, contractors, and other users
				of information systems that support the operations and assets of the agency,
				of—</text>
										<subparagraph id="ID3eb772db1f6f4714954d29c280ca8352"><enum>(A)</enum><text>information
				security risks associated with their activities;</text>
										</subparagraph><subparagraph id="ID6e45a67bc62849ac9da7c3f1540fa209"><enum>(B)</enum><text>their
				responsibilities in complying with agency policies and procedures designed to
				reduce those risks; and</text>
										</subparagraph><subparagraph id="ID78f61d8ef9224c8ca68366b7083dbdc5"><enum>(C)</enum><text>requirements for
				fulfilling privacy, civil rights, civil liberties, and other information
				oversight responsibilities;</text>
										</subparagraph></paragraph><paragraph id="ID78d7aa7df0de4cf58389b46037154730"><enum>(5)</enum><text>security testing
				and evaluation commensurate with risk and impact that includes—</text>
										<subparagraph id="ID31db547c0dcf4733b2d1e5a19adc97e9"><enum>(A)</enum><text>risk-based
				continuous monitoring of the operational status and security of agency
				information systems to enable evaluation of the effectiveness of and compliance
				with information security policies, procedures, and practices, including a
				relevant and appropriate selection of management, operational, and technical
				controls of information systems identified in the inventory required under
				section 3505(c);</text>
										</subparagraph><subparagraph id="IDc455125c927e44398f756a60948a8472"><enum>(B)</enum><text>penetration
				testing exercises and operational evaluations in accordance with the
				requirements issued under section 3553(b) to evaluate whether the agency
				adequately protects against, detects, and responds to incidents;</text>
										</subparagraph><subparagraph id="IDc362b3c924e6430d936f14e32f828573"><enum>(C)</enum><text>vulnerability
				scanning, intrusion detection and prevention, and penetration testing, in
				accordance with the requirements issued under section 3553(b); and</text>
										</subparagraph><subparagraph id="IDe9081eff47004551ab3ca79f1b447ae7"><enum>(D)</enum><text>any other
				periodic testing and evaluation, in accordance with the requirements issued
				under section 3553(b);</text>
										</subparagraph></paragraph><paragraph id="IDf88d547bc5c74e5a93b6964347017dd0"><enum>(6)</enum><text>a process for
				ensuring that remedial actions are taken to mitigate information security
				vulnerabilities commensurate with risk and impact, and otherwise address any
				deficiencies in the information security policies, procedures, and practices of
				the agency;</text>
									</paragraph><paragraph id="ID2cf7b411ad5f4b9eb2c11ed0b62c91bf"><enum>(7)</enum><text>policies and
				procedures to ensure detection, mitigation, reporting, and responses to
				information security incidents, in accordance with the policies and directives
				issued under section 3553(b), including—</text>
										<subparagraph id="IDed316885281f4c95b3bf055ac1317a4a"><enum>(A)</enum><text>ensuring timely
				internal reporting of information security incidents;</text>
										</subparagraph><subparagraph id="ID279f5530318a42f899ebc8f5266f6eb0"><enum>(B)</enum><text>establishing and
				maintaining appropriate technical capabilities to detect and mitigate risks
				associated with information security incidents;</text>
										</subparagraph><subparagraph id="ID2af2c7d065f641af8b3b8dc5c7915d7b"><enum>(C)</enum><text>notifying and
				consulting with the entity designated by the Secretary under section
				3553(b)(6); and</text>
										</subparagraph><subparagraph id="IDca8146e0bbce4513810e16015a5dc8ff"><enum>(D)</enum><text>notifying and
				consulting with—</text>
											<clause id="IDf2e6cbd321de4b258d411c44a0e7b5d9"><enum>(i)</enum><text>law enforcement
				agencies and relevant Offices of Inspectors General; and</text>
											</clause><clause id="IDb1b746df3e5d4102b6883a5d9b18924f"><enum>(ii)</enum><text>any other
				entity, in accordance with law and as directed by the President; and</text>
											</clause></subparagraph></paragraph><paragraph id="ID07fefd66cf0b4179afbbdc6606130f9e"><enum>(8)</enum><text>plans and
				procedures to ensure continuity of operations for information systems that
				support the operations and assets of the agency.</text>
									</paragraph></subsection><subsection id="IDd70dfdb319af4c39aeb51a72169f56c7"><enum>(c)</enum><header>Agency
				reporting</header><text>The head of each agency shall—</text>
									<paragraph id="ID9b77b5f2e712485ca692ec1641238ae1"><enum>(1)</enum><text>report annually
				to the Secretary on the adequacy and effectiveness of information security
				policies, procedures, and practices, including—</text>
										<subparagraph id="ID2211e51f816c46c3acfca91ee6bf01ed"><enum>(A)</enum><text>compliance of the
				agency with the requirements of this subchapter;</text>
										</subparagraph><subparagraph id="ID5eac56f982dd4ad0914c47cfa4ee7be9"><enum>(B)</enum><text>a conclusion as
				to the effectiveness of the information security policies, procedures, and
				practices of the agency based on a determination of the aggregate effect of
				identified deficiencies;</text>
										</subparagraph><subparagraph id="ID8e645121f77b4dceb220885a060d6693"><enum>(C)</enum><text>an identification
				and analysis of, including actions and plans to address, any significant
				deficiencies identified in such policies, procedures, and practices; and</text>
										</subparagraph><subparagraph id="ID29a2a5f511824b40a055c744e0846d72"><enum>(D)</enum><text>any information
				or evaluation required under the reporting requirements issued under section
				3553(b);</text>
										</subparagraph></paragraph><paragraph id="ID323eadacd6fd4dff8bbfee584ed8ee62"><enum>(2)</enum><text>make the report
				required under paragraph (1) available to the appropriate authorization and
				appropriations committees of Congress and the Comptroller General of the United
				States; and</text>
									</paragraph><paragraph id="IDdebbc78ef7c547b7b9cba9f07ba90e5c"><enum>(3)</enum><text>address the
				adequacy and effectiveness of the information security policies, procedures,
				and practices of the agency as required for management and budget plans and
				reports, as appropriate.</text>
									</paragraph></subsection><subsection id="ID4775675054c444e1a89dffe34c0a309a"><enum>(d)</enum><header>Communications
				and system traffic</header><text>Notwithstanding any other provision of law,
				the head of each agency is authorized to allow the Secretary, or a private
				entity providing assistance to the Secretary under section 3553, to acquire,
				intercept, retain, use, and disclose communications, system traffic, records,
				or other information transiting to or from or stored on an agency information
				system for the purpose of protecting agency information and information systems
				from information security threats or mitigating the threats in connection with
				the implementation of the information security capabilities authorized by
				paragraph (3) or (4) of section 3553(b).</text>
								</subsection></section><section id="ID53ad35265c5a4499a1e33cfe60cde922"><enum>3555.</enum><header>Annual
				assessments</header>
								<subsection id="ID6b526b3152b94e5c880b2baf3bd55096"><enum>(a)</enum><header>In
				general</header><text>Except as provided in subsection (c), the Secretary shall
				conduct periodic assessments of the information security programs and practices
				of agencies based on the annual agency reports required under section 3554(c),
				the annual independent evaluations required under section 3556, the results of
				any continuous monitoring, and other available information.</text>
								</subsection><subsection id="ID1ff4b643496a45f89d440f72b1b2e0b7"><enum>(b)</enum><header>Contents</header><text>Each
				assessment conducted under subsection (a) shall—</text>
									<paragraph id="IDf934402777e04b2697f066d8197910bb"><enum>(1)</enum><text>assess the
				effectiveness of agency information security policies, procedures, and
				practices;</text>
									</paragraph><paragraph id="IDd569919b7be24cdea06a78ea5572bd9b"><enum>(2)</enum><text>provide an
				assessment of the status of agency information system security for the Federal
				Government as a whole; and</text>
									</paragraph><paragraph id="ID2c37240188d4409ea21924f330a000c6"><enum>(3)</enum><text>include
				recommendations for improving information system security for an agency or the
				Federal Government as a whole.</text>
									</paragraph></subsection><subsection id="ID9c656c30cea8482292a5e8eed0593ea9"><enum>(c)</enum><header>Certain
				information systems</header>
									<paragraph id="IDf04f825400ec49de8bafc884d486bb7c"><enum>(1)</enum><header>National
				security systems</header><text>A periodic assessment conducted under subsection
				(a) relating to a national security system shall be prepared as directed by the
				President.</text>
									</paragraph><paragraph id="ID6f1c862f05ce455c8de9a9b3eee73080"><enum>(2)</enum><header>Specific
				agencies</header><text>Periodic assessments conducted under subsection (a)
				shall be prepared in accordance with governmentwide reporting requirements
				by—</text>
										<subparagraph id="ID70bb1d9d224d4c848df0da1eb3e25a02"><enum>(A)</enum><text>the Secretary of
				Defense for information systems under the control of the Department of
				Defense;</text>
										</subparagraph><subparagraph id="ID7af86be455534ba0864d21e622fe2fc0"><enum>(B)</enum><text>the Director of
				the Central Intelligence Agency for information systems under the control of
				the Central Intelligence Agency; and</text>
										</subparagraph><subparagraph id="IDd53de144e1b24837bf755c1e7880e7b0"><enum>(C)</enum><text>the Director of
				National Intelligence for information systems under the control of the Office
				of the Director of National Intelligence.</text>
										</subparagraph></paragraph></subsection><subsection id="IDc4975445bf9e413c99e64ceb8085f477"><enum>(d)</enum><header>Agency-specific
				assessments</header><text>Each assessment conducted under subsection (a) that
				relates, in whole or in part, to the information systems of an agency shall be
				made available to the head of the agency.</text>
								</subsection><subsection id="ID16ef3afe21654948bc45ebe4508095e4"><enum>(e)</enum><header>Protection of
				information</header><text>In conducting assessments under subsection (a), the
				Secretary shall take appropriate actions to ensure the protection of
				information which, if disclosed, may adversely affect information security.
				Such protections shall be commensurate with the risk and comply with all
				applicable laws and policies.</text>
								</subsection><subsection id="ID39656c0f57b94c6ea38edf1f1795b177"><enum>(f)</enum><header>Report to
				congress</header><text>The Secretary, in coordination with the Secretary of
				Defense, the Director of the Central Intelligence Agency, and the Director of
				National Intelligence, shall evaluate and submit to Congress an annual report
				on the adequacy and effectiveness of the information security programs and
				practices assessed under this section.</text>
								</subsection></section><section id="ID03d93c20de7c43a48ba87e09ec8aa5c2"><enum>3556.</enum><header>Independent
				evaluations</header>
								<subsection id="ID9471a957e4f1424dabb130797e416477"><enum>(a)</enum><header>In
				general</header><text>Not less than once every 2 years, an independent
				evaluation shall be performed of the information security program and practices
				of each agency in accordance with the guidance developed under subsection (d)
				to determine the effectiveness of the programs and practices in addressing
				risk.</text>
								</subsection><subsection id="ID2cc56bfc0d0e41acaed1444fa62e9849"><enum>(b)</enum><header>Contents</header><text>Each
				evaluation performed under subsection (a) shall include—</text>
									<paragraph id="ID3b298c4c76ce4882854b5513bbd6d58a"><enum>(1)</enum><text>testing of the
				effectiveness of information security policies, procedures, and practices of a
				representative subset of the information systems of the agency;</text>
									</paragraph><paragraph id="IDd9571f878c7d426ea9a1b4fae9cc58bb"><enum>(2)</enum><text>an assessment of
				compliance with this subchapter and any significant deficiencies; and</text>
									</paragraph><paragraph id="ID94cc15589df0440897db9a9f05316614"><enum>(3)</enum><text>a conclusion as
				to the effectiveness of the information security policies, procedures, and
				practices of the agency in addressing risk based on a determination of the
				aggregate effect of identified deficiencies.</text>
									</paragraph></subsection><subsection id="ID276d746845ea4a04b5a642ec5dd8396a"><enum>(c)</enum><header>Conduct of
				independent evaluations</header><text>An evaluation of an agency under
				subsection (a) shall be performed by—</text>
									<paragraph id="ID98aee25b47a74ddd8e1063dd63490cfe"><enum>(1)</enum><text>the Inspector
				General of the agency;</text>
									</paragraph><paragraph id="ID019699dfe974414585300e9d9f6eb6f6"><enum>(2)</enum><text>at the discretion
				of the Inspector General of the agency, an independent entity entering a
				contract with the Inspector General to perform the evaluation; or</text>
									</paragraph><paragraph id="ID6db210b63cd149949d632694f6d648f3"><enum>(3)</enum><text>if the agency
				does not have an Inspector General, an independent entity selected by the head
				of the agency, in consultation with the Secretary.</text>
									</paragraph></subsection><subsection id="ID1946f4397aba4b21b01ce7d1ae93d86c"><enum>(d)</enum><header>Guidance</header><text>The
				Council of Inspectors General on Integrity and Efficiency, in consultation with
				the Secretary, the Comptroller General of the United States, and the Director
				of the National Institute of Standards and Technology, shall issue and maintain
				guidance for performing timely, cost-effective, and risk-based evaluations
				under subsection (a).</text>
								</subsection><subsection id="ID8ffee42b26ef4052bad51de38954563e"><enum>(e)</enum><header>Reports</header><text>The
				official or entity performing an evaluation of an agency under subsection (a)
				shall submit to Congress, the agency, and the Comptroller General of the United
				States a report regarding the evaluation. The head of the agency shall provide
				to the Secretary a report received under this subsection.</text>
								</subsection><subsection id="ID348a290585e447b8a585b07c59c6f547"><enum>(f)</enum><header>National
				security systems</header><text>An evaluation under subsection (a) of a national
				security system shall be performed as directed by the President.</text>
								</subsection><subsection id="ID9019289093794ebfb2f19b058b8eec5c"><enum>(g)</enum><header>Comptroller
				general</header><text>The Comptroller General of the United States shall
				periodically evaluate and submit to Congress reports on—</text>
									<paragraph id="ID0b9bf035f63e4a40beebf9770df29fb4"><enum>(1)</enum><text>the adequacy and
				effectiveness of the information security policies and practices of agencies;
				and</text>
									</paragraph><paragraph id="ID61df3622c0b84964a31db6ea7e48b3d9"><enum>(2)</enum><text>implementation of
				this subchapter.</text>
									</paragraph></subsection></section><section id="IDd7071e79ec0447a492633a89459d1e80"><enum>3557.</enum><header>National
				security systems</header><text display-inline="no-display-inline">The head of
				each agency operating or exercising control of a national security system shall
				be responsible for ensuring that the agency—</text>
								<paragraph id="IDedc7f9b4fde849a69ae55d3ef1d10c91"><enum>(1)</enum><text>provides
				information security protections commensurate with the risk and magnitude of
				the harm resulting from the unauthorized use, disclosure, disruption,
				modification, or destruction of the information contained in the national
				security system;</text>
								</paragraph><paragraph id="ID96df8f86d4144de985a154e6ee2ee5b8"><enum>(2)</enum><text>implements
				information security policies and practices as required by standards and
				guidelines for national security systems issued in accordance with law and as
				directed by the President; and</text>
								</paragraph><paragraph id="ID136dec63aad2466e8fb106337b7c6206"><enum>(3)</enum><text>complies with
				this subchapter.</text>
								</paragraph></section><section id="IDe2af7888bdae402b91c105e5a6c32a69"><enum>3558.</enum><header>Effect on
				existing law</header><text display-inline="no-display-inline">Nothing in this
				subchapter shall be construed to alter or amend any law regarding the authority
				of any head of an agency over the
				agency.</text>
							</section></subchapter><after-quoted-block>.</after-quoted-block></quoted-block>
				</subsection><subsection id="ID05b2ea7ab5f041c0a327c6e48865f8d1"><enum>(b)</enum><header>Technical and
			 conforming amendment</header><text>The table of sections for chapter 35 of
			 title 44 is amended by striking the matter relating to subchapters II and III
			 and inserting the following:</text>
					<quoted-block id="id73b5657e-9226-4978-b784-a024729e9012" style="USC">
						<toc>
							<toc-entry idref="id860D576E970C4A0A84DF9DADD66F6212" level="subchapter">SUBCHAPTER II—Information security</toc-entry>
							<toc-entry idref="id3BB7B7410F744A88987C767B601D23F2" level="section">Sec. 3551. Purposes.</toc-entry>
							<toc-entry idref="ID18c656f7bdd64b6fbe88a4bff412793d" level="section">Sec. 3552. Definitions.</toc-entry>
							<toc-entry idref="ID7c9ab5fec0964a36b57f51932d5ca0ad" level="section">Sec. 3553. Federal information security authority and
				coordination.</toc-entry>
							<toc-entry idref="ID9fd9630e3c2242a3914854923dbbc7f9" level="section">Sec. 3554. Agency responsibilities.</toc-entry>
							<toc-entry idref="ID53ad35265c5a4499a1e33cfe60cde922" level="section">Sec. 3555. Annual assessments.</toc-entry>
							<toc-entry idref="ID03d93c20de7c43a48ba87e09ec8aa5c2" level="section">Sec. 3556. Independent evaluations.</toc-entry>
							<toc-entry idref="IDd7071e79ec0447a492633a89459d1e80" level="section">Sec. 3557. National security systems.</toc-entry>
							<toc-entry idref="IDe2af7888bdae402b91c105e5a6c32a69" level="section">Sec. 3558. Effect on existing
				law.</toc-entry>
						</toc>
						<after-quoted-block>.</after-quoted-block></quoted-block>
				</subsection></section><section id="ID1f78ed935a9449098664d18aa30aabdc"><enum>202.</enum><header>Management of
			 information technology</header>
				<subsection id="ID4c90e2a581f84d5b82658fdc0adfe100"><enum>(a)</enum><header>In
			 general</header><text>Section 11331 of title 40, United States Code, is amended
			 to read as follows:</text>
					<quoted-block display-inline="no-display-inline" id="idE8E95DE20C7245A7BEB42F1AE9E7846C" style="USC">
						<section id="IDeb3e122ee783446cbdde566265acd246"><enum>11331.</enum><header>Responsibilities
				for Federal information systems standards</header>
							<subsection id="ID3f2b92796de14245bdc279231271514d"><enum>(a)</enum><header>Definitions</header><text>In
				this section:</text>
								<paragraph id="IDa0e1b606f8a047b28ff7424dceea767a"><enum>(1)</enum><header>Federal
				information system</header><text>The term <term>Federal information
				system</term> means an information system used or operated by an executive
				agency, by a contractor of an executive agency, or by another entity on behalf
				of an executive agency.</text>
								</paragraph><paragraph id="IDdf91955cd4b248289515c18d301339e8"><enum>(2)</enum><header>Information
				security</header><text>The term <term>information security</term> has the
				meaning given that term in section 3552 of title 44.</text>
								</paragraph><paragraph id="IDfe9e32530d234f5e8ddddcf86516a389"><enum>(3)</enum><header>National
				security system</header><text>The term <term>national security system</term>
				has the meaning given that term in section 3552 of title 44.</text>
								</paragraph></subsection><subsection id="ID3e9ff20d3c73408cb942e14073531a10"><enum>(b)</enum><header>Standards and
				guidelines</header>
								<paragraph id="ID0da5acc9d4df45408379df01728e918e"><enum>(1)</enum><header>Authority to
				prescribe</header><text>Except as provided under paragraph (2), and based on
				the standards and guidelines developed by the National Institute of Standards
				and Technology under paragraphs (2) and (3) of section 20(a) of the National
				Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Secretary
				of Commerce, in consultation with the Secretary of Homeland Security, shall
				prescribe standards and guidelines relating to Federal information
				systems.</text>
								</paragraph><paragraph id="ID64284af07583412eb0d010e8c458464a"><enum>(2)</enum><header>National
				security systems</header><text>Standards and guidelines for national security
				systems shall be developed, prescribed, enforced, and overseen as otherwise
				authorized by law and as directed by the President.</text>
								</paragraph></subsection><subsection id="IDfe0d38dc3f824ee795a47a536a1bbc1d"><enum>(c)</enum><header>Mandatory
				requirements</header>
								<paragraph id="ID93da7a998fab480b86854473c45749dd"><enum>(1)</enum><header>Authority to
				make mandatory</header><text>The Secretary of Commerce may require executive
				agencies to comply with the standards prescribed under subsection (b)(1) to the
				extent determined necessary by the Secretary of Commerce to improve the
				efficiency of operation or security of Federal information systems.</text>
								</paragraph><paragraph id="ID34cf57b395454210983f0f7f513ad633"><enum>(2)</enum><header>Required
				mandatory standards</header>
									<subparagraph id="IDa67406418edc4197ab7f310de8716134"><enum>(A)</enum><header>In
				general</header><text>The Secretary of Commerce shall require executive
				agencies to comply with the standards described in subparagraph (B).</text>
									</subparagraph><subparagraph id="ID496f1ae2635f4b438713af50af525d1e"><enum>(B)</enum><header>Contents</header><text>The
				standards described in this subparagraph are information security standards
				that—</text>
										<clause id="ID2bb9db0daae64974a2bf9005e13da6b9"><enum>(i)</enum><text>provide minimum
				information security requirements as determined under section 20(b) of the
				National Institute of Standards and Technology Act (15 U.S.C. 278g–3(b));
				and</text>
										</clause><clause id="IDaad90c4f794e46bb8230507cc9427f2b"><enum>(ii)</enum><text>are otherwise
				necessary to improve the security of Federal information and Federal
				information systems.</text>
										</clause></subparagraph></paragraph></subsection><subsection id="IDe7ababd5e3c64c2ba0384e6badc85f29"><enum>(d)</enum><header>Authority To
				disapprove or modify</header><text>The President may disapprove or modify the
				standards and guidelines prescribed under subsection (b)(1) if the President
				determines such action to be in the public interest. The authority of the
				President to disapprove or modify the standards and guidelines may be delegated
				to the Director of the Office of Management and Budget. Notice of a disapproval
				or modification under this subsection shall be published promptly in the
				Federal Register. Upon receiving notice of a disapproval or modification, the
				Secretary of Commerce shall immediately rescind or modify the standards or
				guidelines as directed by the President or the Director of the Office of
				Management and Budget.</text>
							</subsection><subsection id="ID24e51b9c372e42239272438ae32317fc"><enum>(e)</enum><header>Exercise of
				authority</header><text>To ensure fiscal and policy consistency, the Secretary
				of Commerce shall exercise the authority under this section subject to
				direction by the President and in coordination with the Director of the Office
				of Management and Budget.</text>
							</subsection><subsection id="IDfda8e14091084f2a9ac760faf2a858b4"><enum>(f)</enum><header>Application of
				more stringent standards</header><text>The head of an executive agency may
				employ standards for the cost-effective information security for Federal
				information systems of that agency that are more stringent than the standards
				prescribed by the Secretary of Commerce under subsection (b)(1) if the more
				stringent standards—</text>
								<paragraph id="ID681bad4457454bc08797f925450b4adf"><enum>(1)</enum><text>contain any
				standards with which the Secretary of Commerce has required the agency to
				comply; and</text>
								</paragraph><paragraph id="ID0a9a3e40e4f4451d84506d805d9ca941"><enum>(2)</enum><text>are otherwise
				consistent with the policies and directives issued under section 3553(b) of
				title 44.</text>
								</paragraph></subsection><subsection id="ID0d5d52686ed24435aba229e8afecd7d4"><enum>(g)</enum><header>Decisions on
				promulgation of standards</header><text>The decision by the Secretary of
				Commerce regarding the promulgation of any standard under this section shall
				occur not later than 6 months after the submission of the proposed standard to
				the Secretary of Commerce by the National Institute of Standards and
				Technology, as provided under section 20 of the National Institute of Standards
				and Technology Act (15 U.S.C.
				278g–3).</text>
							</subsection></section><after-quoted-block>.</after-quoted-block></quoted-block>
				</subsection><subsection id="IDa85bf0bdfc82412f8d30138e5ed3b0f4"><enum>(b)</enum><header>Technical and
			 conforming amendments</header>
					<paragraph id="ID5c9d015d06c546c280849d0ebe891ea7"><enum>(1)</enum><text>Section 3502(8)
			 of title 44, United States Code, is amended by inserting
			 <quote>hosting,</quote> after <quote>collection,</quote>;</text>
					</paragraph><paragraph id="ID39816510303a45cf9a3d3788361907a0"><enum>(2)</enum><text>The National
			 Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is
			 amended—</text>
						<subparagraph id="ID97cf935d97ee4521a115303c17e6a3da"><enum>(A)</enum><text>in section
			 20(a)(2) (15 U.S.C. 278g–3(a)(2)), by striking <quote>section
			 3532(b)(2)</quote> and inserting <quote>section 3552(b)</quote>; and</text>
						</subparagraph><subparagraph id="IDec29e838c29f491fb895dd39d4ac1299"><enum>(B)</enum><text>in section 21(b)
			 (15 U.S.C. 278g–4(b))—</text>
							<clause id="ID5fa8af68d0c4407783673293d66d9863"><enum>(i)</enum><text>in
			 paragraph (2), by inserting <quote>, the Secretary of Homeland
			 Security,</quote> after <quote>the Institute</quote>; and</text>
							</clause><clause id="IDcf9c6a219944426785ed135564e9379f"><enum>(ii)</enum><text>in
			 paragraph (3), by inserting <quote>the Secretary of Homeland Security,</quote>
			 after <quote>the Secretary of Commerce,</quote>.</text>
							</clause></subparagraph></paragraph><paragraph id="ID5d124d9e609341a1b0461201b85f40ca"><enum>(3)</enum><text>Section
			 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is
			 amended by striking <quote>section 3532(3)</quote> and inserting <quote>section
			 3552(b)</quote>.</text>
					</paragraph><paragraph id="IDa2ab6e42fdd8419daf53a097056742c0"><enum>(4)</enum><text>Part IV of title
			 10, United States Code, is amended—</text>
						<subparagraph id="ID65e414186437425da46afaf9667d50b2"><enum>(A)</enum><text>in section
			 2222(j)(5), by striking <quote>section 3542(b)(2)</quote> and inserting
			 <quote>section 3552(b)</quote>;</text>
						</subparagraph><subparagraph id="ID239a3a3298ea468aab047916def38495"><enum>(B)</enum><text>in section
			 2223(c)(3), by striking <quote>section 3542(b)(2)</quote> and inserting
			 <quote>section 3552(b)</quote>; and</text>
						</subparagraph><subparagraph id="IDf2dd603eb1224889b1701c331804baf5"><enum>(C)</enum><text>in section 2315,
			 by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section
			 3552(b)</quote>.</text>
						</subparagraph></paragraph><paragraph id="ID64201ae2e2074f9da38c4951266fa8f8"><enum>(5)</enum><text>Section 8(d)(1)
			 of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is
			 amended by striking <quote>section 3534(b)</quote> and inserting <quote>section
			 3554(b)</quote>.</text>
					</paragraph></subsection></section><section id="ID0878d5bdfa38404bae793bf89eb098e7"><enum>203.</enum><header>Savings
			 provisions</header>
				<subsection id="IDe25590120a8e4bc2bc71d7049806e1e1"><enum>(a)</enum><header>In
			 general</header><text>Policies and compliance guidance issued by the Director
			 of the Office of Management and Budget before the date of enactment of this Act
			 under section 3543(a)(1) of title 44 (as in effect on the day before the date
			 of enactment of this Act) shall continue in effect, according to their terms,
			 until modified, terminated, superseded, or repealed under section 3553(b)(1) of
			 title 44, as added by this Act.</text>
				</subsection><subsection commented="no" display-inline="no-display-inline" id="ID0b2e8a3dc00e42e386f56ee94ac856f2"><enum>(b)</enum><header>Other standards
			 and guidelines</header><text>Standards and guidelines issued by the Secretary
			 of Commerce or by the Director of the Office of Management and Budget before
			 the date of enactment of this Act under section 11331(b)(1) of title 40 (as in
			 effect on the day before the date of enactment of this Act) shall continue in
			 effect, according to their terms, until modified, terminated, superseded, or
			 repealed under section 11331(b)(1), as added by this Act.</text>
				</subsection></section></title><title id="idB1F5DAC9B2B74546944490F67E5BDB8C"><enum>III</enum><header>Clarifying and
			 Strengthening Existing Roles and Authorities</header>
			<section id="ID3d57e7d77d5f46558b466ddec449d31c"><enum>301.</enum><header>Consolidation
			 of existing departmental cyber resources and authorities</header>
				<subsection id="idCE7C8EE8FB324F338D7CD4EA1302120F"><enum>(a)</enum><header>In
			 general</header><text display-inline="yes-display-inline">Title II of the
			 Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by adding at
			 the end the following:</text>
					<quoted-block display-inline="no-display-inline" id="idBE10978979E1467E8313652F244E7ED5" style="OLC">
						<subtitle id="id5D00954CBF94409B93D467C1233E5508"><enum>E</enum><header>Cybersecurity</header>
							<section id="ID1bda65c3690248ffa8b0f77639df8253"><enum>241.</enum><header>Definitions</header><text display-inline="no-display-inline">In this subtitle:</text>
								<paragraph id="id02202901F3154FC0BF3184AA157A58F3"><enum>(1)</enum><header>Agency
				information infrastructure</header><text>The term <term>agency information
				infrastructure</term> means the Federal information infrastructure of a
				particular Federal agency.</text>
								</paragraph><paragraph id="idB468F954261844CFA6221A03BB1A1D04"><enum>(2)</enum><header>Center</header><text>The
				term <term>Center</term> means the National Center for Cybersecurity and
				Communications established under section 242.</text>
								</paragraph><paragraph id="id87810956EFDA4F3DAEC8FEDB980192C2"><enum>(3)</enum><header>Covered
				critical infrastructure</header><text>The term <term>covered critical
				infrastructure</term> means a system or asset designated by the Secretary as
				covered critical infrastructure in accordance with the procedure established
				under section 103 of the <short-title>Cybersecurity Act of
				2012</short-title>.</text>
								</paragraph><paragraph id="ID7854f965bc104e7c8ffa4e12833fa965"><enum>(4)</enum><header>Damage</header><text>The
				term <term>damage</term> has the meaning given that term in section 1030(e) of
				title 18, United States Code.</text>
								</paragraph><paragraph id="id7D0F66635A0D4B3286108D5DDA143E3A"><enum>(5)</enum><header>Federal
				agency</header><text>The term <term>Federal agency</term> has the meaning given
				the term <term>agency</term> in section 3502 of title 44, United States
				Code.</text>
								</paragraph><paragraph id="id73654BB2B3304CD693D809C8415B6924"><enum>(6)</enum><header>Federal
				cybersecurity center</header><text>The term <term>Federal cybersecurity
				center</term> has the meaning given that term in section 708 of the
				<short-title>Cybersecurity Act of
				2012</short-title>.</text>
								</paragraph><paragraph id="id9CAA04393F75489C9DE4746DF3E1090E"><enum>(7)</enum><header>Federal
				entity</header><text>The term <term>Federal entity</term> has the meaning given
				that term in section 708 of the <short-title>Cybersecurity
				Act of 2012</short-title>.</text>
								</paragraph><paragraph id="idE82410B0D40A4305AA5175F3B32C250D"><enum>(8)</enum><header>Federal
				information infrastructure</header><text>The term <term>Federal information
				infrastructure</term>—</text>
									<subparagraph id="idB5AC58A66E314E4892034439DA6DED8C"><enum>(A)</enum><text>means information
				and information systems that are owned, operated, controlled, or licensed for
				use by, or on behalf of, any Federal agency, including information systems used
				or operated by another entity on behalf of a Federal agency; and</text>
									</subparagraph><subparagraph id="idB1A1E510D2C847099CD3B16926F5D521"><enum>(B)</enum><text>does not
				include—</text>
										<clause id="id7C78A01BB1704874BFADBC2EFBDF0F6C"><enum>(i)</enum><text>a
				national security system; or</text>
										</clause><clause id="id2A6554911D8F41D69F505672FD2981DD"><enum>(ii)</enum><text>information and
				information systems that are owned, operated, controlled, or licensed for use
				by, or on behalf of, the Department of Defense, a military department, or
				another element of the intelligence community.</text>
										</clause></subparagraph></paragraph><paragraph id="idDF37FDF960AE455FAAF01B5E3AB1D1AD"><enum>(9)</enum><header>Incident</header><text>The
				term <term>incident</term> has the meaning given that term in section 3552 of
				title 44, United States Code.</text>
								</paragraph><paragraph id="idF5422385BAE34332995297231CAAB870"><enum>(10)</enum><header>Information
				security</header><text>The term <term>information security</term> has the
				meaning given that term in section 3552 of title 44, United States Code.</text>
								</paragraph><paragraph id="id53280365756148A3863B97BC4133519D"><enum>(11)</enum><header>Information
				system</header><text>The term <term>information system</term> has the meaning
				given that term in section 3502 of title 44, United States Code.</text>
								</paragraph><paragraph id="id3608D0160AF94ED0A5FDE63A6D494B87"><enum>(12)</enum><header>Intelligence
				community</header><text>The term <term>intelligence community</term> has the
				meaning given that term in section 3(4) of the National Security Act of 1947
				(50 U.S.C. 401a(4)).</text>
								</paragraph><paragraph id="idDA60533E9A134757AD6238A0A609EAEB"><enum>(13)</enum><header>National
				security and emergency preparedness communications
				infrastructure</header><text>The term <term>national security and emergency
				preparedness communications infrastructure</term> means the systems supported
				or covered by the Office of Emergency Communications and the National
				Communications System on the date of enactment of the
				<short-title>Cybersecurity Act of 2012</short-title> or
				otherwise described in Executive Order 12472, or any successor thereto,
				relating to national security and emergency preparedness communications
				functions.</text>
								</paragraph><paragraph id="id914CDDC8FAA44BA496231F1E05C06DB7"><enum>(14)</enum><header>National
				information infrastructure</header><text>The term <term>national information
				infrastructure</term> means information and information systems—</text>
									<subparagraph id="idD9140685ACB94A74BFB809D60D10243A"><enum>(A)</enum><text>that are owned,
				operated, or controlled within or from the United States; and</text>
									</subparagraph><subparagraph id="id35AB443097134D07AC7AC4E804964BC1"><enum>(B)</enum><text>that are not
				owned, operated, controlled, or licensed for use by a Federal agency.</text>
									</subparagraph></paragraph><paragraph id="idC5ABA9A7E6F243BCA8AFF76BA588393B"><enum>(15)</enum><header>National
				security system</header><text>The term <term>national security system</term>
				has the meaning given that term in section 3552 of title 44, United States
				Code.</text>
								</paragraph><paragraph id="idA097E22E45994DBB9E5E2B40B9B2448F"><enum>(16)</enum><header>Non-Federal
				entity</header><text>The term <term>non-Federal entity</term> has the meaning
				given that term in section 708 of the <short-title>Cybersecurity Act of 2012</short-title>.</text>
								</paragraph></section><section id="idA2F947FA68CC42F6AE2E911520EF7FD6"><enum>242.</enum><header>Consolidation
				of existing resources</header>
								<subsection id="IDd24a2d9203314e438a6f8b4265c8f903"><enum>(a)</enum><header>Establishment</header><text>There
				is established within the Department a National Center for Cybersecurity and
				Communications.</text>
								</subsection><subsection id="idC2539E84D3FE42A697127DDB2673352A"><enum>(b)</enum><header>Transfer of
				functions</header><text>There are transferred to the Center the National Cyber
				Security Division, the Office of Emergency Communications, and the National
				Communications System, including all the functions, personnel, assets,
				authorities, and liabilities of the National Cyber Security Division, the
				Office of Emergency Communications, and the National Communications
				System.</text>
								</subsection><subsection id="IDb055cd267e424515bb0e03479ed1e82f"><enum>(c)</enum><header>Director</header><text>The
				Center shall be headed by a Director, who shall be appointed by the President,
				by and with the advice and consent of the Senate, and who shall report directly
				to the Secretary.</text>
								</subsection><subsection id="ID73f62147da414b1280ad9c0240a23072"><enum>(d)</enum><header>Duties</header><text>The
				Director of the Center shall—</text>
									<paragraph id="IDe6881c60ac464b82814d475d54720636"><enum>(1)</enum><text>manage Federal
				efforts to secure, protect, and ensure the resiliency of the Federal
				information infrastructure, national information infrastructure, and national
				security and emergency preparedness communications infrastructure of the United
				States, working cooperatively with appropriate government agencies and the
				private sector;</text>
									</paragraph><paragraph id="IDa74bd8cc0a12446b883ce1f44eafe66f"><enum>(2)</enum><text>support private
				sector efforts to secure, protect, and ensure the resiliency of the national
				information infrastructure;</text>
									</paragraph><paragraph id="IDff82e1ef522a4a6fab394be0fbda8082"><enum>(3)</enum><text>prioritize the
				efforts of the Center to address the most significant risks and incidents that
				have caused or are likely to cause damage to the Federal information
				infrastructure, the national information infrastructure, and national security
				and emergency preparedness communications infrastructure of the United
				States;</text>
									</paragraph><paragraph id="ID29c4433f6f6940c69b39d9df856bffd9"><enum>(4)</enum><text>ensure, in
				coordination with the privacy officer designated under subsection (j), the
				Privacy Officer appointed under section 222, and the Director of the Office of
				Civil Rights and Civil Liberties appointed under section 705, that the
				activities of the Center comply with all policies, regulations, and laws
				protecting the privacy and civil liberties of United States persons; and</text>
									</paragraph><paragraph id="ID103f223636204bc8991e4f10fea882e2"><enum>(5)</enum><text>perform such
				other duties as the Secretary may require relating to the security and
				resiliency of the Federal information infrastructure, national information
				infrastructure, and the national security and emergency preparedness
				communications infrastructure of the United States.</text>
									</paragraph></subsection><subsection id="ID3a5f38d98dc4433d9d813018caff4a67"><enum>(e)</enum><header>Authorities and
				responsibilities of Center</header><text>The Center shall—</text>
									<paragraph id="ID9d83ddb6374e4bc1a1bc2cd10bdbb78e"><enum>(1)</enum><text>engage in
				activities and otherwise coordinate Federal efforts to identify, protect
				against, remediate, and mitigate, respond to, and recover from cybersecurity
				threats, consequences, vulnerabilities and incidents impacting the Federal
				information infrastructure and the national information infrastructure,
				including by providing support to entities that own or operate national
				information infrastructure, at their request;</text>
									</paragraph><paragraph id="ID5d14bdc10e814caebeaf193046c1c259"><enum>(2)</enum><text>conduct
				risk-based assessments of the Federal information infrastructure, and risk
				assessments of critical infrastructure;</text>
									</paragraph><paragraph id="ID84cd52a5981144d298ca39f7e26c8468"><enum>(3)</enum><text>develop, oversee
				the implementation of, and enforce policies, principles, and guidelines on
				information security for the Federal information infrastructure, including
				exercise of the authorities under the Federal Information Security Management
				Act of 2002 (title III of Public Law 107–347; 116 Stat. 2946);</text>
									</paragraph><paragraph id="IDc2830bf003894e6a8a66a5a3ca7bef6f"><enum>(4)</enum><text>evaluate and
				facilitate the adoption of technologies designed to enhance the protection of
				information infrastructure, including making such technologies available to
				entities that own or operate national information infrastructure, with or
				without reimbursement, as necessary to accomplish the purposes of this
				section;</text>
									</paragraph><paragraph id="idc7fca3894ea54befa328d56fb237dcd6"><enum>(5)</enum><text>oversee the
				responsibilities related to national security and emergency preparedness
				communications infrastructure, including the functions of the Office of
				Emergency Communications and the National Communications System;</text>
									</paragraph><paragraph id="id984080a656a6459fa5e7358b23b9c21b"><enum>(6)</enum><subparagraph commented="no" display-inline="yes-display-inline" id="idA99FDD649C684AF0860D2B8C3610F994"><enum>(A)</enum><text>maintain comprehensive
				situational awareness of the security of the Federal information infrastructure
				and the national information infrastructure for the purpose of enabling and
				supporting activities under subparagraph (e)(1); and</text>
										</subparagraph><subparagraph id="id782e3ced85ba40849dd870c0e7fae70e" indent="up1"><enum>(B)</enum><text>provide classified and unclassified
				information to entities that own or operate national information infrastructure
				to support efforts by such entities to secure such infrastructure and for
				enhancing overall situational awareness;</text>
										</subparagraph></paragraph><paragraph id="idd6d0a8bd00174857a3e6b0c996970a42"><enum>(7)</enum><text>serve as the
				focal point for, and foster collaboration between, the Federal Government,
				State and local governments, and private entities on matters relating to the
				security of the national information infrastructure;</text>
									</paragraph><paragraph id="ide479bd29bc06413abc67a63cd13b64bf"><enum>(8)</enum><text>develop, in
				coordination with the Assistant Secretary for Infrastructure Protection, other
				Federal agencies, the private sector, and State and local governments a
				national incident response plan that details the roles of Federal agencies,
				State and local governments, and the private sector, and coordinate national
				cyber incident response efforts;</text>
									</paragraph><paragraph id="ID646a9f9f340a46b9a51eec1fe9729ddd"><enum>(9)</enum><text>consult, in
				coordination with the Secretary of State, with appropriate international
				partners to enhance the security of the Federal information infrastructure,
				national information infrastructure, and information infrastructure located
				outside the United States the disruption of which could result in national or
				regional catastrophic damage in the United States; and</text>
									</paragraph><paragraph id="ID28db696a01a2462e854d166baa4c8907"><enum>(10)</enum><text>coordinate the
				activities undertaken by Federal agencies to—</text>
										<subparagraph id="idF5CA0C025FB642B0B956C9626C5F6FAB"><enum>(A)</enum><text>protect Federal
				information infrastructure and national information infrastructure; and</text>
										</subparagraph><subparagraph id="id9B6659B1D11046779F72A2F4EDDEBCFF"><enum>(B)</enum><text>prepare the
				Nation to respond to, recover from, and mitigate against risks of incidents
				involving such infrastructure; and</text>
										</subparagraph></paragraph><paragraph id="ID4aa98d1b01364be3b143539703379216"><enum>(11)</enum><text>perform such
				other duties as the Secretary may require relating to the security and
				resiliency of the Federal information infrastructure, national information
				infrastructure, and national security and emergency preparedness communications
				infrastructure of the United States.</text>
									</paragraph></subsection><subsection id="ID2dac4f54b3e34ff4b2b363943ae2c253"><enum>(f)</enum><header>Use of existing
				mechanisms for collaboration</header><text>To avoid unnecessary duplication or
				waste, in carrying out the authorities and responsibilities of the Center under
				this subtitle, to the maximum extent practicable, the Director of the Center
				shall make use of existing mechanisms for collaboration and information
				sharing, including mechanisms relating to the identification and communication
				of cybersecurity threats, vulnerabilities, and associated consequences,
				established by other components of the Department or other Federal agencies and
				the information sharing mechanisms established under title VII of the
				<short-title>Cybersecurity Act of
				2012</short-title>.</text>
								</subsection><subsection id="IDab0ef478b41d45048ab512ed62640761"><enum>(g)</enum><header>Deputy
				directors</header>
									<paragraph id="IDfba6ab460fa34f1ebfa2924a6eb88aeb"><enum>(1)</enum><header>In
				general</header><text>There shall be a Deputy Director appointed by the
				Secretary, who shall—</text>
										<subparagraph id="idEB72103A2610443AA6F8A82329495A6F"><enum>(A)</enum><text>have expertise in
				infrastructure protection; and</text>
										</subparagraph><subparagraph id="id4B05E388412A4E7F95710BBA3486D35A"><enum>(B)</enum><text>ensure that the
				operations of the Center and the Office of Infrastructure Protection avoid
				duplication and use, to the maximum extent practicable, joint mechanisms for
				information sharing and coordination with the private sector.</text>
										</subparagraph></paragraph><paragraph id="IDadde2986206e4bf9918e3555df3f7b64"><enum>(2)</enum><header>Intelligence
				community</header><text>The Director of National Intelligence, with the
				concurrence of the Secretary, shall identify an employee of an element of the
				intelligence community to serve as a Deputy Director of the Center. The
				employee shall be detailed to the Center on a reimbursable basis for such
				period as is agreed to by the Director of the Center and the Director of
				National Intelligence, and, while serving as Deputy Director, shall report
				directly to the Director of the Center.</text>
									</paragraph></subsection><subsection id="ID5910803aacfe4d9b8be2c1ef27fc2aa4"><enum>(h)</enum><header>Cybersecurity
				exercise program</header><text>The Director of the Center shall develop and
				implement a national cybersecurity exercise program with the participation of
				State and local governments, international partners of the United States, and
				the private sector.</text>
								</subsection><subsection id="ID9a3e95bbf1a1468ab56ccfbc95b31bb4"><enum>(i)</enum><header>Liaison
				officers</header>
									<paragraph id="ID0497af533e30473a942dda01b4b9757a"><enum>(1)</enum><header>Required detail
				of liaison officers</header><text>The Secretary of Defense, the Attorney
				General, the Secretary of Commerce, and the Director of National Intelligence
				shall assign personnel to the Center to act as full-time liaisons.</text>
									</paragraph><paragraph id="ID137b7bee374a45bba591a0a2681eaa7e"><enum>(2)</enum><header>Optional detail
				of liaison officers</header><text>The head of any Federal agency not described
				in paragraph (1), with the concurrence of the Director of the Center, may
				assign personnel to the Center to act as liaisons.</text>
									</paragraph><paragraph id="ID96ea22d4b441496087c000eb7cc88e34"><enum>(3)</enum><header>Private sector
				liaison</header><text>The Director of the Center shall designate not less than
				1 employee of the Center to serve as a liaison with the private sector.</text>
									</paragraph></subsection><subsection id="ID72415d2f62e64ec6847848e061e7ee2f"><enum>(j)</enum><header>Privacy
				officer</header><text>The Director of the Center, in consultation with the
				Secretary, shall designate a full-time privacy officer.</text>
								</subsection><subsection id="ID30f3835fc3a5453a849d7d27be16c899"><enum>(k)</enum><header>Sufficiency of
				resources plan</header>
									<paragraph id="ID46cd8eb686ba4282b3c442edb2ad1693"><enum>(1)</enum><header>Report</header><text>Not
				later than 120 days after the date of enactment of the
				<short-title>Cybersecurity Act of 2012</short-title>, the
				Director of the Office of Management and Budget shall submit to the appropriate
				committees of Congress and the Comptroller General of the United States a
				report on the resources and staff necessary to carry out fully the
				responsibilities under this subtitle, including the availability of existing
				resources and staff.</text>
									</paragraph><paragraph id="ID9923811ba740441dbf36663bc499eedd"><enum>(2)</enum><header>Comptroller
				general review</header><text>The Comptroller General of the United States shall
				evaluate the reasonableness and adequacy of the report submitted by the
				Director of the Office of Management and Budget under paragraph (1) and submit
				to the appropriate committees of Congress a report regarding the same.</text>
									</paragraph></subsection><subsection id="id4019B24D17D94879B769F1E197DC2038"><enum>(l)</enum><header>No right or
				benefit</header><text>The provision of assistance or information under this
				section to governmental or private entities that own or operate critical
				infrastructure shall be at the discretion of the Secretary. The provision of
				certain assistance or information to a governmental or private entity pursuant
				to this section shall not create a right or benefit, substantive or procedural,
				to similar assistance or information for any other governmental or private
				entity.</text>
								</subsection></section><section commented="no" id="ID75908c8914a845419cc2235c95d290a6"><enum>243.</enum><header>Department of
				Homeland Security information sharing</header>
								<subsection id="IDb417b8d062bc42628ea873eccc310273"><enum>(a)</enum><header>In
				general</header>
									<paragraph id="ID75c6da25f40846d1b8a1c59531060ceb"><enum>(1)</enum><header>Assessment</header><text>Not
				later than 180 days after the date of enactment of the
				<short-title>Cybersecurity Act of 2012</short-title>, the
				Director of the Center, in consultation with the private sector, relevant
				government agencies, and nongovernmental organizations, shall conduct an
				assessment of existing and proposed information sharing models to identify best
				practices for sharing information across government and with the private
				sector, including through cybersecurity exchanges designated pursuant to
				section 703 of the <short-title>Cybersecurity Act of
				2012</short-title>.</text>
									</paragraph><paragraph id="IDfbca5de454a14909853ebadbd9813c2b"><enum>(2)</enum><header>Information
				sharing</header><text>The Director of the Center shall periodically review
				procedures established under subsection (b) and the program established in
				accordance with subsection (c) to ensure that classified and unclassified
				cybersecurity information, including information relating to threats,
				vulnerabilities, traffic, trends, incidents, and other anomalous activities
				affecting the Federal information infrastructure, national information
				infrastructure, or information systems, are being appropriately shared between
				and among appropriate Federal and non-Federal entities, including Federal
				cybersecurity centers, Federal and non-Federal network and security operations
				centers, cybersecurity exchanges, and non-Federal entities responsible for such
				information systems.</text>
									</paragraph></subsection><subsection id="IDd5e28ee3c9f54ed4b28b1494740712b6"><enum>(b)</enum><header>Federal
				agencies</header>
									<paragraph id="ID615ef4b5c927443991a03655ec2ca879"><enum>(1)</enum><header>Information
				sharing program</header><text>The Director of the Center, in consultation with
				the members of the Chief Information Officers Council established under section
				3603 of title 44, United States Code, shall establish a program for sharing
				information with and between the Center and other Federal agencies that
				includes processes and procedures—</text>
										<subparagraph id="IDa0f9ebb146184fad8d517feef4b1bb07"><enum>(A)</enum><text>under which the
				Director of the Center regularly shares with each Federal agency analyses and
				reports regarding the security of such agency information infrastructure and on
				the overall security of the Federal information infrastructure and information
				infrastructure that is owned, operated, controlled, or licensed for use by, or
				on behalf of, the Department of Defense, a military department, or another
				element of the intelligence community, which shall include means and methods of
				preventing, responding to, mitigating, and remediating cybersecurity threats
				and vulnerabilities; and</text>
										</subparagraph><subparagraph id="ID207d0b1580ea44a1bacd34fc60c3ae82"><enum>(B)</enum><text>under which
				Federal agencies provide the Director of the Center, upon request, with
				information concerning the security of the Federal information infrastructure,
				information infrastructure that is owned, operated, controlled, or licensed for
				use by, or on behalf of, the Department of Defense, a military department, or
				another element of the intelligence community, or the national information
				infrastructure necessary to carry out the duties of the Director of the Center
				under this subtitle or any other provision of law.</text>
										</subparagraph></paragraph><paragraph id="ID0e003529f8064bd4a3827be9e9b41d76"><enum>(2)</enum><header>Access to
				information</header>
										<subparagraph id="id4EEACF033B07469991A5694D329ECE91"><enum>(A)</enum><header>In
				general</header><text>The Director of the Center shall ensure—</text>
											<clause id="id332322D3D61D4A5A827613E504F74AFB"><enum>(i)</enum><text>that the head of
				each Federal agency has timely access to data, including appropriate raw and
				processed data, regarding the information infrastructure of the Federal agency;
				and</text>
											</clause><clause id="idF8AF96F4F89147FA97E50DDECF8B7BF4"><enum>(ii)</enum><text>to the greatest
				extent possible, that the head of each Federal agency is kept apprised of
				common trends in security compliance as well as the likelihood that a
				significant cybersecurity risk or incident could cause damage to the agency
				information infrastructure.</text>
											</clause></subparagraph><subparagraph id="ID1609b74f2b644bb09331c6216c1ba35a"><enum>(B)</enum><header>Compliance</header><text>The
				head of a Federal agency shall comply with all processes and procedures
				established under this subsection regarding notification to the Director of the
				Center relating to incidents.</text>
										</subparagraph><subparagraph id="IDbde08cae6170453691eefba845e24c4f"><enum>(C)</enum><header>Immediate
				notification required</header><text>Unless otherwise directed by the President,
				any Federal agency with a national security system shall, consistent with the
				level of the risk, immediately notify the Director of the Center regarding any
				incident affecting the security of a national security system.</text>
										</subparagraph></paragraph></subsection><subsection id="ID343eec8c6b8c4a4cacc266fc68666910"><enum>(c)</enum><header>Private sector,
				State and local governments, and international partners</header>
									<paragraph id="IDa579f03973b54f35a1369bdb7cf89561"><enum>(1)</enum><header>Information
				sharing program</header><text>The Director of the Center shall establish a
				program for sharing cybersecurity threat and vulnerability information in
				support of activities under section 242(e)(1) between the Center, cybersecurity
				exchanges designated pursuant to section 703 of the
				<short-title>Cybersecurity Act of 2012</short-title>,
				State and local governments, the private sector, and international partners,
				which shall include processes and procedures that—</text>
										<subparagraph id="IDf5dd595d66f045979921a21175634b33"><enum>(A)</enum><text>expand and
				enhance the sharing of timely and actionable cybersecurity threat and
				vulnerability information by the Federal Government with owners and operators
				of the national information infrastructure;</text>
										</subparagraph><subparagraph id="IDc24b87d1f29c4d8894b1074d953ce3c4"><enum>(B)</enum><text>establish
				criteria under which owners or operators of covered critical infrastructure
				information systems shall share information about incidents affecting covered
				critical infrastructure, and other relevant data with the Federal
				Government;</text>
										</subparagraph><subparagraph id="IDef482f2ce6d0488e9af8140b00ca3e39"><enum>(C)</enum><text>ensure voluntary
				information sharing with and from the private sector, State and local
				governments, and international partners of the United States on—</text>
											<clause id="ID2b839b97a4b346f29d36db34c84f9094"><enum>(i)</enum><text>cybersecurity
				threats, vulnerabilities, incidents, and anomalous activities affecting the
				national information infrastructure; and</text>
											</clause><clause id="IDdb53c50fd491425a9b285e9d40a33e12"><enum>(ii)</enum><text>means and
				methods of identifying, preventing, responding to, mitigating and remediating
				cybersecurity threats, and vulnerabilities;</text>
											</clause></subparagraph><subparagraph id="IDc7694cc6f8704647b01c06466ca84e76"><enum>(D)</enum><text>establish a
				method of accessing classified or unclassified information, as appropriate and
				in accordance with applicable laws protecting trade secrets, that will provide
				situational awareness of the security of the Federal information infrastructure
				and the national information infrastructure relating to cybersecurity threats,
				and vulnerabilities, including traffic, trends, incidents, damage, and other
				anomalous activities affecting the Federal information infrastructure or the
				national information infrastructure;</text>
										</subparagraph><subparagraph id="ID3513b30ba47345cd959df41e252adaa1"><enum>(E)</enum><text>establish
				guidance on the form, content, and priority of incident reports that shall be
				submitted under subsection (c)(1)(B), which shall—</text>
											<clause id="IDd63641734625413a849a0b92647e779e"><enum>(i)</enum><text>include
				appropriate mechanisms to protect personally identifiable information;
				and</text>
											</clause><clause id="ID98955b4a3aef44129e98ab8cfdca5a58"><enum>(ii)</enum><text>prioritize the
				reporting of incidents based on the risk the incident poses to the disruption
				of the reliable operation of the covered critical infrastructure; and</text>
											</clause></subparagraph><subparagraph id="IDade2cba03a244baaa7c334823f345c09"><enum>(F)</enum><text>establish a
				procedure for notifying an information technology provider if a vulnerability
				is detected in the product or service produced by the information technology
				provider and, where possible, working with the information technology provider
				to remediate the vulnerability before any public disclosure of the
				vulnerability so as to minimize the opportunity for the vulnerability to be
				exploited.</text>
										</subparagraph></paragraph><paragraph id="ID0fed6447e0d148bfb9095ade4725b7b0"><enum>(2)</enum><header>Coordination</header><text>In
				carrying out the duties under this subsection, the Director of the Center shall
				coordinate, as appropriate, with Federal and non-Federal entities engaged in
				similar information sharing efforts.</text>
									</paragraph><paragraph id="ID9503f394131f4478b633a1049a2bd306"><enum>(3)</enum><header>Evaluation of
				access to classified information</header><text>The Director of the Center, in
				coordination with the Director of National Intelligence, shall conduct an
				annual evaluation of the sufficiency of access to classified information by
				owners and operators of national information infrastructure.</text>
									</paragraph><paragraph id="ID4c9d589a46774884a66e11c954aa6b96"><enum>(4)</enum><header>Evaluation</header><text>The
				Director of the Center shall create and promote a mechanism for owners and
				operators of national information infrastructure to provide feedback about the
				operations of the Center and recommendations for improvements of the Center,
				including recommendations to improve the sharing of classified and unclassified
				information.</text>
									</paragraph><paragraph id="IDecb0677292ef4641a4170bdb19ca1120"><enum>(5)</enum><header>Guidelines</header><text>The
				Director of the Center, in consultation with the Attorney General, the Director
				of National Intelligence, and the Privacy Officer established under section
				242(j), shall develop guidelines to protect the privacy and civil liberties of
				United States persons and intelligence sources and methods, while carrying out
				this subsection.</text>
									</paragraph></subsection><subsection id="IDee703c392561448fbcf112bf1571a34f"><enum>(d)</enum><header>Voluntarily
				shared information</header><text>Covered information, as defined in section 107
				of the <short-title>Cybersecurity Act of
				2012</short-title>, submitted to the Center in accordance with this subtitle
				shall be treated as voluntarily shared critical infrastructure information
				under section 214, except that the requirement of section 214 that the
				information be voluntarily submitted, including the requirement for an express
				statement, shall not be required for submissions of covered information.</text>
								</subsection><subsection id="ID43dbb8e43c7341969cc250d6f46be1fb"><enum>(e)</enum><header>Limitation on
				use of voluntarily submitted information for regulatory enforcement
				actions</header><text>A Federal entity may not use information submitted under
				this subtitle as evidence in a regulatory enforcement action against the
				individual or entity that lawfully submitted the information.</text>
								</subsection></section><section id="IDba83ea55414d437d8753bc9d977b05e4"><enum>244.</enum><header>Access to
				information</header><text display-inline="no-display-inline">Unless otherwise
				directed by the President—</text>
								<paragraph id="ID58c64f6fc7ba4d6c8b893d878464a133"><enum>(1)</enum><text>the Director of
				the Center shall have access to, receive, and analyze law enforcement
				information, intelligence information, terrorism information, and any other
				information in the possession of Federal agencies relevant to the security of
				the Federal information infrastructure, information infrastructure that is
				owned, operated, controlled, or licensed for use by, or on behalf of, the
				Department of Defense, a military department, or another element of the
				intelligence community, or national information infrastructure and, consistent
				with applicable law, may also receive such information, from State and local
				governments (including law enforcement agencies), and private entities,
				including information provided by any contractor to a Federal agency regarding
				the security of the agency information infrastructure; and</text>
								</paragraph><paragraph id="IDbeb2cafb82b34efd9d3f8d463de9d964"><enum>(2)</enum><text>any Federal
				agency in possession of law enforcement information, intelligence information,
				terrorism information, or any other information relevant to the security of the
				Federal information infrastructure, information infrastructure that is owned,
				operated, controlled, or licensed for use by, or on behalf of, the Department
				of Defense, a military department, or another element of the intelligence
				community, or national information infrastructure shall provide that
				information to the Director of the Center in a timely manner.</text>
								</paragraph></section><section id="IDa6370466ec42458c97b5dc069b8a5d0d"><enum>245.</enum><header>National
				Center for Cybersecurity and Communications acquisition authorities</header>
								<subsection id="IDed463f7187e14b01b35379013ec8ac63"><enum>(a)</enum><header>In
				General</header><text>The National Center for Cybersecurity and Communications
				is authorized to use the authorities under subsections (c)(1) and (d)(1)(B) of
				section 2304 of title 10, United States Code, instead of the authorities under
				subsections (a)(1) and (b)(2) of section 3304 of title 41, United States Code,
				subject to all other requirements of sections 3301 and 3304 of title 41, United
				States Code.</text>
								</subsection><subsection id="IDd3950ca660904db1ac4c4e3c98e01088"><enum>(b)</enum><header>Guidelines</header><text>Not
				later than 90 days after the date of enactment of the
				<short-title>Cybersecurity Act of 2012</short-title>, the
				chief procurement officer of the Department of Homeland Security shall issue
				guidelines for use of the authority under subsection (a).</text>
								</subsection><subsection id="ID02ac58f3e6af47ceb9cc68860977bf2a"><enum>(c)</enum><header>Termination</header><text>The
				National Center for Cybersecurity and Communications may not use the authority
				under subsection (a) on and after the date that is 3 years after the date of
				enactment of this Act.</text>
								</subsection><subsection id="ID17ffad9f0b79415d9ecfc92ccc1ab00e"><enum>(d)</enum><header>Reporting</header>
									<paragraph id="ID114e08bf0e46486a932ab0e605568473"><enum>(1)</enum><header>In
				General</header><text>On a semiannual basis, the Director of the Center shall
				submit a report on use of the authority granted by subsection (a) to—</text>
										<subparagraph id="ID5282aaaf87bd4b2794f41c6403d38142"><enum>(A)</enum><text>the Committee on
				Homeland Security and Governmental Affairs of the Senate; and</text>
										</subparagraph><subparagraph id="ID1bc316884225482fa3ee8faba980b283"><enum>(B)</enum><text>the Committee on
				Homeland Security of the House of Representatives.</text>
										</subparagraph></paragraph><paragraph id="ID0e7457f9c4f64557bfe0a672a16c8e63"><enum>(2)</enum><header>Contents</header><text>Each
				report submitted under paragraph (1) shall include, at a minimum—</text>
										<subparagraph id="ID05e0a24a7d1145899b33bb6c86d19071"><enum>(A)</enum><text>the number of
				contract actions taken under the authority under subsection (a) during the
				period covered by the report; and</text>
										</subparagraph><subparagraph id="ID9e208e74ef554f72b90f11a9407335ff"><enum>(B)</enum><text>for each contract
				action described in subparagraph (A)—</text>
											<clause id="ID15ccc838f68b4cf6ad1167dde0efba24"><enum>(i)</enum><text>the total dollar
				value of the contract action;</text>
											</clause><clause id="ID69b66121f31b4593a8fa9008497e4f38"><enum>(ii)</enum><text>a summary of the
				market research conducted by the National Center for Cybersecurity and
				Communications, including a list of all offerors who were considered and those
				who actually submitted bids, in order to determine that use of the authority
				was appropriate; and</text>
											</clause><clause id="ID92133b2466634c60a7b82660944aa362"><enum>(iii)</enum><text>a copy of the
				justification and approval documents required by section 3304(e) of title 41,
				United States Code.</text>
											</clause></subparagraph></paragraph><paragraph id="ID6590bb228d6d4402a9a93c461c228519"><enum>(3)</enum><header>Classified
				Annex</header><text>A report submitted under this subsection shall be submitted
				in an unclassified form, but may include a classified annex, if
				necessary.</text>
									</paragraph></subsection></section><section id="IDa333a16355774666892cf4f26261ac50"><enum>246.</enum><header>Recruitment
				and retention program for the National Center for Cybersecurity and
				Communications</header>
								<subsection id="IDbf5fb45f210f48049da5ef99716c3ea0"><enum>(a)</enum><header>Definitions</header><text>In
				this section:</text>
									<paragraph id="IDf4b3d883827143eabdf96ba54fe6d3a4"><enum>(1)</enum><header>Collective
				bargaining agreement</header><text>The term <term>collective bargaining
				agreement</term> has the meaning given that term in section 7103(a)(8) of title
				5, United States Code.</text>
									</paragraph><paragraph id="id10A0D48F59F841E2B272B75720B8191D"><enum>(2)</enum><header>Qualified
				Employee</header><text>The term <term>qualified employee</term> means an
				employee who performs functions relating to the security of Federal systems and
				critical information infrastructure.</text>
									</paragraph></subsection><subsection id="IDf42165f09a254f8b977f702f6e7094ca"><enum>(b)</enum><header>General
				authority</header>
									<paragraph id="IDf123e8e27e604c5abc08066bdc708628"><enum>(1)</enum><header>Establish
				positions, appoint personnel, and fix rates of pay</header><text>The Secretary
				may exercise with respect to qualified employees of the Department the same
				authority that the Secretary of Defense has with respect to civilian
				intelligence personnel under sections 1601, 1602, and 1603 of title 10, United
				States Code, to establish as positions in the excepted service, to appoint
				individuals to those positions, and fix pay. Such authority shall be exercised
				subject to the same conditions and limitations applicable to the Secretary of
				Defense with respect to civilian intelligence personnel of the Department of
				Defense.</text>
									</paragraph><paragraph id="ID8f034ed5cbab4a7db2f98f7e7947b462"><enum>(2)</enum><header>Scholarship
				Program</header><text>The Secretary may exercise with respect to qualified
				employees of the Department the same authority that the Secretary of Defense has
				with respect to civilian personnel under section 2200a of title 10, United
				States Code, to the same extent, and subject to the same conditions and
				limitations, that the Secretary of Defense may exercise such authority with
				respect to civilian personnel of the Department of Defense.</text>
									</paragraph><paragraph id="ID23b94957a0014c72ba1ec586697362e1"><enum>(3)</enum><header>Plan for
				execution of authorities</header><text>Not later than 120 days after the date
				of enactment of this subtitle, the Secretary shall submit a report to the
				appropriate committees of Congress with a plan for the use of the authorities
				provided under this subsection.</text>
									</paragraph><paragraph id="ID3dd8ac4007cd42288ff08e74aa92b0d2"><enum>(4)</enum><header>Collective
				bargaining agreements</header><text>Nothing in paragraph (1) may be construed
				to impair the continued effectiveness of a collective bargaining agreement with
				respect to an office, component, subcomponent, or equivalent of the Department
				that is a successor to an office, component, subcomponent, or equivalent of the
				Department covered by the agreement before the succession.</text>
									</paragraph><paragraph id="ID55244786c58c4439a06e5608c225ddd3"><enum>(5)</enum><header>Required
				regulations</header><text>The Secretary, in coordination with the Director of
				the Center and the Director of the Office of Personnel Management, shall
				prescribe regulations for the administration of this section.</text>
									</paragraph></subsection><subsection id="ID39be5ba780ab4e32ae4b65b9641e6a43"><enum>(c)</enum><header>Merit System
				Principles And Civil Service Protections: Applicability</header>
									<paragraph id="ID9e174027f4ad4372a612123ae9138a68"><enum>(1)</enum><header>Applicability
				of merit system principles</header><text>The Secretary shall exercise the
				authority under subsection (b) in a manner consistent with the merit system
				principles set forth in section 2301 of title 5, United States Code.</text>
									</paragraph><paragraph id="ID7876965b8aae4147a73cd2858fcfb016"><enum>(2)</enum><header>Civil service
				protections</header><text>Section 1221, section 2302, and chapter 75 of title
				5, United States Code, shall apply to the positions established under
				subsection (b)(1).</text>
									</paragraph></subsection><subsection id="ID779fb9d900cf45d884abc858bae2d107"><enum>(d)</enum><header>Requirements</header><text>Before
				the initial exercise of any authority authorized under subsection (b)(1) the
				Secretary shall—</text>
									<paragraph id="ID039212060f474e9bb6eb448cd67ec6d5"><enum>(1)</enum><text>seek input from
				affected employees, and the union representatives of affected employees as
				applicable, and Federal manager and professional associations into the design
				and implementation of a fair, credible, and transparent system for exercising
				any authority under subsection (b)(1);</text>
									</paragraph><paragraph id="IDca7ad99024b24c0fac938746316acf27"><enum>(2)</enum><text>make a good faith
				attempt to resolve any employee concerns regarding proposed changes in
				conditions of employment through discussions with the groups described in
				paragraph (1);</text>
									</paragraph><paragraph id="ID45ae8ea3cc3e474abcf4374bc44a7e34"><enum>(3)</enum><text>develop a program
				to provide training to supervisors of cybersecurity employees at the Department
				on the use of the new authorities, including actions, options, and strategies a
				supervisor may use in—</text>
										<subparagraph id="IDc88c601d31ce463d85caac930d369526"><enum>(A)</enum><text>developing and
				discussing relevant goals and objectives with the employee, communicating and
				discussing progress relative to performance goals and objectives, and
				conducting performance appraisals;</text>
										</subparagraph><subparagraph id="ID887b71d858b3493e9629a49c323963e4"><enum>(B)</enum><text>mentoring and
				motivating employees, and improving employee performance and
				productivity;</text>
										</subparagraph><subparagraph id="IDaf9bfdcbeab140018cfae71f9cc102db"><enum>(C)</enum><text>fostering a work
				environment characterized by fairness, respect, equal opportunity, and
				attention to the quality of work of the employees;</text>
										</subparagraph><subparagraph id="ID06bafc6c1c7244f4a220d99aceb22d63"><enum>(D)</enum><text>effectively
				managing employees with unacceptable performance;</text>
										</subparagraph><subparagraph id="ID62886466e2ad4f99b9467671c6b276e2"><enum>(E)</enum><text>addressing
				reports of a hostile work environment, reprisal, or harassment of or by another
				supervisor or employee; and</text>
										</subparagraph><subparagraph id="IDb758855d70834258969bf4e013904779"><enum>(F)</enum><text>otherwise
				carrying out the duties and responsibilities of a supervisor;</text>
										</subparagraph></paragraph><paragraph id="ID7cc9f3f3587642a1a7ca80a66f43c57a"><enum>(4)</enum><text>develop a program
				to provide training to supervisors of cybersecurity employees at the Department
				on the prohibited personnel practices under section 2302 of title 5, United
				States Code, (particularly with respect to the practices described in
				paragraphs (1) and (8) of section 2302(b) of title 5, United States Code),
				employee collective bargaining and union participation rights, and the
				procedures and processes used to enforce employee rights; and</text>
									</paragraph><paragraph id="ID84408d022f284c4fa59191afbc56c5fd"><enum>(5)</enum><text>develop a program
				under which experienced supervisors mentor new supervisors by—</text>
										<subparagraph id="ID62764f3357f14c39a933b5b3d084912b"><enum>(A)</enum><text>sharing knowledge
				and advice in areas such as communication, critical thinking, responsibility,
				flexibility, motivating employees, teamwork, leadership, and professional
				development; and</text>
										</subparagraph><subparagraph id="ID4db34581c2294c55ba21c93f3f5a092c"><enum>(B)</enum><text>pointing out
				strengths and areas for development.</text>
										</subparagraph></paragraph></subsection><subsection id="ID1a0e3aebbe094f24a4d8fb1b5171bd23"><enum>(e)</enum><header>Supervisor
				requirement</header>
									<paragraph id="id2DDA634E62574F9A875A504EC820945A"><enum>(1)</enum><header>In
				general</header><text>Except as provided in paragraph (2), not later than 1
				year after the date of enactment of the <short-title>Cybersecurity Act of 2012</short-title> and every 3 years
				thereafter, every supervisor of cybersecurity employees at the Department shall
				complete the programs established under paragraphs (3) and (4) of subsection
				(d).</text>
									</paragraph><paragraph id="idC5A4D846B15C486F996A39EEFB5629D1"><enum>(2)</enum><header>Exception</header><text>A
				supervisor of cybersecurity employees at the Department who is appointed after
				the date of enactment of the <short-title>Cybersecurity
				Act of 2012</short-title> shall complete the programs established under
				paragraphs (3) and (4) of subsection (d) not later than 1 year after the date
				on which the supervisor is appointed to the position, and every 3 years
				thereafter.</text>
									</paragraph><paragraph id="id13DDC3BA983A4ED0BA0707FF486CDE74"><enum>(3)</enum><header>Ongoing
				participation</header><text>Participation by supervisors of cybersecurity
				employees at the Department in the program established under subsection (d)(5)
				shall be ongoing.</text>
									</paragraph></subsection><subsection id="ID1b3f3cca420f416e876e82a529a57967"><enum>(f)</enum><header>Conversion to
				competitive service</header><text>In consultation with the Director of the
				Center, the Secretary may grant competitive civil service status to a qualified
				employee appointed to the excepted service under subsection (b) if that
				employee is employed in the Center or is transferring to the Center.</text>
								</subsection><subsection id="IDef52784b24364fc08c99ed49bfd579c0"><enum>(g)</enum><header>Annual
				report</header><text>Not later than 1 year after the date of enactment of this
				subtitle, and every year thereafter for 4 years, the Secretary shall submit to
				the appropriate committees of Congress a detailed report that—</text>
									<paragraph id="ID89aa855523e14381966509c56a542296"><enum>(1)</enum><text>discusses the
				process used by the Secretary in accepting applications, assessing candidates,
				ensuring adherence to veterans’ preference, and selecting applicants for
				vacancies to be filled by a qualified employee;</text>
									</paragraph><paragraph id="IDdd07e4eb262e4942844d5c3d00274ba9"><enum>(2)</enum><text>describes—</text>
										<subparagraph id="id9D1D5ECE73D44D19AA7F8D5607217423"><enum>(A)</enum><text>how the Secretary
				plans to fulfill the critical need of the Department to recruit and retain
				qualified employees;</text>
										</subparagraph><subparagraph id="id7BF52A11C61D49E9AA6DAC41017896E4"><enum>(B)</enum><text>the measures that
				will be used to measure progress; and</text>
										</subparagraph><subparagraph id="id8F37747EFE184B45915FB6E029E023C9"><enum>(C)</enum><text>any actions taken
				during the reporting period to fulfill such critical need;</text>
										</subparagraph></paragraph><paragraph id="ID24ea454d242e4a79a884cc9c778a4880"><enum>(3)</enum><text>discusses how the
				planning and actions taken under paragraph (2) are integrated into the
				strategic workforce planning of the Department;</text>
									</paragraph><paragraph id="ID9f0a4a4ddd26418b99812da89e2804f1"><enum>(4)</enum><text>provides metrics
				on actions occurring during the reporting period, including—</text>
										<subparagraph id="ID2209babac1ad4b96a3be74c2cf7c4240"><enum>(A)</enum><text>the number of
				qualified employees hired by occupation and grade and level or pay band;</text>
										</subparagraph><subparagraph id="ID8abaf058019c4495b2537aca506cb8f8"><enum>(B)</enum><text>the total number
				of veterans hired;</text>
										</subparagraph><subparagraph id="ID43ba7bbefa5a42419ceb76d1bf02e306"><enum>(C)</enum><text>the number of
				separations of qualified employees by occupation and grade and level or pay
				band;</text>
										</subparagraph><subparagraph id="IDac8aec38d6474e47a181257ae81a08ad"><enum>(D)</enum><text>the number of
				retirements of qualified employees by occupation and grade and level or pay
				band; and</text>
										</subparagraph><subparagraph id="ID9a131d1000db4eb4a446957f9b4c2b46"><enum>(E)</enum><text>the number and
				amounts of recruitment, relocation, and retention incentives paid to qualified
				employees by occupation and grade and level or pay band.</text>
										</subparagraph></paragraph></subsection></section><section id="ID5c0cf4ce3d51475281b45d9b441cea20"><enum>247.</enum><header>Prohibited
				conduct</header><text display-inline="no-display-inline">None of the
				authorities provided under this subtitle shall authorize the Director of the
				Center, the Center, the Department, or any other Federal entity to—</text>
								<paragraph id="IDc38632db32654daebc84cb794e6b4804"><enum>(1)</enum><text>compel the
				disclosure of information from a private entity relating to an incident unless
				otherwise authorized by law; or</text>
								</paragraph><paragraph id="IDd582dae0099748a499034e44af2206c1"><enum>(2)</enum><text>intercept a wire,
				oral, or electronic communication (as those terms are defined in section 2510
				of title 18, United States Code), access a stored electronic or wire
				communication, install or use a pen register or trap and trace device, or
				conduct electronic surveillance (as defined in section 101 of the Foreign
				Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)) relating to an incident
				unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of
				title 18, United States Code, or the Foreign Intelligence Surveillance Act of
				1978 (50 U.S.C. 1801 et
				seq.).</text>
								</paragraph></section></subtitle><after-quoted-block>.</after-quoted-block></quoted-block>
				</subsection><subsection id="id0A024693C1634757A124899203CC552A"><enum>(b)</enum><header>Technical and
			 conforming amendment</header><text>The table of contents in section 1(b) of the
			 Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended by inserting
			 after the item relating to section 237 the following:</text>
					<quoted-block id="id00aa92c6-644e-4d61-bf8f-956e06c46b60" style="OLC">
						<toc>
							<toc-entry idref="id5D00954CBF94409B93D467C1233E5508" level="subtitle">Subtitle E—Cybersecurity</toc-entry>
							<toc-entry idref="ID1bda65c3690248ffa8b0f77639df8253" level="section">Sec. 241. Definitions.</toc-entry>
							<toc-entry idref="idA2F947FA68CC42F6AE2E911520EF7FD6" level="section">Sec. 242. Consolidation of existing resources.</toc-entry>
							<toc-entry idref="ID75908c8914a845419cc2235c95d290a6" level="section">Sec. 243. Department of Homeland Security information
				sharing.</toc-entry>
							<toc-entry idref="IDba83ea55414d437d8753bc9d977b05e4" level="section">Sec. 244. Access to information.</toc-entry>
							<toc-entry idref="IDa6370466ec42458c97b5dc069b8a5d0d" level="section">Sec. 245. National Center for Cybersecurity and Communications
				acquisition authorities.</toc-entry>
							<toc-entry idref="IDa333a16355774666892cf4f26261ac50" level="section">Sec. 246. Recruitment and retention program for the National
				Center for Cybersecurity and Communications.</toc-entry>
							<toc-entry idref="ID5c0cf4ce3d51475281b45d9b441cea20" level="section">Sec. 247. Prohibited
				conduct.</toc-entry>
						</toc>
						<after-quoted-block>.</after-quoted-block></quoted-block>
				</subsection></section></title><title id="id2487DB755B2240DA9CB1C2F2F611FC0D"><enum>IV</enum><header>Education,
			 recruitment, and workforce development</header>
			<section id="id487750F281F54E119BF01E1646D8091A"><enum>401.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text>
				<paragraph id="ID72bc56d777914de6a372e5800588fac4"><enum>(1)</enum><header>Cybersecurity
			 mission</header><text>The term <term>cybersecurity mission</term> means
			 activities that encompass the full range of threat reduction, vulnerability
			 reduction, deterrence, international engagement, incident response, resiliency,
			 and recovery policies and activities, including computer network operations,
			 information assurance, law enforcement, diplomacy, military, and intelligence
			 missions as such activities relate to the security and stability of
			 cyberspace.</text>
				</paragraph><paragraph id="ID1dc4728bd74b467cbab4241cd20f9067"><enum>(2)</enum><header>Cybersecurity
			 mission of a Federal agency</header><text>The term <term>cybersecurity mission
			 of a Federal agency</term> means the portion of a cybersecurity mission that is
			 the responsibility of a Federal agency.</text>
				</paragraph></section><section id="IDfb4659a308374b9d868dfc85399a75f8"><enum>402.</enum><header>National
			 education and awareness campaign</header>
				<subsection id="IDb1aa383ac5a6465e92a8da621eddf177"><enum>(a)</enum><header>In
			 general</header><text>The Secretary, in consultation with appropriate Federal
			 agencies, shall develop and implement outreach and awareness programs on
			 cybersecurity, including—</text>
					<paragraph id="ID7b2203cce7014f0ea42018912d377591"><enum>(1)</enum><text>in consultation
			 with the Director of the National Institute of Standards and Technology—</text>
						<subparagraph id="id6C71CC9900B34493B2EC7199096096FD"><enum>(A)</enum><text>a public
			 education campaign to increase the awareness of cybersecurity, cyber safety,
			 and cyber ethics, which shall include the use of the Internet, social media,
			 entertainment, and other media to reach the public; and</text>
						</subparagraph><subparagraph id="ID2f25234f03f24443b48b671f849002a2"><enum>(B)</enum><text>an education
			 campaign to increase the understanding of State and local governments and
			 private sector entities of the benefits of ensuring effective risk management
			 of the information infrastructure versus the costs of failure to do so and
			 methods to mitigate and remediate vulnerabilities; and</text>
						</subparagraph></paragraph><paragraph id="ID47ed1e44d38847009204c7275346db75"><enum>(2)</enum><text>in coordination
			 with the Secretary of Commerce, development of a program to publicly recognize
			 or identify products, services, and companies, including owners and operators,
			 that meet the highest standards of cybersecurity.</text>
					</paragraph></subsection><subsection id="id8A8D0CD712754A30AB516E9965F6E61C"><enum>(b)</enum><header>Considerations</header><text>In
			 carrying out the authority described in subsection (a), the Secretary of
			 Commerce, the Secretary, and the Director of the National Institute of
			 Standards and Technology shall leverage existing programs designed to inform
			 the public of safety and security of products or services, including
			 self-certifications and independently-verified assessments regarding the
			 quantification and valuation of information security risk.</text>
				</subsection></section><section id="IDbf31f9a8885d4e57b1622cc760aba677"><enum>403.</enum><header>National
			 cybersecurity competition and challenge</header>
				<subsection id="IDc57fc2b1afde4ff68a1086d406235fd4"><enum>(a)</enum><header>Talent
			 competition and challenge</header>
					<paragraph id="IDfec912b1ea3149c3a1e91841e9853d9e"><enum>(1)</enum><header>In
			 general</header><text>The Secretary of Homeland Security and the Secretary of
			 Commerce shall establish a program to conduct competitions and challenges and
			 ensure the effective operation of national and statewide competitions and
			 challenges that seek to identify, develop, and recruit talented individuals to
			 work in Federal agencies, State and local government agencies, and the private
			 sector to perform duties relating to the security of the Federal information
			 infrastructure or the national information infrastructure.</text>
					</paragraph><paragraph id="ID53579cf83abc4424b48b4b46209ae06e"><enum>(2)</enum><header>Participation</header><text>Participants
			 in the competitions and challenges of the program established under paragraph
			 (1) shall include—</text>
						<subparagraph id="ID826ae6e4424d489f8aaf4c3a86938c70"><enum>(A)</enum><text>students enrolled
			 in grades 9 through 12;</text>
						</subparagraph><subparagraph id="ID012dd95daab64a92a38a37c8e1d28ae3"><enum>(B)</enum><text>students enrolled
			 in a postsecondary program of study leading to a baccalaureate degree at an
			 institution of higher education;</text>
						</subparagraph><subparagraph id="ID48f5d04b05e0498c8f3400b6f06c2ebf"><enum>(C)</enum><text>students enrolled
			 in a postbaccalaureate program of study leading to an institution of higher
			 education;</text>
						</subparagraph><subparagraph id="ID164f128c21b14bbfa606013a16f341f7"><enum>(D)</enum><text>institutions of
			 higher education and research institutions;</text>
						</subparagraph><subparagraph id="ID3a554405a57548428bb5f14a361a5c4b"><enum>(E)</enum><text>veterans;
			 and</text>
						</subparagraph><subparagraph id="ID6233720abdb94d4cb6ad98b82ff50b0b"><enum>(F)</enum><text>other groups or
			 individuals as the Secretary of Homeland Security and the Secretary of Commerce
			 determine appropriate.</text>
						</subparagraph></paragraph><paragraph id="ID7c7e997877bf48888a9f2f5fe4acd619"><enum>(3)</enum><header>Support of
			 other competitions and challenges</header><text>The program established under
			 paragraph (1) may support other competitions and challenges not established
			 under this subsection through affiliation and cooperative agreements
			 with—</text>
						<subparagraph id="ID2c5c873844de45c7b71f631457044f22"><enum>(A)</enum><text>Federal
			 agencies;</text>
						</subparagraph><subparagraph id="ID0846b6f627134e17ba7ed8650d194db8"><enum>(B)</enum><text>regional, State,
			 or school programs supporting the development of cyber professionals;</text>
						</subparagraph><subparagraph id="IDa1178ab2ecd840c581d7dd0f3d82a587"><enum>(C)</enum><text>State, local, and
			 tribal governments; or</text>
						</subparagraph><subparagraph id="ID1a8401a077bf4a58aa3acf6b5241571b"><enum>(D)</enum><text>other private
			 sector organizations.</text>
						</subparagraph></paragraph><paragraph id="ID17a8e2d572ca4e8ca6105b379ae189d8"><enum>(4)</enum><header>Areas of
			 talent</header><text>The program established under paragraph (1) shall seek to
			 identify, develop, and recruit exceptional talent relating to—</text>
						<subparagraph id="ID853dabbdf03f49fe86b18230af104bad"><enum>(A)</enum><text>ethical
			 hacking;</text>
						</subparagraph><subparagraph id="ID39befb93ab074e9a8c16536704f46900"><enum>(B)</enum><text>penetration
			 testing;</text>
						</subparagraph><subparagraph id="IDe09441ec097745479ac422d74d4da085"><enum>(C)</enum><text>vulnerability
			 assessment;</text>
						</subparagraph><subparagraph id="ID146ec76a7b05427eafda1ed4cc2bc331"><enum>(D)</enum><text>continuity of
			 system operations;</text>
						</subparagraph><subparagraph id="ID85d906cbd8d24c09b11ea6c7211bca94"><enum>(E)</enum><text>cyber
			 forensics;</text>
						</subparagraph><subparagraph id="ID4d8a38ead4e54198babcc6ce9368d2e5"><enum>(F)</enum><text>offensive and
			 defensive cyber operations; and</text>
						</subparagraph><subparagraph id="IDc87a764db2c7433e91ee3dabeaef50a0"><enum>(G)</enum><text>other areas to
			 fulfill the cybersecurity mission as the Director determines
			 appropriate.</text>
						</subparagraph></paragraph><paragraph id="IDdf4178acad9944e7ad1c25b5c7666b36"><enum>(5)</enum><header>Internships</header><text>The
			 Director of the Office of Personnel Management shall establish, in coordination
			 with the Director of the National Center for Cybersecurity and Communications,
			 a program to provide, where appropriate, internships or other work experience
			 in the Federal government to the winners of the competitions and
			 challenges.</text>
					</paragraph></subsection><subsection id="IDc760bfdb9bbd433bb2574ba04466d5e6"><enum>(b)</enum><header>National
			 research and development competition and challenge</header>
					<paragraph id="IDaa5de590cb444083a21f4f40e1149f14"><enum>(1)</enum><header>In
			 general</header><text>The Director of the National Science Foundation, in
			 consultation with appropriate Federal agencies, shall establish a program of
			 cybersecurity competitions and challenges to stimulate innovation in basic and
			 applied cybersecurity research, technology development, and prototype
			 demonstration that has the potential for application to the information
			 technology activities of the Federal Government.</text>
					</paragraph><paragraph id="id08F60C3C523B418CB0A1E9A2F6E8BC72"><enum>(2)</enum><header>Participation</header><text>Participants
			 in the competitions and challenges of the program established under paragraph
			 (1) shall include—</text>
						<subparagraph id="idF5AE95D47E444D2597A946662E7675F2"><enum>(A)</enum><text>students enrolled
			 in grades 9 through 12;</text>
						</subparagraph><subparagraph id="idE1F6CA52182E4F3B846F2E1D57C65C5B"><enum>(B)</enum><text>students enrolled
			 in a postsecondary program of study leading to a baccalaureate degree at an
			 institution of higher education;</text>
						</subparagraph><subparagraph id="id9B080AB9E67245388BAC18978D30387C"><enum>(C)</enum><text>students enrolled
			 in a postbaccalaureate program of study leading to an institution of higher
			 education;</text>
						</subparagraph><subparagraph id="id3F6012E0924248DCB5DAF9634C46F991"><enum>(D)</enum><text>institutions of
			 higher education and research institutions;</text>
						</subparagraph><subparagraph id="idD801B8B66EE34180942A9936AD03CDDE"><enum>(E)</enum><text>veterans;
			 and</text>
						</subparagraph><subparagraph id="id9E36101B1C514BB19FA12ABBA78B94CC"><enum>(F)</enum><text>other groups or
			 individuals as the Director of the National Science Foundation determines
			 appropriate.</text>
						</subparagraph></paragraph><paragraph id="IDdb8b8544f5b14d57b26f3dca1b7956bd"><enum>(3)</enum><header>Topics</header><text>In
			 selecting topics for competitions and challenges held as part of the program
			 established under paragraph (1), the Director—</text>
						<subparagraph id="idB4250E35AA564FEFA72C6B4F39C178DE"><enum>(A)</enum><text>shall consult
			 widely both within and outside the Federal Government; and</text>
						</subparagraph><subparagraph id="idBBF1B32E971E4C8EA0CA3CF3EC28A39E"><enum>(B)</enum><text>may empanel
			 advisory committees.</text>
						</subparagraph></paragraph><paragraph id="ID1e15db9f9d454d73a5a021543eb7596c"><enum>(4)</enum><header>Internships</header><text>The
			 Director of the Office of Personnel Management shall establish, in coordination
			 with the Director of the National Science Foundation, a program to provide,
			 where appropriate, internships or other work experience in the Federal
			 Government to the winners of the competitions and challenges held as part of
			 the program established under paragraph (1).</text>
					</paragraph></subsection></section><section id="ID8843459fc57a44ceba9b4e24983fa9e0"><enum>404.</enum><header>Federal cyber
			 scholarship-for-service program</header>
				<subsection id="ID2cf51a6a0590402ba466c5bade151969"><enum>(a)</enum><header>In
			 general</header><text>The Director of the National Science Foundation, in
			 coordination with the Secretary, shall establish a Federal Cyber
			 Scholarship-for-Service program to recruit and train the next generation of
			 information technology professionals, industry control system security
			 professionals, and security managers to meet the needs of the cybersecurity
			 mission for the Federal Government and State, local, and tribal
			 governments.</text>
				</subsection><subsection id="ID96be30c9159c421a835251fdeb0a1932"><enum>(b)</enum><header>Program
			 description and components</header><text>The program established under
			 subsection (a) shall—</text>
					<paragraph id="ID8a15b1748aee4456b389c2d33ec0bbc1"><enum>(1)</enum><text>incorporate
			 findings from the assessment and development of the strategy under section
			 405;</text>
					</paragraph><paragraph id="ID22346ebac3a44b6cb953eb3a3b6d196f"><enum>(2)</enum><text>provide not more
			 than 1,000 scholarships per year, to students who are enrolled in a program of
			 study at an institution of higher education leading to a degree or specialized
			 program certification in the cybersecurity field, in an amount that covers each
			 student's tuition and fees at the institution and provides the student with an
			 additional stipend;</text>
					</paragraph><paragraph id="ID2eb9e443013d47b7ad76540c19062577"><enum>(3)</enum><text>require each
			 scholarship recipient, as a condition of receiving a scholarship under the
			 program, to enter into an agreement under which the recipient agrees to work in
			 the cybersecurity mission of a Federal, State, local, or tribal agency for a
			 period equal to the length of the scholarship following receipt of the
			 student's degree if offered employment in that field by a Federal, State,
			 local, or tribal agency;</text>
					</paragraph><paragraph id="IDa242417ac2794232b6e895851d52ca7a"><enum>(4)</enum><text>provide a
			 procedure by which the National Science Foundation or a Federal agency may,
			 consistent with regulations of the Office of Personnel Management, request and
			 fund security clearances for scholarship recipients, including providing for
			 clearances during summer internships and after the recipient receives the
			 degree; and</text>
					</paragraph><paragraph id="ID73266856659e482e9201d45a0150da5a"><enum>(5)</enum><text>provide
			 opportunities for students to receive temporary appointments for meaningful
			 employment in the cybersecurity mission of a Federal agency during school
			 vacation periods and for internships.</text>
					</paragraph></subsection><subsection id="IDadba0c5765094a83901d801396ed02b3"><enum>(c)</enum><header>Hiring
			 authority</header>
					<paragraph id="id6EDE2E46E43547D8906D360D609BD206"><enum>(1)</enum><header>In
			 general</header><text>For purposes of any law or regulation governing the
			 appointment of individuals in the Federal civil service, upon receiving a
			 degree for which an individual received a scholarship under this section, the
			 individual shall be—</text>
						<subparagraph id="id3BCB14C907E8468FA39A3A5A93E338F4"><enum>(A)</enum><text>hired under the
			 authority provided for in section 213.3102(r) of title 5, Code of Federal
			 Regulations; and</text>
						</subparagraph><subparagraph id="id53FC59061C8347F1B003313F9F83A4E3"><enum>(B)</enum><text>exempt from
			 competitive service.</text>
						</subparagraph></paragraph><paragraph id="idAEC7CB4903D2464486500C6F7981FB43"><enum>(2)</enum><header>Competitive
			 service position</header><text>Upon satisfactory fulfillment of the service
			 term of an individual hired under paragraph (1), the individual may be
			 converted to a competitive service position without competition if the
			 individual meets the requirements for that position.</text>
					</paragraph></subsection><subsection id="IDba3b62081b134affb2d6760a0138634d"><enum>(d)</enum><header>Eligibility</header><text>To
			 be eligible to receive a scholarship under this section, an individual
			 shall—</text>
					<paragraph id="IDcad799fa0be3462396a5c4e60147780b"><enum>(1)</enum><text>be a citizen or
			 lawful permanent resident of the United States;</text>
					</paragraph><paragraph id="IDe221614c5f604b82904589cb93e72284"><enum>(2)</enum><text>demonstrate a
			 commitment to a career in improving the security of information infrastructure;
			 and</text>
					</paragraph><paragraph id="ID20fd0ce2cfff4ee59de69fce094513fd"><enum>(3)</enum><text>have demonstrated
			 a high level of proficiency in mathematics, engineering, or computer
			 sciences.</text>
					</paragraph></subsection><subsection commented="no" id="id0DD15613169B4D6EB9FCB68F858ED05B"><enum>(e)</enum><header>Repayment</header><text>If
			 a recipient of a scholarship under this section does not meet the terms of the
			 scholarship program, the recipient shall refund the scholarship payments in
			 accordance with rules established by the Director of the National Science
			 Foundation, in coordination with the Secretary.</text>
				</subsection><subsection id="ID7ed57dd598ce4d658192e2172c621b62"><enum>(f)</enum><header>Evaluation and
			 report</header><text>The Director of the National Science Foundation shall
			 evaluate and report periodically to Congress on the success of recruiting
			 individuals for the scholarships and on hiring and retaining those individuals
			 in the public sector workforce.</text>
				</subsection></section><section id="ID39f44a12e75e48818bb922681689b254"><enum>405.</enum><header>Assessment of
			 cybersecurity Federal workforce</header>
				<subsection id="ID2ef51f40a82741c6b64b06838eae1b6e"><enum>(a)</enum><header>In
			 general</header><text>The Director of the Office of Personnel Management and
			 the Secretary, in coordination with the Director of National Intelligence, the
			 Secretary of Defense, and the Chief Information Officers Council established
			 under section 3603 of title 44, United States Code, shall assess the readiness
			 and capacity of the Federal workforce to meet the needs of the cybersecurity
			 mission of the Federal Government.</text>
				</subsection><subsection id="ID5bcf77d962d54c84b83343a22041bd22"><enum>(b)</enum><header>Strategy</header>
					<paragraph id="ID5d6738e6c32340a59816bf6130d5a158"><enum>(1)</enum><header>In
			 general</header><text>Not later than 180 days after the date of enactment of
			 this Act, the Director of the Office of Personnel Management, in consultation
			 with the Director of the National Center for Cybersecurity and Communications
			 and the Director of the Office of Management and Budget, shall develop a
			 comprehensive workforce strategy that enhances the readiness, capacity,
			 training, and recruitment and retention of cybersecurity personnel of the
			 Federal Government.</text>
					</paragraph><paragraph id="IDb74869beb4ec49b4af6712550ca08de2"><enum>(2)</enum><header>Contents</header><text>The
			 strategy developed under paragraph (1) shall include—</text>
						<subparagraph id="IDbb92e1327a594c8f86dcadd1297bbd75"><enum>(A)</enum><text>a 5-year plan on
			 recruitment of personnel for the Federal workforce; and</text>
						</subparagraph><subparagraph id="ID5f22185a8a9b4c62ba70eaca50ecb7ac"><enum>(B)</enum><text>a 10-year
			 projection of Federal workforce needs.</text>
						</subparagraph></paragraph></subsection><subsection id="ID4ef37a5201ce43d48d42830a3e8fdaea"><enum>(c)</enum><header>Updates</header><text>The
			 Director of the Office of Personnel Management, in consultation with the
			 Director of the National Center for Cybersecurity and Communications and the
			 Director of the Office of Management and Budget, shall update the strategy
			 developed under subsection (b) as needed.</text>
				</subsection></section><section id="ID9331158723ab46b3a429bd52095920d4"><enum>406.</enum><header>Federal
			 cybersecurity occupation classifications</header>
				<subsection id="ID5d8d8edfb6a14f38b01a3e6bfb6331b9"><enum>(a)</enum><header>In
			 general</header><text>Not later than 1 year after the date of enactment of this
			 Act, the Director of the Office of Personnel Management, in coordination with
			 the Director of the National Center for Cybersecurity and Communications, shall
			 develop and issue comprehensive occupation classifications for Federal
			 employees engaged in cybersecurity missions.</text>
				</subsection><subsection id="ID7fd00451991344dd90918efc7f26a54e"><enum>(b)</enum><header>Applicability
			 of classifications</header><text>The Director of the Office of Personnel
			 Management shall ensure that the comprehensive occupation classifications
			 issued under subsection (a) may be used throughout the Federal
			 Government.</text>
				</subsection></section><section id="ID1d3b542c748c4c3e988d293e2aba0f61"><enum>407.</enum><header>Training and
			 education</header>
				<subsection id="ID8f5cde339dfb4aa8bad100dffb7f89d7"><enum>(a)</enum><header>Definition</header><text>In
			 this section, the term <term>agency information infrastructure</term> means the
			 Federal information infrastructure of a Federal agency.</text>
				</subsection><subsection id="idC9A4A90B586649B9908C03D02D5B4FB4"><enum>(b)</enum><header>Training</header>
					<paragraph id="ID1dbc65e17ecb474b949619d5cbda0fd7"><enum>(1)</enum><header>Federal
			 government employees and federal contractors</header><text>The Director of the
			 Office of Personnel Management, in coordination with the Secretary, the
			 Director of National Intelligence, the Secretary of Defense, and the Chief
			 Information Officers Council established under section 3603 of title 44, United
			 States Code, shall establish a cybersecurity awareness and education curriculum
			 that shall be required for all Federal employees and contractors engaged in the
			 design, development, or operation of an agency information infrastructure or
			 the Federal information infrastructure.</text>
					</paragraph><paragraph id="ID39b23111861142a284f2062f9249f2ec"><enum>(2)</enum><header>Contents</header><text>The
			 curriculum established under paragraph (1) shall include, at a minimum—</text>
						<subparagraph id="ID2abddb265d6e44f49f05a2652d944fc9"><enum>(A)</enum><text>role-based
			 security awareness training;</text>
						</subparagraph><subparagraph id="IDe6647bdcc2fa48cebfb3c9c3dd475c63"><enum>(B)</enum><text>recommended
			 cybersecurity practices;</text>
						</subparagraph><subparagraph id="ID445d6e0495584a648542ac65dd45cd1b"><enum>(C)</enum><text>cybersecurity
			 recommendations for traveling abroad;</text>
						</subparagraph><subparagraph id="ID0f5048a4ce724c2d85c7e9619bcfd2f9"><enum>(D)</enum><text>unclassified
			 counterintelligence information;</text>
						</subparagraph><subparagraph id="IDf6a2b2d5182e4bc3bb09915c168a90c8"><enum>(E)</enum><text>information
			 regarding industrial espionage;</text>
						</subparagraph><subparagraph id="ID979ce1c4ac0f4147a8298bff9f68cc4d"><enum>(F)</enum><text>information
			 regarding malicious activity online;</text>
						</subparagraph><subparagraph id="ID9b675ab3dab844feaf3b305338f342d7"><enum>(G)</enum><text>information
			 regarding cybersecurity and law enforcement;</text>
						</subparagraph><subparagraph id="ID7f24940890284c16a0af38d7e71c66fe"><enum>(H)</enum><text>identity
			 management information;</text>
						</subparagraph><subparagraph id="ID4e44280d1b8c4634a0d85b6e915886ea"><enum>(I)</enum><text>information
			 regarding supply chain security;</text>
						</subparagraph><subparagraph id="IDdaf8add576ae46fcbb15efb87cdf55ac"><enum>(J)</enum><text>information
			 security risks associated with the activities of Federal employees and
			 contractors; and</text>
						</subparagraph><subparagraph id="ID89d22cb948c54db5a90d868d25929285"><enum>(K)</enum><text>the
			 responsibilities of Federal employees and contractors in complying with
			 policies and procedures designed to reduce information security risks
			 identified under subparagraph (J).</text>
						</subparagraph></paragraph><paragraph id="ID7d95ea6212f040b69f7b2ffd0f7e72cd"><enum>(3)</enum><header>Federal
			 cybersecurity professionals</header><text>The Director of the Office of
			 Personnel Management, in conjunction with the Secretary, the Director of
			 National Intelligence, the Secretary of Defense, the Director of the Office of
			 Management and Budget, and, as appropriate, colleges, universities, and
			 nonprofit organizations with cybersecurity training expertise, shall develop a
			 program to provide training to improve and enhance the skills and capabilities
			 of Federal employees engaged in the cybersecurity mission, including training
			 specific to the acquisition workforce.</text>
					</paragraph><paragraph id="ID56b508f56bec4306a509621230dcb40d"><enum>(4)</enum><header>Heads of
			 Federal agencies</header><text>Not later than 30 days after the date on which
			 an individual is appointed to a position at level I or II of the Executive
			 Schedule, the Secretary and the Director of National Intelligence shall provide
			 that individual with a cybersecurity threat briefing.</text>
					</paragraph><paragraph id="ID5e33edefb9b54c66b774bf6a681e943b"><enum>(5)</enum><header>Certification</header><text>The
			 head of each Federal agency shall include in the annual report required under
			 section 3554(c) of title 44, United States Code, as amended by this Act, a
			 certification regarding whether all employees and contractors of the Federal
			 agency have completed the training required under this subsection.</text>
					</paragraph></subsection><subsection id="IDae9c4f85483c4bebb55a133634bc72c2"><enum>(c)</enum><header>Education</header>
					<paragraph id="ID0c3b2e6ccac64b95853fb612a7b0685d"><enum>(1)</enum><header>Federal
			 employees</header><text>The Director of the Office of Personnel Management, in
			 coordination with the Secretary of Education, the Director of the National
			 Science Foundation, and the Director of the National Center for Cybersecurity
			 and Communications, shall develop and implement a strategy to provide Federal
			 employees who work in cybersecurity missions with the opportunity to obtain
			 additional education.</text>
					</paragraph><paragraph id="ID5ed47afd5b874bd5ae7ae9fc9b98b0a2"><enum>(2)</enum><header>K through 12
			 education</header><text>The Secretary of Education, in coordination with the
			 Director of the National Center for Cybersecurity and Communications and State
			 and local governments, shall develop model curriculum standards, guidelines,
			 and recommended courses to address cyber safety, cybersecurity, and cyber
			 ethics for students in kindergarten through grade 12.</text>
					</paragraph><paragraph id="IDc979471041a148df893f3647574f4e2b"><enum>(3)</enum><header>Institutions of
			 higher education and career and technical institutions</header>
						<subparagraph id="IDb44d436298c240ed977c8d161955e290"><enum>(A)</enum><header>Secretary of
			 education</header><text>The Secretary of Education, in coordination with the
			 Secretary, and after consultation with appropriate private entities,
			 shall—</text>
							<clause id="IDad56ee5985c94767b2b3961a0aa78ae7"><enum>(i)</enum><text>develop model
			 curriculum standards and guidelines to address cyber safety, cybersecurity, and
			 cyber ethics for all students enrolled in institutions of higher education, and
			 all students enrolled in career and technical institutions, in the United
			 States; and</text>
							</clause><clause id="IDb741992e1a2942faa1b8a64f076f1afc"><enum>(ii)</enum><text>analyze and
			 develop recommended courses for students interested in pursuing careers in
			 information technology, communications, computer science, engineering,
			 mathematics, and science, as those subjects relate to cybersecurity.</text>
							</clause></subparagraph><subparagraph id="ID275de5d16cbd48a09c90fac47fb0be83"><enum>(B)</enum><header>Office of
			 personnel management</header><text>The Director of the Office of Personnel
			 Management, in coordination with the Director of the National Center for
			 Cybersecurity and Communications, shall develop strategies and programs—</text>
							<clause id="IDd57d686062614422914eaf1484c0b293"><enum>(i)</enum><text>to
			 recruit students enrolled in institutions of higher education, and students
			 enrolled in career and technical institutions in the United States to serve as
			 Federal employees engaged in cybersecurity missions; and</text>
							</clause><clause id="ID32b48d57f0dc4c759759cbb405e773d4"><enum>(ii)</enum><text>that provide
			 internship and part-time work opportunities with the Federal Government for
			 students enrolled in institutions of higher education and career and technical
			 institutions in the United States.</text>
							</clause></subparagraph></paragraph></subsection></section><section id="IDc7e79c42d8cc4adfa63b0d24b52299b3"><enum>408.</enum><header>Cybersecurity
			 incentives</header><text display-inline="no-display-inline">The head of each
			 Federal agency shall adopt best practices, developed by the Office of Personnel
			 Management, regarding effective ways to educate and motivate employees of the
			 Federal Government to demonstrate leadership in cybersecurity,
			 including—</text>
				<paragraph id="idDDA9434D75B64550B1F194CCC9E4B731"><enum>(1)</enum><text>promotions and
			 other nonmonetary awards; and</text>
				</paragraph><paragraph commented="no" display-inline="no-display-inline" id="id2B892DBE034F4CFF887E7A3EC24B729C"><enum>(2)</enum><text>publicizing
			 information sharing accomplishments by individual employees and, if
			 appropriate, the tangible benefits that resulted.</text>
				</paragraph></section></title><title id="id87996E1984DB40A9B86A96AA73649E97"><enum>V</enum><header>Research and
			 development</header>
			<section id="idEEC57A3DCAF148769074670062EBE0B9"><enum>501.</enum><header>Federal
			 cybersecurity research and development</header>
				<subsection id="id8E726D8005E34FB1A59C9F6320DD1FAE"><enum>(a)</enum><header>Fundamental
			 cybersecurity research</header><text>The Director of the Office of Science and
			 Technology Policy (referred to in this section as the <term>Director</term>),
			 in coordination with the Secretary and the head of any relevant Federal agency,
			 shall develop a national cybersecurity research and development plan.</text>
				</subsection><subsection id="id6F6D304833C844F9910129B4B67EC392"><enum>(b)</enum><header>Requirements</header><text>The
			 plan required to be developed under subsection (a) shall encourage computer and
			 information science and engineering research to meet challenges in
			 cybersecurity, including—</text>
					<paragraph id="ID843ab44af9de4c5fb9e7e0187a75ab76"><enum>(1)</enum><text>how to design and
			 build complex software-intensive systems that are secure and reliable when
			 first deployed;</text>
					</paragraph><paragraph id="ID5f9e5f09980d42d892bf42377858bd42"><enum>(2)</enum><text>how to test and
			 verify that software, whether developed locally or obtained from a third party,
			 is free of significant known security flaws;</text>
					</paragraph><paragraph id="ID4915495f8d30404b99cbd4e82b9831f4"><enum>(3)</enum><text>how to test and
			 verify that software obtained from a third party correctly implements stated
			 functionality, and only that functionality;</text>
					</paragraph><paragraph id="ID78135b5875ad4f3b90a11ddccb35a54b"><enum>(4)</enum><text>how to guarantee
			 the privacy of the identity, information, or lawful transactions of an
			 individual when stored in distributed systems or transmitted over
			 networks;</text>
					</paragraph><paragraph id="ID64b95672d7b44c29a822b5d2ad3e80e9"><enum>(5)</enum><text>how to build new
			 protocols to enable the Internet to have robust security as one of the key
			 capabilities of the Internet;</text>
					</paragraph><paragraph id="ID05a3bb88e94f4d948d0d2c39bc53f540"><enum>(6)</enum><text>how to determine
			 the origin of a message transmitted over the Internet;</text>
					</paragraph><paragraph id="IDb578e3fad7944fc9b067148562fc9743"><enum>(7)</enum><text>how to support
			 privacy in conjunction with improved security;</text>
					</paragraph><paragraph id="ID59512de672f84d1491d59a068d03ad3f"><enum>(8)</enum><text>how to address
			 the growing problem of insider threat; and</text>
					</paragraph><paragraph id="IDce5b53be6f5c4c0a99ff12612e927bcd"><enum>(9)</enum><text>how improved
			 consumer education and digital literacy initiatives can address human factors
			 that contribute to cybersecurity.</text>
					</paragraph></subsection><subsection id="ID3b790cf724fc490995f4bb4d2830b671"><enum>(c)</enum><header>Secure coding
			 research</header><text>The Director shall support research—</text>
					<paragraph id="id9611C458828F4081B1BA97E83C6AE700"><enum>(1)</enum><text>that evaluates
			 selected secure coding education and improvement programs; and</text>
					</paragraph><paragraph id="id494E132E3C744293893384999D63F014"><enum>(2)</enum><text>of new methods of
			 integrating secure coding improvement into the core curriculum of computer
			 science programs and of other programs where graduates of such programs have a
			 substantial probability of developing software after graduation.</text>
					</paragraph></subsection><subsection id="ID31ca80805f214e26b3842371e9c5ca45"><enum>(d)</enum><header>Assessment of
			 secure coding education in colleges and universities</header>
					<paragraph id="id47C1A44EC1884D1F9A27DA4093CDA5C6"><enum>(1)</enum><header>Report</header><text>Not
			 later than 1 year after the date of enactment of this Act, the Director shall
			 submit to the Committee on Commerce, Science, and Transportation of the Senate
			 and the Committee on Science and Technology of the House of Representatives a
			 report on the state of secure coding education in institutions of higher
			 education of the United States for each institution that received National
			 Science Foundation funding in excess of $1,000,000 during fiscal year
			 2011.</text>
					</paragraph><paragraph id="idF2D4EE8E5BA84B80872DF9A9014ED02C"><enum>(2)</enum><header>Contents of
			 report</header><text>The report required under paragraph (1) shall
			 include—</text>
						<subparagraph id="IDb295e875377646c78fbb087b016589a7"><enum>(A)</enum><text>the number of
			 students who earned baccalaureate degrees in computer science or in each other
			 program where graduates have a substantial probability of being engaged in
			 software design or development after graduation;</text>
						</subparagraph><subparagraph id="ID24356f72018c4baba58100ec4bfe969b"><enum>(B)</enum><text>the percentage of
			 the students described in subparagraph (A) who completed substantive secure
			 coding education or improvement programs during their undergraduate experience;
			 and</text>
						</subparagraph><subparagraph id="ID4d17cb2e70c64c3ab48531f3f3ab1657"><enum>(C)</enum><text>descriptions of
			 the length and content of the education and improvement programs and an
			 evaluation of the effectiveness of those programs based on the students' scores
			 on standard tests of secure coding and design skills.</text>
						</subparagraph></paragraph></subsection><subsection id="ID111014632884401b90b27262b4f217f4"><enum>(e)</enum><header>Cybersecurity
			 modeling and test beds</header>
					<paragraph id="idF16463A906D745F5A4771FECB1AFD341"><enum>(1)</enum><header>Review</header><text>Not
			 later than 1 year after the date of enactment of this Act, the Director shall
			 conduct a review of cybersecurity test beds in existence on the date of
			 enactment of this Act.</text>
					</paragraph><paragraph id="id87C9A62267A7440CAEBBDC0FA14A5541"><enum>(2)</enum><header>Establishment
			 of program</header>
						<subparagraph id="idE2096F3058D3432187F37D40E8FDE671"><enum>(A)</enum><header>In
			 general</header><text>Based on the results of the review conducted under
			 paragraph (1), the Director shall establish a program to award grants to
			 institutions of higher education to establish cybersecurity test beds capable
			 of realistic modeling of real-time cyber attacks and defenses.</text>
						</subparagraph><subparagraph id="idBC0DBA45C5464C19980C15797FB502E7"><enum>(B)</enum><header>Requirement</header><text>The
			 test beds established under subparagraph (A) shall be sufficiently large in
			 order to model the scale and complexity of real world networks and
			 environments.</text>
						</subparagraph></paragraph><paragraph id="id9F535A40932A4F72A9ECC2F8CA99F71F"><enum>(3)</enum><header>Purpose</header><text>The
			 purpose of the program established under paragraph (2) shall be to support the
			 rapid development of new cybersecurity defenses, techniques, and processes by
			 improving understanding and assessing the latest technologies in a real-world
			 environment.</text>
					</paragraph></subsection><subsection id="ID2a252ee596b241d28da1fc448b50d100"><enum>(f)</enum><header>Coordination
			 with other research initiatives</header><text>The Director shall—</text>
					<paragraph id="IDacb9b25317de43259319cd9d60ce7db2"><enum>(1)</enum><text>ensure that the
			 research and development program carried out under this section is consistent
			 with any strategy to increase the security and resilience of cyberspace;
			 and</text>
					</paragraph><paragraph id="IDe71558b8f8e74318b816d4de9e33cd3c"><enum>(2)</enum><text>to the extent
			 practicable, coordinate research and development activities with other ongoing
			 research and development security-related initiatives, including research being
			 conducted by—</text>
						<subparagraph id="ID89363ac10de847e88cd2a13b2e81f9d8"><enum>(A)</enum><text>the National
			 Institute of Standards and Technology;</text>
						</subparagraph><subparagraph id="IDbe9c4106b79d4eaab645857a7232ed6a"><enum>(B)</enum><text>the
			 Department;</text>
						</subparagraph><subparagraph id="IDe62af3bf478b4944a4c0edc0176d29b6"><enum>(C)</enum><text>the National
			 Academy of Sciences;</text>
						</subparagraph><subparagraph id="IDb63fe4e1bbbb4de48cb80017ae41c72b"><enum>(D)</enum><text>other Federal
			 agencies;</text>
						</subparagraph><subparagraph id="ID135321f5529d4d418236dbbd1066b803"><enum>(E)</enum><text>other Federal and
			 private research laboratories, research entities, and universities and
			 institutions of higher education, and relevant nonprofit organizations;
			 and</text>
						</subparagraph><subparagraph id="ID646ca2fce56e40aea7035850a72a9409"><enum>(F)</enum><text>international
			 partners of the United States.</text>
						</subparagraph></paragraph></subsection><subsection id="ID21471d798bf44173833d85f48ae07834"><enum>(g)</enum><header>NSF computer
			 and network security research grant areas</header><text>Section 4(a)(1) of the
			 Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1)) is
			 amended—</text>
					<paragraph id="IDc6fd9817701f4c1f9d51727cfb8053ca"><enum>(1)</enum><text>in subparagraph
			 (H), by striking <quote>and</quote> at the end;</text>
					</paragraph><paragraph id="ID985bd282064748d7a3c5cdf66258eee7"><enum>(2)</enum><text>in subparagraph
			 (I), by striking the period at the end and inserting a semicolon; and</text>
					</paragraph><paragraph id="ID89b226f5f32d40138afe9aa5745e2d7a"><enum>(3)</enum><text>by adding at the
			 end the following:</text>
						<quoted-block display-inline="no-display-inline" id="id9C20512255B9457595CB3CD45EAAC8CE" style="OLC">
							<subparagraph id="IDa2e059fb527c486eb9b9dae7a1a90eaf"><enum>(J)</enum><text>secure
				fundamental protocols that are at the heart of inter-network communications and
				data exchange;</text>
							</subparagraph><subparagraph id="IDf82b8e4d3ba841559f73aa2a2246d5d0"><enum>(K)</enum><text>secure software
				engineering and software assurance, including—</text>
								<clause id="IDec3d95622afb4c20880522ee5fa1ad2f"><enum>(i)</enum><text>programming
				languages and systems that include fundamental security features;</text>
								</clause><clause id="IDcb64a00630ab4eb5aad3fc2e32166791"><enum>(ii)</enum><text>portable or
				reusable code that remains secure when deployed in various environments;</text>
								</clause><clause id="ID860ad74b696940a182a32e391839c9fb"><enum>(iii)</enum><text>verification
				and validation technologies to ensure that requirements and specifications have
				been implemented; and</text>
								</clause><clause id="IDef348faa010241ca9a6f5c0c14e51bc5"><enum>(iv)</enum><text>models for
				comparison and metrics to assure that required standards have been met;</text>
								</clause></subparagraph><subparagraph id="IDae628e651a3748a3aa0dcd1686b7034e"><enum>(L)</enum><text>holistic system
				security that—</text>
								<clause id="ID43ac629532354dc0a57e6eb86f555468"><enum>(i)</enum><text>addresses the
				building of secure systems from trusted and untrusted components;</text>
								</clause><clause id="IDb2d2b9c5af32485287ff87f7a6ce7865"><enum>(ii)</enum><text>proactively
				reduces vulnerabilities;</text>
								</clause><clause id="IDcb20818837364e9c83828535d9d864dd"><enum>(iii)</enum><text>addresses
				insider threats; and</text>
								</clause><clause id="IDed6db707368946a0946ab39d626f9467"><enum>(iv)</enum><text>supports privacy
				in conjunction with improved security;</text>
								</clause></subparagraph><subparagraph id="ID0b7f68da7d094c8b9c50dba29869ed7a"><enum>(M)</enum><text>monitoring and
				detection; and</text>
							</subparagraph><subparagraph id="ID06ab930278ca4cb4ba0af4c04d6c746e"><enum>(N)</enum><text>mitigation and
				rapid recovery
				methods.</text>
							</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
					</paragraph></subsection><subsection id="ID6b7af1138eb74e479a645d761a43ea0b"><enum>(h)</enum><header>Cybersecurity
			 faculty development traineeship program</header><text>Section 5(e)(9) of the
			 Cyber Security Research and Development Act (15 U.S.C. 7404(e)(9)) is amended
			 by striking <quote>2003 through 2007</quote> and inserting <quote>2012 through
			 2014</quote>.</text>
				</subsection><subsection id="ID6557a9a487f74628b219d328d408074a"><enum>(i)</enum><header>Networking and
			 information technology research and development program</header><text>Section
			 204(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5524(a)(1))
			 is amended—</text>
					<paragraph id="IDec37c3d7065e4d1e8a1a5ddedf958bb6"><enum>(1)</enum><text>in subparagraph
			 (B), by striking <quote>and</quote> at the end; and</text>
					</paragraph><paragraph id="ID59129442e3584e68902d392578950de2"><enum>(2)</enum><text>by adding at the
			 end the following:</text>
						<quoted-block display-inline="no-display-inline" id="idC9B74A3E005B42BE83322261D8438826" style="OLC">
							<subparagraph id="ID198979cd7156497fa498c1f37cf048e9"><enum>(D)</enum><text>develop and
				propose standards and guidelines, and develop measurement techniques and test
				methods, for enhanced cybersecurity for computer networks and common user
				interfaces to systems;
				and</text>
							</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
					</paragraph></subsection></section><section id="ID9ee2fd4672574299b51e684815da9286"><enum>502.</enum><header>Homeland
			 security cybersecurity research and development</header><text display-inline="no-display-inline">Subtitle D of title II of the Homeland
			 Security Act of 2002 (6 U.S.C. 161 et seq.) is amended by adding at the end the
			 following:</text>
				<quoted-block display-inline="no-display-inline" id="idC0646C9A5116486DA01B04C7E1BB0AB4" style="OLC">
					<section id="id69A4E6C6685B4B87BC4E8F6731B5B24A"><enum>238.</enum><header>Cybersecurity
				research and development</header>
						<subsection id="ID5c8a737a423d4d9e87543c88555ef8ef"><enum>(a)</enum><header>Establishment
				of research and development program</header><text>The Under Secretary for
				Science and Technology, in coordination with the Director of the National
				Center for Cybersecurity and Communications, shall carry out a research and
				development program for the purpose of improving the security of information
				infrastructure.</text>
						</subsection><subsection id="ID9b7b21bf678e4f32b23c9147c107ba96"><enum>(b)</enum><header>Eligible
				projects</header><text>The research and development program carried out under
				subsection (a) may include projects to—</text>
							<paragraph id="ID80efa595661b47edaf7fddec4d487910"><enum>(1)</enum><text>advance the
				development and accelerate the deployment of more secure versions of
				fundamental Internet protocols and architectures, including for the secure
				domain name addressing system and routing security;</text>
							</paragraph><paragraph id="ID95418540365749d7a4bf838fcb6c96b4"><enum>(2)</enum><text>improve and
				create technologies for detecting and analyzing attacks or intrusions,
				including analysis of malicious software;</text>
							</paragraph><paragraph id="IDbfc44b3ff7934f1d93c034bde334583c"><enum>(3)</enum><text>improve and
				create mitigation and recovery methodologies, including techniques for
				containment of attacks and development of resilient networks and
				systems;</text>
							</paragraph><paragraph id="ID00bd44138a8744c7869c51a76cb24b8b"><enum>(4)</enum><text>develop and
				support infrastructure and tools to support cybersecurity research and
				development efforts, including modeling, test beds, and data sets for
				assessment of new cybersecurity technologies;</text>
							</paragraph><paragraph id="IDa52ef082a01b499eadfb362e19365281"><enum>(5)</enum><text>assist the
				development and support of technologies to reduce vulnerabilities in process
				control systems;</text>
							</paragraph><paragraph id="ID8e4edd20301542a29ba7fad8b7fe0419"><enum>(6)</enum><text>understand human
				behavioral factors that can affect cybersecurity technology and
				practices;</text>
							</paragraph><paragraph id="IDcb415d2977794b069c2c5f93c72a9590"><enum>(7)</enum><text>test, evaluate,
				and facilitate, with appropriate protections for any proprietary information
				concerning the technologies, the transfer of technologies associated with the
				engineering of less vulnerable software and securing the information technology
				software development lifecycle;</text>
							</paragraph><paragraph id="ID136fb2eadf4d4720bbf63cf0f16748de"><enum>(8)</enum><text>assist the
				development of identity management and attribution technologies;</text>
							</paragraph><paragraph id="ID5f48f66c4cf243999f2ed2eab8a84f8b"><enum>(9)</enum><text>assist the
				development of technologies designed to increase the security and resiliency of
				telecommunications networks;</text>
							</paragraph><paragraph id="ID84e91df64d9f42a49c3fdc8e62dd05d8"><enum>(10)</enum><text>advance the
				protection of privacy and civil liberties in cybersecurity technology and
				practices; and</text>
							</paragraph><paragraph id="IDc9f955f3d8224bf4a4828b04aacd3ccd"><enum>(11)</enum><text>address other
				risks identified by the Director of the National Center for Cybersecurity and
				Communications.</text>
							</paragraph></subsection><subsection id="ID993a574bebc546ba955a8ce617f8fa75"><enum>(c)</enum><header>Coordination
				with other research initiatives</header><text>The Under Secretary for Science
				and Technology—</text>
							<paragraph id="IDa7b61a65ed3e494c8ca4eedf9a3bb955"><enum>(1)</enum><text>shall ensure that
				the research and development program carried out under subsection (a) is
				consistent with any strategy to increase the security and resilience of
				cyberspace;</text>
							</paragraph><paragraph id="ID126dced0c7a84f83952204ecb45124b3"><enum>(2)</enum><text>shall, to the
				extent practicable, coordinate the research and development activities of the
				Department with other ongoing research and development security-related
				initiatives, including research being conducted by—</text>
								<subparagraph id="IDe322d49094714067a9cf1fa581240e6e"><enum>(A)</enum><text>the National
				Institute of Standards and Technology;</text>
								</subparagraph><subparagraph id="IDe1784f45e6704976aa39c3e2844d42b3"><enum>(B)</enum><text>the National
				Science Foundation;</text>
								</subparagraph><subparagraph id="IDb86ec1ac875a4a4b9272900d1c14a1e9"><enum>(C)</enum><text>the National
				Academy of Sciences;</text>
								</subparagraph><subparagraph id="ID11a8b2b792e544259421d3755a47949b"><enum>(D)</enum><text>other Federal
				agencies;</text>
								</subparagraph><subparagraph id="IDc245d777197f41328ddf3a478e3c18a7"><enum>(E)</enum><text>other Federal and
				private research laboratories, research entities, and universities and
				institutions of higher education, and relevant nonprofit organizations;
				and</text>
								</subparagraph><subparagraph id="ID718622795bff4984914f6aff4bd2d955"><enum>(F)</enum><text>international
				partners of the United States;</text>
								</subparagraph></paragraph><paragraph id="ID400c1546660646039a1ce525916b42c6"><enum>(3)</enum><text>shall carry out
				any research and development project under subsection (a) through a
				reimbursable agreement with an appropriate Federal agency, if the Federal
				agency—</text>
								<subparagraph id="IDcdc60cc8ad6f4a009024044c843ecccd"><enum>(A)</enum><text>is sponsoring a
				research and development project in a similar area; or</text>
								</subparagraph><subparagraph id="ID2e3a8339c8314b8db863ba68212928c6"><enum>(B)</enum><text>has a unique
				facility or capability that would be useful in carrying out the project;</text>
								</subparagraph></paragraph><paragraph id="IDb6379368aad94813a556bd6a1756eca8"><enum>(4)</enum><text>may make grants
				to, or enter into cooperative agreements, contracts, other transactions, or
				reimbursable agreements with, the entities described in paragraph (2);
				and</text>
							</paragraph><paragraph id="ID61759d7788014965b4756b128e12714d"><enum>(5)</enum><text>shall submit a
				report to the appropriate committees of Congress on a review of the
				cybersecurity activities, and the capacity, of the national laboratories and
				other research entities available to the Department to determine if the
				establishment of a national laboratory dedicated to cybersecurity research and
				development is
				necessary.</text>
							</paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block>
			</section></title><title id="id7694758327444028A1C1A12404E619ED"><enum>VI</enum><header>Federal
			 acquisition risk management strategy</header>
			<section id="IDa6fe930650cb41c7a95bfae9aae079a0"><enum>601.</enum><header>Federal
			 acquisition risk management strategy</header>
				<subsection id="IDbb6fe11a07954b81962dcaae0cf6c41e"><enum>(a)</enum><header>In
			 general</header><text>The Secretary, in coordination with relevant private
			 sector and academic experts and each Federal entity described in paragraphs (1)
			 through (9) of subsection (b), shall develop and periodically update an
			 acquisition risk management strategy designed to ensure, based on mission
			 criticality and cost effectiveness, the security of the Federal information
			 infrastructure.</text>
				</subsection><subsection id="IDd522db4f0eb0403fb73f41a33cc25a24"><enum>(b)</enum><header>Coordination</header><text>In
			 developing the acquisition risk management strategy required under subsection
			 (a), the Secretary shall coordinate with—</text>
					<paragraph id="id32ED2161741246E083418C8615EF938B"><enum>(1)</enum><text>the Secretary of
			 Defense;</text>
					</paragraph><paragraph id="idCCE057E3268941059299C50C23763EF6"><enum>(2)</enum><text>the Secretary of
			 Commerce;</text>
					</paragraph><paragraph id="idB169F25D006344E286104478DE8F3F18"><enum>(3)</enum><text>the Secretary of
			 State;</text>
					</paragraph><paragraph id="idA92232FD1DB847288D56CF038E0B4F0F"><enum>(4)</enum><text>the Director of
			 National Intelligence;</text>
					</paragraph><paragraph id="idC3FDCDC8D28942A98BD74B2FFC85D80C"><enum>(5)</enum><text>the Administrator
			 of General Services;</text>
					</paragraph><paragraph id="idB88906C17D8642FDA42663DFCD9E8D1D"><enum>(6)</enum><text>the Administrator
			 for Federal Procurement Policy;</text>
					</paragraph><paragraph id="id1518E37DC8434AA481E037D86784337C"><enum>(7)</enum><text>the members of
			 the Chief Information Officers Council established under section 3603 of title
			 44, United States Code;</text>
					</paragraph><paragraph id="id703840DB62EB4F53B96887246DD3CCC7"><enum>(8)</enum><text>the Chief
			 Acquisition Officers Council established under section 1311 of title 41, United
			 States Code; and</text>
					</paragraph><paragraph id="id48A3895E0E2F44C1999991A73EBD4836"><enum>(9)</enum><text>the Chief
			 Financial Officers Council established under section 302 of the Chief Financial
			 Officers Act of 1990 (31 U.S.C. 901 note).</text>
					</paragraph></subsection><subsection id="IDcc0c8d21d1a5487698492e16b309a9b1"><enum>(c)</enum><header>Elements</header><text>The
			 risk management strategy developed under subsection (a) shall—</text>
					<paragraph id="idF7A97705DD984CBC9B3ADCD6745029D6"><enum>(1)</enum><text>address risks in
			 the acquisition of any part of the Federal information infrastructure;
			 and</text>
					</paragraph><paragraph id="id407D1060252B4B63B1A5B60204C1F3E3"><enum>(2)</enum><text>include
			 developing processes that—</text>
						<subparagraph id="ID6efed1c652c74bfc826fb4a9f420824e"><enum>(A)</enum><text>incorporate
			 all-source intelligence analysis into assessments of the integrity of the
			 supply chain for the Federal information infrastructure;</text>
						</subparagraph><subparagraph id="ID6eac3d96ed0a49419021bf793b6e5702"><enum>(B)</enum><text>incorporate
			 internationally recognized standards, guidelines, and best practices, including
			 those developed by the private sector, for supply chain integrity;</text>
						</subparagraph><subparagraph id="ID7817d53df5a14540ae966b335230f7a7"><enum>(C)</enum><text>enhance
			 capabilities to test and evaluate software and hardware within or for use in
			 the Federal information infrastructure, and, where appropriate, make the
			 capabilities available for use by the private sector;</text>
						</subparagraph><subparagraph id="IDf50a5441c24947e29be6909e3293730b"><enum>(D)</enum><text>protect the
			 intellectual property and trade secrets of suppliers of information and
			 communications technology products and services;</text>
						</subparagraph><subparagraph id="ID5ce6f7483d4b462ebaa904ddfa8fcff1"><enum>(E)</enum><text>share with the
			 private sector, to the fullest extent possible, the risks identified in the
			 supply chain and work with the private sector to mitigate those threats as
			 identified;</text>
						</subparagraph><subparagraph id="IDdd0eb69ae1b14c39b2162cb2a89dfab5"><enum>(F)</enum><text>identify specific
			 acquisition practices of Federal agencies that increase risks to the supply
			 chain and develop a process to provide recommendations for revisions to those
			 processes; and</text>
						</subparagraph><subparagraph id="ID5c36209747af4b2aa434c92df53e8c31"><enum>(G)</enum><text>to the maximum
			 extent practicable, promote the ability of Federal agencies to procure
			 authentic commercial off-the-shelf information and communications technology
			 products and services from a diverse pool of suppliers, consistent with the
			 preferences for the acquisition of commercial items under section 2377 of title
			 10, United States Code, and section 3307 of title 41, United States
			 Code.</text>
						</subparagraph></paragraph></subsection></section><section id="ID2174a7c4b179421490defd3b4352ce5b"><enum>602.</enum><header>Amendments to
			 Clinger-Cohen provisions to enhance agency planning for information security
			 needs</header><text display-inline="no-display-inline">Chapter 113 of title 40,
			 United States Code, is amended—</text>
				<paragraph id="ID66eb54361c2e4fe18b6cf175542fe08c"><enum>(1)</enum><text>in section
			 11302—</text>
					<subparagraph id="id2D5AE9569A9F44C8A9507BE3FDA21C3B"><enum>(A)</enum><text>in subsection
			 (f), by striking <quote>technology.</quote> and inserting <quote>technology,
			 including information technology or network information security
			 requirements.</quote>;</text>
					</subparagraph><subparagraph id="ID2da6711797594b15958e5bbac9b94f89"><enum>(B)</enum><text>in subsection
			 (i)—</text>
						<clause id="id891D3023C5ED41EBAE22313988DECC18"><enum>(i)</enum><text>by
			 inserting <quote>, including information security requirements,</quote> after
			 <quote>information resources management</quote>; and</text>
						</clause><clause id="id067B1F4833914DD697A0417EC177768E"><enum>(ii)</enum><text>by
			 adding at the end the following: <quote>The Administrator for Federal
			 Procurement Policy, in coordination with the Chief Information Officers Council
			 and the Federal Acquisition Institute, shall ensure that contracting officers
			 and the individuals preparing descriptions of the Government requirements and
			 statements of work have adequate training in information security requirements,
			 including in information technology security contracts.</quote>;</text>
						</clause></subparagraph><subparagraph commented="no" id="id23675DAE563646169654313FF147D938"><enum>(C)</enum><text>in subsection
			 (j), by adding at the end the following: <quote>The Director shall review and
			 report on possible impediments in the acquisition process or elsewhere that are
			 acting to slow agency uptake of the newest, most secure technologies.</quote>;
			 and</text>
					</subparagraph><subparagraph commented="no" id="idFE3865D63DAD48568AF130BA052097F7"><enum>(D)</enum><text>by adding at the
			 end the following:</text>
						<quoted-block display-inline="no-display-inline" id="id93C9A5DA07BB418E9FD02BDF3761A597" style="OLC">
							<subsection id="ID25d8901d6fba4b089161aa3a2891d8cc"><enum>(l)</enum><header>Multiple award
				schedule for information security</header><text>The Administrator of General
				Services shall develop a special item number under Schedule 70 for information
				security products and services and consolidate those products and services
				under that special item number to promote acquisition.</text>
							</subsection><subsection id="ID15ef654932e7467284882782f502711b"><enum>(m)</enum><header>Reducing the
				use of counterfeit products</header><text>Not later than 180 days after the
				date of enactment of the <short-title>Cybersecurity Act of
				2012</short-title>, the Director shall issue guidance requiring, to the extent
				practicable, Federal agencies to purchase information technology products only
				through the authorized channels or distributors of a
				supplier.</text>
							</subsection><after-quoted-block>;
				and</after-quoted-block></quoted-block>
					</subparagraph></paragraph><paragraph id="ID7bd28bb4a9014e45be5265056c286052"><enum>(2)</enum><text>in section
			 11312(b)(3), by inserting <quote>, information security improvement,</quote>
			 after <quote>risk-adjusted return on investment</quote>.</text>
				</paragraph></section></title><title id="id77C74B7831514519B4477C9A5B8EBA7D"><enum>VII</enum><header>Information
			 Sharing</header>
			<section id="idA0A27571D229485BA78B38FEE76E032F"><enum>701.</enum><header>Affirmative
			 authority to monitor and defend against cybersecurity threats</header><text display-inline="no-display-inline">Notwithstanding chapter 119, 121, or 206 of
			 title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978
			 (50 U.S.C. 1801 et seq.), and the Communications Act of 1934 (47 U.S.C. 151 et
			 seq.), any private entity may—</text>
				<paragraph id="ID93ff0074a66e4392ba2929628b63791f"><enum>(1)</enum><text>monitor
			 information systems of the entity and information that is stored on, processed
			 by, or transiting the information systems for cybersecurity threats;</text>
				</paragraph><paragraph id="ID80afe0c56eb74eb2941ec9ac90c07fa6"><enum>(2)</enum><text>monitor a third
			 party’s information systems and information that is stored on, processed by, or
			 transiting the information systems for cybersecurity threats, if the third
			 party lawfully authorizes the monitoring;</text>
				</paragraph><paragraph id="ID379ab3ac541f439fa029b3f6479f8662"><enum>(3)</enum><text>operate
			 countermeasures on information systems of the entity to protect the information
			 systems and information that is stored on, processed by, or transiting the
			 information systems; and</text>
				</paragraph><paragraph id="ID8eb4bcc05e4a4b2b9e2de4cdf03a8814"><enum>(4)</enum><text>operate
			 countermeasures on a third party’s information systems to protect the third
			 party’s information systems and information that is stored on, processed by, or
			 transiting the information systems, if the third party lawfully authorizes the
			 countermeasures.</text>
				</paragraph></section><section id="idA5E451C2F6494FDEB5934FED47CA6928"><enum>702.</enum><header>Voluntary
			 disclosure of cybersecurity threat indicators among private entities</header>
				<subsection id="id4290F8DA250A4B11A889324791E7A8C7"><enum>(a)</enum><header>Authority to
			 disclose</header><text>Notwithstanding any other provision of law, any private
			 entity may disclose lawfully obtained cybersecurity threat indicators to any
			 other private entity.</text>
				</subsection><subsection id="id322D0EE9C1CD41DA82167108EC6A2F45"><enum>(b)</enum><header>Use and
			 protection of information</header><text>A private entity disclosing or
			 receiving cybersecurity threat indicators under subsection (a)—</text>
					<paragraph id="ID11dbcce3e59e4621be7459c68e2d5f78"><enum>(1)</enum><text>shall make
			 reasonable efforts to safeguard communications, records, system traffic, or
			 other information that can be used to identify specific persons from
			 unauthorized access or acquisition;</text>
					</paragraph><paragraph id="IDa2c999b4eb4446eabf26b5dac05c5cea"><enum>(2)</enum><text>shall comply with
			 any lawful restrictions placed on the disclosure or use of cybersecurity threat
			 indicators by the disclosing entity, including, if requested, the removal of
			 information that can be used to identify specific persons from such
			 indicators;</text>
					</paragraph><paragraph id="ID5ac50e784acf4af7993fccba21696694"><enum>(3)</enum><text>may not use the
			 cybersecurity threat indicators to gain an unfair competitive advantage to the
			 detriment of the entity that authorized such sharing; and</text>
					</paragraph><paragraph id="ID09827a15ad444c6abee8e24b81db7e84"><enum>(4)</enum><text>may only use,
			 retain, or further disclose the cybersecurity threat indicators for the purpose
			 of protecting an information system or information that is stored on, processed
			 by, or transiting an information system from cybersecurity threats or
			 mitigating the threats.</text>
					</paragraph></subsection></section><section id="idCCBB8433C5E34215B971C8307A3EBD52"><enum>703.</enum><header>Cybersecurity
			 exchanges</header>
				<subsection id="id02940C3787F44AB492DDC7633AEC6B8E"><enum>(a)</enum><header>Designation of
			 cybersecurity exchanges</header><text>The Secretary, in consultation with the
			 Director of National Intelligence, the Attorney General, and the Secretary of
			 Defense, shall establish—</text>
					<paragraph id="ID6b58d058ec374005ac5b6b380b854799"><enum>(1)</enum><text>a process for
			 designating appropriate Federal entities (such as 1 or more Federal
			 cybersecurity centers) and non-Federal entities as cybersecurity
			 exchanges;</text>
					</paragraph><paragraph id="ID14030f2d8ce64292b19ef7876856de1d"><enum>(2)</enum><text>procedures to
			 facilitate and encourage the sharing of classified and unclassified
			 cybersecurity threat indicators with designated cybersecurity exchanges and
			 other appropriate Federal entities and non-Federal entities; and</text>
					</paragraph><paragraph id="IDc73188bedf7444f8ad7d114f84a98d71"><enum>(3)</enum><text>a process for
			 identifying certified entities authorized to receive classified cybersecurity
			 threat indicators in accordance with paragraph (2).</text>
					</paragraph></subsection><subsection id="id8781C9B4ED594EB2B3E80C389FB2F1F2"><enum>(b)</enum><header>Purpose</header><text>The
			 purpose of a cybersecurity exchange is to efficiently receive and distribute
			 cybersecurity threat indicators in accordance with this title.</text>
				</subsection><subsection id="idEC97561FFFFD432BBF4112E64DB692C5"><enum>(c)</enum><header>Requirement for
			 a lead Federal cybersecurity exchange</header>
					<paragraph id="idDF2668C669624CE0B56867C82E9F3D4D"><enum>(1)</enum><header>In
			 general</header><text>The Secretary, in consultation with the Director of
			 National Intelligence, the Attorney General, and the Secretary of Defense,
			 shall designate a Federal entity as the lead cybersecurity exchange to serve as
			 the focal point within the Federal Government for cybersecurity information
			 sharing among Federal entities and with non-Federal entities.</text>
					</paragraph><paragraph id="id8F66BE617E864C45A37EED0C7C4F79E7"><enum>(2)</enum><header>Responsibilities</header><text>The
			 lead cybersecurity exchange designated under paragraph (1) shall—</text>
						<subparagraph id="ID37b5f7685f5f443eb7e9c238c1f37214"><enum>(A)</enum><text>receive and
			 distribute cybersecurity threat indicators in accordance with this
			 title;</text>
						</subparagraph><subparagraph id="ID23e25ccd8b3d456689e730145f19b753"><enum>(B)</enum><text>facilitate
			 information sharing, interaction, and collaboration among and between—</text>
							<clause id="IDa1636da5429945708e79d49d9267e1a0"><enum>(i)</enum><text>Federal
			 entities;</text>
							</clause><clause id="ID944f9006b77549a6b03967033479ca48"><enum>(ii)</enum><text>State, local,
			 tribal, and territorial governments;</text>
							</clause><clause id="IDea3cec5083654df398b353df5a21711c"><enum>(iii)</enum><text>private
			 entities;</text>
							</clause><clause id="IDa539310f80f742418525fc6cf201cf45"><enum>(iv)</enum><text>academia;</text>
							</clause><clause id="ID78970ed66a32439ba7a5e0fc147c0d3a"><enum>(v)</enum><text>international
			 partners, in consultation with the Secretary of State; and</text>
							</clause><clause id="ID776f38f3a3e6461c9cc5696d41255788"><enum>(vi)</enum><text>other
			 cybersecurity exchanges;</text>
							</clause></subparagraph><subparagraph id="ID9ec3dffc3a5d4ed5b7cd091e198f4aaf"><enum>(C)</enum><text>disseminate
			 timely and actionable cybersecurity threat, vulnerability, mitigation, and
			 warning information, including alerts, advisories, indicators, signatures, and
			 mitigation and response measures, to improve the security and protection of
			 information systems;</text>
						</subparagraph><subparagraph id="IDc455f5056e5347fe9d720076ca1a0280"><enum>(D)</enum><text>coordinate with
			 other Federal and non-Federal entities, as appropriate, to integrate
			 information from Federal and non-Federal entities, including Federal
			 cybersecurity centers, non-Federal network or security operation centers, other
			 cybersecurity exchanges, and non-Federal entities that disclose cybersecurity
			 threat indicators under section 704(a) to provide situational awareness of the
			 United States information security posture and foster information security
			 collaboration among information system owners and operators;</text>
						</subparagraph><subparagraph id="ID346770c279e143a6896faecc478059f0"><enum>(E)</enum><text>conduct, in
			 consultation with private entities and relevant Federal and other governmental
			 entities, regular assessments of existing and proposed information sharing
			 models to eliminate bureaucratic obstacles to information sharing and identify
			 best practices for such information sharing; and</text>
						</subparagraph><subparagraph id="IDdd7c8aebe1cc4be8947f1683ea02bf77"><enum>(F)</enum><text>coordinate with
			 other Federal entities, as appropriate, to compile and analyze information
			 about risks and incidents that threaten information systems, including
			 information voluntarily submitted in accordance with section 704(a) or
			 otherwise in accordance with applicable laws.</text>
						</subparagraph></paragraph><paragraph id="id2C3A6D4FF9AF4BE2A9C78F35FCD2CD41"><enum>(3)</enum><header>Schedule for
			 designation</header>
						<subparagraph id="id8B023C4215294A7DA4B64CDCE01E310A"><enum>(A)</enum><header>Initial
			 designation</header><text>Not later than 60 days after the date of enactment of
			 this Act, the Secretary shall designate a lead cybersecurity exchange under
			 paragraph (1).</text>
						</subparagraph><subparagraph id="idB55BCA93C05746178F566C7FE56E0C8A"><enum>(B)</enum><header>Interim
			 designation</header><text>The National Cybersecurity and Communications
			 Integration Center of the Department shall serve as the interim lead
			 cybersecurity exchange until the Secretary designates a lead cybersecurity
			 exchange under paragraph (1).</text>
						</subparagraph></paragraph></subsection><subsection id="id920A96AD5D554EA0A780FCCF9DE03B78"><enum>(d)</enum><header>Additional
			 Federal cybersecurity exchanges</header><text>In accordance with the process
			 and procedures established under subsection (a), the Secretary, in consultation
			 with the Director of National Intelligence, the Attorney General, and the
			 Secretary of Defense, may designate additional existing Federal entities as
			 cybersecurity exchanges, if the cybersecurity exchanges are subject to the
			 requirements for use, retention, and disclosure of information by a
			 cybersecurity exchange under section 704(b) and the special requirements for
			 Federal entities under section 704(g).</text>
				</subsection><subsection id="idAB9DF757D86C4C8D8E33FB5438442802"><enum>(e)</enum><header>Requirements
			 for non-Federal cybersecurity exchanges</header>
					<paragraph id="idFCE5678AFCBD4F07B35F6BC46A0EB937"><enum>(1)</enum><header>In
			 general</header><text>In considering whether to designate a non-Federal entity
			 as a cybersecurity exchange to receive cybersecurity threat indicators under
			 section 704(a), and what entity to designate, the Secretary shall consider the
			 following factors:</text>
						<subparagraph id="ID089ff874d06146d3ab3bfeaab66ff43c"><enum>(A)</enum><text>The net effect
			 that an additional cybersecurity exchange would have on the overall
			 cybersecurity of the United States.</text>
						</subparagraph><subparagraph id="ID497ee4f69c6b4e6fa9f2c6e0abb84818"><enum>(B)</enum><text>Whether the
			 designation could substantially improve the overall cybersecurity of the United
			 States by serving as a hub for receiving and sharing cybersecurity threat
			 indicators, including the capacity of the non-Federal entity for performing
			 those functions.</text>
						</subparagraph><subparagraph id="ID4512ada0ca77450e9fe078f3a8151576"><enum>(C)</enum><text>The capacity of
			 the non-Federal entity to safeguard cybersecurity threat indicators from
			 unauthorized disclosure and use.</text>
						</subparagraph><subparagraph id="ID8d141f6160224842a136cb1b1c42b981"><enum>(D)</enum><text>The adequacy of
			 the policies and procedures of the non-Federal entity to protect personally
			 identifiable information from unauthorized disclosure and use.</text>
						</subparagraph><subparagraph id="ID805cdf4202644505b45e1759d791e9ff"><enum>(E)</enum><text>The ability of
			 the non-Federal entity to sustain operations using entirely non-Federal sources
			 of funding.</text>
						</subparagraph></paragraph><paragraph id="idA7DDD9DDCEDD4ED292A146B31D9D6934"><enum>(2)</enum><header>Regulations</header><text>The
			 Secretary may promulgate regulations as may be necessary to carry out this
			 subsection.</text>
					</paragraph></subsection><subsection id="id02F403B660CE45768533DA0917C52A72"><enum>(f)</enum><header>Construction
			 with other authorities</header><text>Nothing in this section may be construed
			 to alter the authorities of a Federal cybersecurity center, unless such
			 cybersecurity center is acting in its capacity as a designated cybersecurity
			 exchange.</text>
				</subsection><subsection id="idBC3AB03D6FCB43749E480343FA3A9750"><enum>(g)</enum><header>No new
			 bureaucracies</header><text>Nothing in this section may be construed to
			 authorize additional layers of Federal bureaucracy for the receipt and
			 disclosure of cybersecurity threat indicators.</text>
				</subsection><subsection id="idA75F553F7E33446A98AF4C3DADF08E3D"><enum>(h)</enum><header>Report on
			 designation of cybersecurity exchange</header><text>Not later than 90 days
			 after the date on which the Secretary designates the initial cybersecurity
			 exchange under this section, the Secretary, the Director of National
			 Intelligence, the Attorney General, and the Secretary of Defense shall jointly
			 submit to Congress a written report that—</text>
					<paragraph id="IDfc31a5f39cbd4da2b1555ba348cff0f9"><enum>(1)</enum><text>describes the
			 processes established to designate cybersecurity exchanges under subsection
			 (a);</text>
					</paragraph><paragraph id="IDdb754edfd5464898b92902de0646b01b"><enum>(2)</enum><text>summarizes the
			 policies and procedures established under section 704(g); and</text>
					</paragraph><paragraph id="ID134fb26ceab443688569eb0990af2ecf"><enum>(3)</enum><text>if the Secretary
			 has not designated any non-Federal entities as a cybersecurity exchange,
			 provides recommendations concerning the advisability of designating non-Federal
			 entities as cybersecurity exchanges.</text>
					</paragraph></subsection></section><section id="id8E8B31A7F5D0455086DD53BC725B9D84"><enum>704.</enum><header>Voluntary
			 disclosure of cybersecurity threat indicators to a cybersecurity
			 exchange</header>
				<subsection id="id26FC6F24E251494B9214A3897040F25F"><enum>(a)</enum><header>Authority to
			 disclose</header><text>Notwithstanding any other provision of law, a
			 non-Federal entity may disclose lawfully obtained cybersecurity threat
			 indicators to a cybersecurity exchange.</text>
				</subsection><subsection id="id86C58E051EA64395BDCA91F4DE8C9C90"><enum>(b)</enum><header>Use, retention,
			 and disclosure of information by a cybersecurity exchange</header><text>Except
			 as provided in subsection (g), a cybersecurity exchange may only use, retain,
			 or further disclose information provided under subsection (a) in order to
			 protect information systems from cybersecurity threats or mitigate
			 cybersecurity threats.</text>
				</subsection><subsection id="IDd5595804b78744df858280d7e1f05274"><enum>(c)</enum><header>Use and
			 protection of information received from a cybersecurity
			 exchange</header><text>A non-Federal entity receiving cybersecurity threat
			 indicators from a cybersecurity exchange—</text>
					<paragraph id="ID2865b7b5c87246a290634b8948f3f33b"><enum>(1)</enum><text>shall make
			 reasonable efforts to safeguard communications, records, system traffic, and
			 other information that can be used to identify specific persons from
			 unauthorized access or acquisition;</text>
					</paragraph><paragraph id="IDb9e4975041554de6b9196b2e8178533a"><enum>(2)</enum><text>shall comply with
			 any lawful restrictions placed on the disclosure or use of cybersecurity threat
			 indicators by the cybersecurity exchange or a third party, if the cybersecurity
			 exchange received the information from the third party, including, if
			 requested, the removal of information that can be used to identify specific
			 persons from the indicators;</text>
					</paragraph><paragraph id="ID90acdd25334a47e7a14bfabd8e376a5f"><enum>(3)</enum><text>may not use the
			 cybersecurity threat indicators to gain an unfair competitive advantage to the
			 detriment of the third party that authorized the sharing; and</text>
					</paragraph><paragraph id="ID9871ae1a403e4542a68cf1e32ed47430"><enum>(4)</enum><text>may only use,
			 retain, or further disclose the cybersecurity threat indicators for the purpose
			 of protecting an information system or information that is stored on, processed
			 by, or transiting an information system from cybersecurity threats or
			 mitigating such threats.</text>
					</paragraph></subsection><subsection id="idB9A71CA848A74329BB89EFDFE332E703"><enum>(d)</enum><header>Exemption from
			 public disclosure</header><text>Any cybersecurity threat indicator disclosed by
			 a non-Federal entity to a cybersecurity exchange under subsection (a) shall
			 be—</text>
					<paragraph id="ID69520d6bf7014c08b4494ed522fdfd5e"><enum>(1)</enum><text>exempt from
			 disclosure under section 552(b)(3) of title 5, United States Code, or any
			 comparable State law; and</text>
					</paragraph><paragraph id="IDf8c0d9df514f42b09af8b2ad0ce851ef"><enum>(2)</enum><text>treated as
			 voluntarily shared information under section 552 of title 5, United States
			 Code, or any comparable State law.</text>
					</paragraph></subsection><subsection id="id5B22FB05A20B43A7BD9970B35C14246A"><enum>(e)</enum><header>Exemption from
			 ex parte limitations</header><text>Any cybersecurity threat indicator disclosed
			 by a non-Federal entity to a cybersecurity exchange under subsection (a) shall
			 not be subject to the rules of any governmental entity or judicial doctrine
			 regarding ex parte communications with a decision making official.</text>
				</subsection><subsection id="id4E8B6358782C410C84356DB57F96190A"><enum>(f)</enum><header>Exemption from
			 waiver of privilege</header><text>Any cybersecurity threat indicator disclosed
			 by a non-Federal entity to a cybersecurity exchange under subsection (a) may
			 not be construed to be a waiver of any applicable privilege or protection
			 provided under Federal, State, tribal, or territorial law, including any trade
			 secret protection.</text>
				</subsection><subsection id="idC7447AD04AB8429CA82CAE05C733F78C"><enum>(g)</enum><header>Special
			 requirements for Federal entities</header>
					<paragraph id="id884125CCC9D84C37A43EF8373522513E"><enum>(1)</enum><header>Permitted
			 disclosures</header><text>Notwithstanding any other provision of law and
			 consistent with the requirements of this subsection, a Federal entity that
			 lawfully intercepts, acquires, or otherwise obtains or possesses any
			 communication, record, or other information from its electronic communications
			 system, may disclose that communication, record, or other information
			 if—</text>
						<subparagraph id="id99D6DCC5CD8E4D699226DCA6CF1A2B4C"><enum>(A)</enum><text>the disclosure is
			 made for the purpose of—</text>
							<clause id="ID26c2f597237e4790b5c3acae48f588a1"><enum>(i)</enum><text>protecting the
			 information system of a Federal entity from cybersecurity threats; or</text>
							</clause><clause id="ID10ccba8c199e4998b7f42f428d1d3614"><enum>(ii)</enum><text>mitigating
			 cybersecurity threats to—</text>
								<subclause id="ID6391e7b01e47486f94c3fa548e5fdb63"><enum>(I)</enum><text>another
			 component, officer, employee, or agent of the Federal entity with cybersecurity
			 responsibilities;</text>
								</subclause><subclause id="ID2afa5b1a3d2548eda3912e0fcaec5df7"><enum>(II)</enum><text>any
			 cybersecurity exchange; or</text>
								</subclause><subclause id="IDa60634d7856b49bca1c97f7042b09d70"><enum>(III)</enum><text>a private
			 entity that is acting as a provider of electronic communication services,
			 remote computing service, or cybersecurity services to a Federal entity;
			 and</text>
								</subclause></clause></subparagraph><subparagraph id="ID446c25b328bb403a8607666f6f79fe46"><enum>(B)</enum><text>the recipient of
			 the communication, record, or other information agrees to comply with the
			 Federal entity’s lawful requirements regarding the protection and further
			 disclosure of the information, except to the extent the requirements are
			 inconsistent with the policies and procedures developed by the Secretary and
			 approved by the Attorney General under paragraph (4).</text>
						</subparagraph></paragraph><paragraph id="idED6EE67870424E66ABDD5D51939183C4"><enum>(2)</enum><header>Disclosure to
			 law enforcement</header><text>A cybersecurity exchange that is a Federal entity
			 may disclose cybersecurity threat indicators received under subsection (a) to a
			 law enforcement entity if—</text>
						<subparagraph id="IDab71987b61104bcab47152398641174a"><enum>(A)</enum><text>the information
			 appears to relate to a crime which has been, is being, or is about to be
			 committed; and</text>
						</subparagraph><subparagraph id="IDf7f5013e5709496d8894aff111293930"><enum>(B)</enum><text>the disclosure is
			 permitted under the procedures developed by the Secretary and approved by the
			 Attorney General under paragraph (4).</text>
						</subparagraph></paragraph><paragraph id="id29C0EB24ED6B4E70AFFC1E3B7D0F578B"><enum>(3)</enum><header>Further
			 disclosure and use of information by a Federal entity</header>
						<subparagraph id="id7738527F06124A45A6261F3611D4A07A"><enum>(A)</enum><header>Authority to
			 receive cybersecurity threat indicators</header><text>A Federal entity that is
			 not a cybersecurity exchange may receive cybersecurity threat indicators from a
			 cybersecurity exchange under section 703, but shall only use or retain the
			 cybersecurity threat indicators in a manner that is consistent with this
			 subsection in order—</text>
							<clause id="IDcc5284409abe4e358b54a5de182d9679"><enum>(i)</enum><text>to
			 protect information systems from cybersecurity threats and to mitigate
			 cybersecurity threats; or</text>
							</clause><clause id="IDab8add743ae547a7aff1871467d04686"><enum>(ii)</enum><text>to
			 disclose the cybersecurity threat indicators to a law enforcement agency under
			 paragraph (2).</text>
							</clause></subparagraph><subparagraph id="id72C2093A39484DD8834E06E47FCA160B"><enum>(B)</enum><header>Authority to
			 use cybersecurity threat indicators</header><text>A Federal entity that is not
			 a cybersecurity exchange shall ensure, by written agreement, that when
			 disclosing cybersecurity threat indicators to a non-Federal entity under this
			 section, the non-Federal entity shall use or retain the cybersecurity threat
			 indicators in a manner that is consistent with the requirements under section
			 702(b) on the use and protection of information and paragraph (2) of this
			 subsection.</text>
						</subparagraph></paragraph><paragraph id="id2AA3679A937C4F49B7952DDFE2359AC4"><enum>(4)</enum><header>Privacy and
			 civil liberties</header>
						<subparagraph id="idC2D24602D8EB418CB6EB787B7686568B"><enum>(A)</enum><header>Requirement for
			 policies and procedures</header><text>In consultation with privacy and civil
			 liberties experts, the Director of National Intelligence, and the Secretary of
			 Defense, the Secretary shall develop and periodically review policies and
			 procedures governing the receipt, retention, use, and disclosure of
			 cybersecurity threat indicators by a Federal entity obtained in connection with
			 activities authorized under this title, which shall—</text>
							<clause id="ID9f39fa07a4984a4cb1ebc0521a384c86"><enum>(i)</enum><text>minimize the
			 impact on privacy and civil liberties, consistent with the need to protect
			 information systems from cybersecurity threats and mitigate cybersecurity
			 threats;</text>
							</clause><clause id="ID9365e3b2f3e4419586f51027ab14ff67"><enum>(ii)</enum><text>reasonably limit
			 the receipt, retention, use and disclosure of cybersecurity threat indicators
			 associated with specific persons consistent with the need to carry out the
			 responsibilities of this title, including establishing a process for the timely
			 destruction of cybersecurity threat indicators that are received under this
			 section that do not reasonably appear to be related to protecting information
			 systems from cybersecurity threats and mitigating cybersecurity threats, unless
			 the indicators appear to relate to a crime which has been, is being, or is
			 about to be committed;</text>
							</clause><clause id="ID0fe41abe9ab04c47a4038ad8094342d8"><enum>(iii)</enum><text>include
			 requirements to safeguard cybersecurity threat indicators that can be used to
			 identify specific persons from unauthorized access or acquisition; and</text>
							</clause><clause id="IDbd686c0a33794b43958b6dd0fa68fbe3"><enum>(iv)</enum><text>protect the
			 confidentiality of cybersecurity threat indicators associated with specific
			 persons to the greatest extent practicable and require recipients to be
			 informed that such indicators may only be used for protecting information
			 systems against cybersecurity threats, mitigating against cybersecurity
			 threats, or disclosed to law enforcement under paragraph (2).</text>
							</clause></subparagraph><subparagraph id="id1E1D465755754C40B5FBBD6461F0AF43"><enum>(B)</enum><header>Adoption of
			 policies and procedures</header><text>The head of a Federal agency responsible
			 for a Federal entity designated as a cybersecurity exchange under section 703
			 shall adopt and comply with the policies and procedures developed under this
			 subsection.</text>
						</subparagraph><subparagraph id="id61A5356C8E714AE895A405B0F203F125"><enum>(C)</enum><header>Review by the
			 Attorney General</header><text>Not later than 1 year after the date of the
			 enactment of this Act, the Attorney General shall review and approve policies
			 and procedures developed under this subsection.</text>
						</subparagraph><subparagraph id="idD8165E63A52144598D0C915F319943EB"><enum>(D)</enum><header>Provision to
			 Congress</header><text>The policies and procedures issued under this subsection
			 and any amendments to such policies and procedures shall be provided to
			 Congress.</text>
						</subparagraph></paragraph><paragraph id="idA14FFEE318174EDBA06D2481A8953255"><enum>(5)</enum><header>Oversight</header>
						<subparagraph id="IDe5bd35655ba4465f81ef409172c53c10"><enum>(A)</enum><header>Requirement for
			 oversight</header><text>The Secretary and the Attorney General shall establish
			 a mandatory program to monitor and oversee compliance with the policies and
			 procedures issued under this subsection.</text>
						</subparagraph><subparagraph id="idF15858ED08914DDD88F9246DDE5E1E9B"><enum>(B)</enum><header>Notification of
			 the Attorney General</header><text>The head of each Federal entity that
			 receives information under this title shall—</text>
							<clause id="IDe3973adcb4154fadb0833321df0a15ef"><enum>(i)</enum><text>comply with the
			 policies and procedures developed by the Secretary and approved by the Attorney
			 General under paragraph (4);</text>
							</clause><clause id="IDcc6c082af9a3460f85bdaa63c92e4a67"><enum>(ii)</enum><text>promptly notify
			 the Attorney General of significant violations of the policies and procedures;
			 and</text>
							</clause><clause id="IDaad772c9382d4d549a1b652f924e8d64"><enum>(iii)</enum><text>provide the
			 Attorney General with any information relevant to the violation that any
			 Attorney General requires.</text>
							</clause></subparagraph><subparagraph id="idC03D3B9263B74730A0580F4E19533927"><enum>(C)</enum><header>Annual
			 report</header><text>On an annual basis, the Chief Privacy and Civil Liberties
			 Officer of the Department of Justice and the Department of Homeland Security,
			 in consultation with the most senior privacy and civil liberties officer or
			 officers of any appropriate agencies, shall jointly submit to Congress a report
			 assessing the privacy and civil liberties impact of the activities of the
			 Federal Government conducted under this title.</text>
						</subparagraph></paragraph><paragraph id="id1A4CACD9CBE8438EA8E5B157B537F996"><enum>(6)</enum><header>Privacy and
			 Civil Liberties Oversight Board</header><text>Not later than 2 years after the
			 date of enactment of this Act, the Privacy and Civil Liberties Oversight Board
			 shall submit to Congress and the President a report providing—</text>
						<subparagraph id="ID8c94b3a33a2d4e41ac78c74fef578937"><enum>(A)</enum><text>an assessment of
			 the privacy and civil liberties impact of the activities carried out by the
			 Federal entities under this title; and</text>
						</subparagraph><subparagraph id="ID0cda80afc58b40c199d9fecaae644199"><enum>(B)</enum><text>recommendations
			 for improvements to or modifications of the law to address privacy and civil
			 liberties concerns.</text>
						</subparagraph></paragraph><paragraph id="ID627f1df959544fab8c4fbfa34e321d0b"><enum>(7)</enum><header>Sanctions</header><text>The
			 heads of Federal entities shall develop and enforce appropriate sanctions for
			 officers, employees, or agents of the Federal entities who conduct activities
			 under this title—</text>
						<subparagraph id="IDb4ee30ce130e464aab7c7bc6ea5a5c45"><enum>(A)</enum><text>outside the
			 normal course of their specified duties;</text>
						</subparagraph><subparagraph id="IDeb9ff2a3edd0464ea7e5fabaac44b54f"><enum>(B)</enum><text>in a manner
			 inconsistent with the discharge of the responsibilities of the Federal
			 entities; or</text>
						</subparagraph><subparagraph id="ID592f6898c760482293feea3c69920321"><enum>(C)</enum><text>in contravention
			 of the requirements, policies and procedures required under this
			 subsection.</text>
						</subparagraph></paragraph></subsection></section><section id="idC6521B395C904940A5E755AAF5A8F256"><enum>705.</enum><header>Sharing of
			 classified cybersecurity threat indicators</header>
				<subsection id="id9E72FAB61269489BB3D4B547A88A013D"><enum>(a)</enum><header>Sharing of
			 classified cybersecurity threat indicators</header><text>The procedures
			 established under section 703(a)(2) shall provide that classified cybersecurity
			 threat indicators may only be—</text>
					<paragraph id="ID4e4c7db8478e4c77992cc88a2920bace"><enum>(1)</enum><text>shared with
			 certified entities;</text>
					</paragraph><paragraph id="IDe79b040c7c88481b843ca2c69b717e16"><enum>(2)</enum><text>shared in a
			 manner that is consistent with the need to protect the national security of the
			 United States;</text>
					</paragraph><paragraph id="ID92666024d21e4f2a9277b996173b2dc3"><enum>(3)</enum><text>shared with a
			 person with an appropriate security clearance to receive the cybersecurity
			 threat indicators; and</text>
					</paragraph><paragraph id="ID23e0aa3c1da647a88083eedaafbb171f"><enum>(4)</enum><text>used by a
			 certified entity in a manner that protects the cybersecurity threat indicators
			 from unauthorized disclosure.</text>
					</paragraph></subsection><subsection id="id07CB737C840E495488BF05940920C09F"><enum>(b)</enum><header>Requirement for
			 guidelines</header><text>Not later than 60 days after the date of enactment of
			 this Act, the Director of National Intelligence shall issue guidelines
			 providing that appropriate Federal officials may, as the Director considers
			 necessary to carry out this title—</text>
					<paragraph id="IDdac83655a4094eb8b4e7dc6afb48d053"><enum>(1)</enum><text>grant a security
			 clearance on a temporary or permanent basis to an employee of a certified
			 entity;</text>
					</paragraph><paragraph id="IDa33c78c9915949738655ec8e05893eea"><enum>(2)</enum><text>grant a security
			 clearance on a temporary or permanent basis to a certified entity and approval
			 to use appropriate facilities; or</text>
					</paragraph><paragraph id="IDf6f079aadd2748d0b31cfdb998040ed3"><enum>(3)</enum><text>expedite the
			 security clearance process for a certified entity or employee of a certified
			 entity, if appropriate, in a manner consistent with the need to protect the
			 national security of the United States.</text>
					</paragraph></subsection><subsection id="IDf4b87028451f49128f91c5fb5e938e3b"><enum>(c)</enum><header>Distribution of
			 procedures and guidelines</header><text>Following the establishment of the
			 procedures under section 703(a)(2) and the issuance of the guidelines under
			 subsection (b), the Secretary and the Director of National Intelligence shall
			 expeditiously distribute the procedures and guidelines to—</text>
					<paragraph id="IDc6b31b30ce844f6baa498d4f0d5e7c5f"><enum>(1)</enum><text>appropriate
			 governmental entities and private entities;</text>
					</paragraph><paragraph id="ID68e3cba5adfd42e898c29f72c15c4f77"><enum>(2)</enum><text>the Committee on
			 Armed Services, the Committee on Commerce, Science, and Transportation, the
			 Committee on Homeland Security and Governmental Affairs, the Committee on the
			 Judiciary, and the Select Committee on Intelligence of the Senate; and</text>
					</paragraph><paragraph id="IDa3761dba71ef401889128e56226cf021"><enum>(3)</enum><text>the Committee on
			 Armed Services, the Committee on Energy and Commerce, the Committee on Homeland
			 Security, the Committee on the Judiciary, and the Permanent Select Committee on
			 Intelligence of the House of Representatives.</text>
					</paragraph></subsection></section><section id="idB5F23E0931FE4B87B747F03227C5D4F4"><enum>706.</enum><header>Limitation on
			 liability and good faith defense for cybersecurity activities</header>
				<subsection id="id69BC4067180E4E2E8EEDE0231600B2D8"><enum>(a)</enum><header>In
			 general</header><text>No civil or criminal cause of action shall lie or be
			 maintained in any Federal or State court against any entity, and any such
			 action shall be dismissed promptly, based on—</text>
					<paragraph id="ID704405db0f8149a68e1c2891ac4b8bc4"><enum>(1)</enum><text>the cybersecurity
			 monitoring activities authorized by paragraphs (1) and (2) of section 701;
			 or</text>
					</paragraph><paragraph id="ID8a94532313194e5aad632a9e2a54f555"><enum>(2)</enum><text>the voluntary
			 disclosure of a lawfully obtained cybersecurity threat indicator—</text>
						<subparagraph id="IDfe9388eebee34ba49277cf30d1d67f41"><enum>(A)</enum><text>to a
			 cybersecurity exchange under section 704(a);</text>
						</subparagraph><subparagraph id="ID277899fd5adb42ee97bd896947b33ea1"><enum>(B)</enum><text>by a provider of
			 cybersecurity services to a customer of the provider;</text>
						</subparagraph><subparagraph id="ID00568c38b14b4a84a13b4dc297579e29"><enum>(C)</enum><text>to a private
			 entity or governmental entity that provides or manages critical infrastructure;
			 or</text>
						</subparagraph><subparagraph id="ID4046909b80054f34a065a79ceb4bf8f7"><enum>(D)</enum><text>to any other
			 private entity under section 702(a), if the cybersecurity threat indicator is
			 also disclosed within a reasonable time to a cybersecurity exchange.</text>
						</subparagraph></paragraph></subsection><subsection id="id65A54599CCE643549CA1DEC35D0FB6AA"><enum>(b)</enum><header>Good faith
			 defense</header><text>If a civil or criminal cause of action is not barred
			 under subsection (a), good faith reliance that this title permitted the conduct
			 complained of is a complete defense against any civil or criminal action
			 brought under this title or any other law.</text>
				</subsection><subsection id="id8232A5C1A98549539598E6511A99DDAE"><enum>(c)</enum><header>Limitation on
			 use of cybersecurity threat indicators for regulatory enforcement
			 actions</header><text>No Federal entity may use a cybersecurity threat
			 indicator received under this title as evidence in a regulatory enforcement
			 action against the entity that lawfully shared the cybersecurity threat
			 indicator with a cybersecurity exchange that is a Federal entity.</text>
				</subsection><subsection id="id5556F7B1CF4E4F968D1D4D6938BAC812"><enum>(d)</enum><header>Delay of
			 notification authorized for law enforcement or national security
			 purposes</header><text>No civil or criminal cause of action shall lie or be
			 maintained in any Federal or State court against any entity, and any such
			 action shall be dismissed promptly, for a failure to disclose a cybersecurity
			 threat indicator if—</text>
					<paragraph id="IDbfa26ba38c5047b7aca4b51558663100"><enum>(1)</enum><text>the Attorney
			 General determines that disclosure of a cybersecurity threat indicator would
			 impede a civil or criminal investigation and submits a written request to delay
			 notification for up to 30 days, except that the Attorney General may, by a
			 subsequent written request, revoke such delay or extend the period of time set
			 forth in the original request made under this paragraph if further delay is
			 necessary; or</text>
					</paragraph><paragraph id="ID20b3c034f2714a9ba9b0445e92970e5b"><enum>(2)</enum><text>the Secretary,
			 the Attorney General, or the Director of National Intelligence determines that
			 disclosure of a cybersecurity threat indicator would threaten national or
			 homeland security and submits a written request to delay notification, except
			 that the Secretary, the Attorney General or the Director of National
			 Intelligence may, by a subsequent written request, revoke such delay or extend
			 the period of time set forth in the original request made under this paragraph
			 if further delay is necessary.</text>
					</paragraph></subsection><subsection id="id4F0B95B3A8694222A698D53072457A98"><enum>(e)</enum><header>Limitation on
			 liability for failure to act</header><text>No civil or criminal cause of action
			 shall lie or be maintained in any Federal or State court against any private
			 entity, or any officer, employee, or agent of such an entity, and any such
			 action shall be dismissed promptly, for the reasonable failure to act on
			 information received under this title.</text>
				</subsection><subsection id="idE30EA97B40E24BE4936F26CEFB5198E2"><enum>(f)</enum><header>Limitation on
			 protections</header><text>Any person who knowingly and willfully violates
			 restrictions under this title shall not receive the protections under this
			 title.</text>
				</subsection><subsection id="id461E1270B1344D50B49AFBB7D232D024"><enum>(g)</enum><header>Private right
			 of action</header><text>Nothing in this title may be construed to limit
			 liability for a failure to comply with the requirements of section 702(b) and
			 section 704(c) on the use and protection of information.</text>
				</subsection><subsection id="idC7F8636FFB3744C3864ACB69C89E0767"><enum>(h)</enum><header>Defense for
			 breach of contract</header><text>Compliance with lawful restrictions placed on
			 the disclosure or use of cybersecurity threat indicators is a complete defense
			 to any tort or breach of contract claim originating in a failure to disclose
			 cybersecurity threat indicators to a third party.</text>
				</subsection></section><section id="id3385682338BF4D3B823253566DBBB305"><enum>707.</enum><header>Construction;
			 Federal preemption</header>
				<subsection id="idD62D80F9BCBC4A54852613CF2C78C59F"><enum>(a)</enum><header>Construction</header><text>Nothing
			 in this title may be construed—</text>
					<paragraph id="ID8f92c9898cc5428686abcd3efa5c5b7e"><enum>(1)</enum><text>to permit the
			 unauthorized disclosure of—</text>
						<subparagraph id="IDa4c58f7a77494a1bbea5117537274c75"><enum>(A)</enum><text>information that
			 has been determined by the Federal Government pursuant to an Executive Order or
			 statute to require protection against unauthorized disclosure for reasons of
			 national defense or foreign relations;</text>
						</subparagraph><subparagraph id="ID4407a603337448eda45f8a519295de37"><enum>(B)</enum><text>any restricted
			 data (as that term is defined in paragraph (y) of section 11 of the Atomic
			 Energy Act of 1954 (42 U.S.C. 2014));</text>
						</subparagraph><subparagraph id="id27CF1F049E7B454DA0C1181FF3A43ECD"><enum>(C)</enum><text>information
			 related to intelligence sources and methods; or</text>
						</subparagraph><subparagraph id="ID43223f2401f94d5985288da03e38e511"><enum>(D)</enum><text>information that
			 is specifically subject to a court order or a certification, directive, or
			 other authorization by the Attorney General precluding such disclosure;</text>
						</subparagraph></paragraph><paragraph id="IDb4257dcf93dc4a43a5b35e295124443f"><enum>(2)</enum><text>to limit or
			 prohibit otherwise lawful disclosures of communications, records, or
			 information by a private entity to a cybersecurity exchange or any other
			 governmental or private entity not conducted under this title;</text>
					</paragraph><paragraph id="IDaae79271572c4c2d8b0098770209b4dc"><enum>(3)</enum><text>to limit the
			 ability of a private entity or governmental entity to receive data about the
			 information systems of the entity, including lawfully obtained cybersecurity
			 threat indicators;</text>
					</paragraph><paragraph id="IDb59f8eb64902409fba18fd2d71de3aca"><enum>(4)</enum><text>to authorize or
			 prohibit any law enforcement, homeland security, or intelligence activities not
			 otherwise authorized or prohibited under another provision of law;</text>
					</paragraph><paragraph id="IDaefcc9947d9445138747a75d748f5119"><enum>(5)</enum><text>to permit
			 price-fixing, allocating a market between competitors, monopolizing or
			 attempting to monopolize a market, boycotting, or exchanges of price or cost
			 information, customer lists, or information regarding future competitive
			 planning; or</text>
					</paragraph><paragraph id="IDcaf1d3bb17ed4521a8b81a275c6badc3"><enum>(6)</enum><text>to prevent a
			 governmental entity from using information not acquired through a cybersecurity
			 exchange for regulatory purposes.</text>
					</paragraph></subsection><subsection id="id3CA77984B3F744E59B6CDADF23234F8E"><enum>(b)</enum><header>Federal
			 preemption</header><text>This title supersedes any law or requirement of a
			 State or political subdivision of a State that restricts or otherwise expressly
			 regulates the provision of cybersecurity services or the acquisition,
			 interception, retention, use or disclosure of communications, records, or other
			 information by private entities to the extent such law contains requirements
			 inconsistent with this title.</text>
				</subsection><subsection id="idB1191ABF838245638C0C6FD3E6F2BD99"><enum>(c)</enum><header>Preservation of
			 other State law</header><text>Except as expressly provided, nothing in this
			 title shall be construed to preempt the applicability of any other State law or
			 requirement.</text>
				</subsection><subsection id="ID30fb9caf741f4a6ea274bf94513f1a0b"><enum>(d)</enum><header>No creation of
			 a right to information</header><text>The provision of information to a
			 non-Federal entity under this title shall not create a right or benefit to
			 similar information by any other non-Federal entity.</text>
				</subsection><subsection id="id0557EE5832CA40E89970FFB8ADEA400E"><enum>(e)</enum><header>Prohibition on
			 requirement to provide information to the Federal
			 Government</header><text>Nothing in this title, except as expressly stated, may
			 be construed to permit a Federal entity—</text>
					<paragraph id="IDe9d9ca3cc2fc41aabeed4fbe8eab8c89"><enum>(1)</enum><text>to require a
			 non-Federal entity to share information with the Federal Government; or</text>
					</paragraph><paragraph id="IDca93a8632cdd4776a671ad80c0d4566f"><enum>(2)</enum><text>to condition the
			 disclosure of unclassified or classified cybersecurity threat indicators under
			 this title with a non-Federal entity on the provision of cybersecurity threat
			 information to the Federal Government.</text>
					</paragraph></subsection><subsection id="id16FBB956AE9F4DFAB5F11A8CA4091656"><enum>(f)</enum><header>Limitation on
			 use of information</header><text>No cybersecurity threat indicators obtained
			 under this title may be used, retained, or disclosed by a Federal entity or
			 non-Federal entity, except as authorized under this title.</text>
				</subsection><subsection id="id247C345CA1EE40D5A7F1C27379C33E3C"><enum>(g)</enum><header>Declassification
			 and sharing of information</header><text>Consistent with the exemptions from
			 public disclosure of section 704(d), the Director of National Intelligence, in
			 consultation with the Secretary, shall facilitate the declassification and
			 sharing of information in the possession of a Federal entity that is related to
			 cybersecurity threats, as the Director of National Intelligence determines
			 appropriate.</text>
				</subsection><subsection id="id269270662DFC49DCB416FDB472FB296C"><enum>(h)</enum><header>Report on
			 implementation</header><text>Not later than 2 years after the date of enactment
			 of this Act, the Secretary, the Director of National Intelligence, the Attorney
			 General, and the Secretary of Defense shall jointly submit to Congress a report
			 that—</text>
					<paragraph id="ID702edaba234c45e78502d84ab427e658"><enum>(1)</enum><text>describes the
			 extent to which the authorities conferred by this title have enabled the
			 Federal Government and the private sector to mitigate cybersecurity
			 threats;</text>
					</paragraph><paragraph id="ID6d7688848afb45be974d942cfd8d8f40"><enum>(2)</enum><text>discloses any
			 significant acts of noncompliance by a non-Federal entity with this title, with
			 special emphasis on privacy and civil liberties, and any measures taken by the
			 Federal Government to uncover such noncompliance;</text>
					</paragraph><paragraph id="ID3104703285e34b129d5024bc55af84d9"><enum>(3)</enum><text>describes in
			 general terms the nature and quantity of information disclosed and received by
			 governmental entities and private entities under this title; and</text>
					</paragraph><paragraph id="ID0e105ebc0d2a40e184b1fc7abf0dee90"><enum>(4)</enum><text>proposes changes
			 to the law, including the definitions, authorities and requirements under this
			 title, that are necessary to ensure the law keeps pace with the threat while
			 protecting privacy and civil liberties.</text>
					</paragraph></subsection><subsection id="id1FB25A5AFCAF46B0B4EDD574EA6DDC25"><enum>(i)</enum><header>Requirement for
			 annual report</header><text>On an annual basis, the Director of National
			 Intelligence shall provide a report to the Select Committee on Intelligence of
			 the Senate and the Permanent Select Committee on Intelligence of the House of
			 Representatives on the implementation of section 705. Each report under this
			 subsection, which shall be submitted in an unclassified form, but may include a
			 classified annex, shall include a list of private entities that receive
			 classified cybersecurity threat indicators under this title, except that the
			 unclassified report shall not contain information that may be used to identify
			 specific private entities unless such private entities consent to such
			 identification.</text>
				</subsection></section><section id="id3D1DE53987B24858A113B0F475818F2F"><enum>708.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text>
				<paragraph id="ID13f820c4f6484858b1bcbc41c13c5175"><enum>(1)</enum><header>Certified
			 entity</header><text>The term <term>certified entity</term> means a protected
			 entity, a self-protected entity, or a provider of cybersecurity services
			 that—</text>
					<subparagraph id="ID65e20b67f5b0483ba795436562a0baf5"><enum>(A)</enum><text>possesses or is
			 eligible to obtain a security clearance, as determined by the Director of
			 National Intelligence; and</text>
					</subparagraph><subparagraph id="ID2c480fd44028408192d4dbcc3117ea9c"><enum>(B)</enum><text>is able to
			 demonstrate to the Director of National Intelligence that the provider or
			 entity can appropriately protect and use classified cybersecurity threat
			 indicators.</text>
					</subparagraph></paragraph><paragraph id="id5D084ACEA7244CD0B759EDC518D92AB1"><enum>(2)</enum><header>Countermeasure</header><text>The
			 term <term>countermeasure</term> means automated or manual actions with
			 defensive intent to modify or block data packets associated with electronic or
			 wire communications, internet traffic, program code, or other system traffic
			 transiting to or from or stored on an information system for the purpose of
			 protecting the information system from cybersecurity threats, conducted on an
			 information system owned or operated by or on behalf of the party to be
			 protected or operated by a private entity acting as a provider of electronic
			 communication services, remote computing services, or cybersecurity services to
			 the party to be protected.</text>
				</paragraph><paragraph id="idDB50BA2FA3284A389A4F56CC61474DA5"><enum>(3)</enum><header>Cybersecurity
			 exchange</header><text>The term <term>cybersecurity exchange</term> means any
			 governmental entity or private entity designated by the Secretary as a
			 cybersecurity exchange under section 703(a).</text>
				</paragraph><paragraph id="ID4a8e6d3a9a3b4263bb796707b53e33e6"><enum>(4)</enum><header>Cybersecurity
			 services</header><text>The term <term>cybersecurity services</term> means
			 products, goods, or services intended to detect, mitigate, or prevent
			 cybersecurity threats.</text>
				</paragraph><paragraph id="IDc86a5c2e17324b829d4a271451fdfbc7"><enum>(5)</enum><header>Cybersecurity
			 threat</header><text>The term <term>cybersecurity threat</term> means any
			 action that may result in unauthorized access to, exfiltration of, manipulation
			 of, or impairment to the integrity, confidentiality, or availability of an
			 information system or information that is stored on, processed by, or
			 transiting an information system.</text>
				</paragraph><paragraph id="IDe524728bedd847ba9fc0906e7b6ef5c5"><enum>(6)</enum><header>Cybersecurity
			 threat indicator</header><text>The term <term>cybersecurity threat
			 indicator</term> means information—</text>
					<subparagraph id="IDc555a9d64874402a9629656e89b7a5b8"><enum>(A)</enum><text>that may be
			 indicative of or describe—</text>
						<clause id="IDed6236d23bf04d07a48535fcccac4e3d"><enum>(i)</enum><text>malicious
			 reconnaissance, including anomalous patterns of communications that reasonably
			 appear to be transmitted for the purpose of gathering technical information
			 related to a cybersecurity threat;</text>
						</clause><clause id="ID9282ca7eebb9462e82978c9e4742e235"><enum>(ii)</enum><text>a
			 method of defeating a technical control;</text>
						</clause><clause id="ID314538b22faf49d28d1c389588f2932b"><enum>(iii)</enum><text>a
			 technical vulnerability;</text>
						</clause><clause id="ID55515f1caf99434992ff2909affe63b5"><enum>(iv)</enum><text>a
			 method of defeating an operational control;</text>
						</clause><clause id="IDa63626a5264b41cbb007f17a5a7546af"><enum>(v)</enum><text>a
			 method of causing a user with legitimate access to an information system or
			 information that is stored on, processed by, or transiting an information
			 system to unwittingly enable the defeat of a technical control or an
			 operational control;</text>
						</clause><clause id="IDa90f0ca6095f4738af0eff86190b2cd4"><enum>(vi)</enum><text>malicious cyber
			 command and control;</text>
						</clause><clause id="ID817a175af86a4adcb132e27dc7bcec7d"><enum>(vii)</enum><text>the actual or
			 potential harm caused by an incident, including information exfiltrated as a
			 result of subverting a technical control when it is necessary in order to
			 identify or describe a cybersecurity threat;</text>
						</clause><clause id="ID692b4d4aa4fc450aaee148c7797e52f3"><enum>(viii)</enum><text>any other
			 attribute of a cybersecurity threat, if disclosure of such attribute is not
			 otherwise prohibited by law; or</text>
						</clause><clause id="ID630f313946fe4c5e8f6011b27b294701"><enum>(ix)</enum><text>any combination
			 thereof; and</text>
						</clause></subparagraph><subparagraph id="IDb5c8c055f11d43a18cdf70aa82823554"><enum>(B)</enum><text>from which
			 reasonable efforts have been made to remove information that can be used to
			 identify specific persons unrelated to the cybersecurity threat.</text>
					</subparagraph></paragraph><paragraph id="IDcc449f4b25a04d058348294209dd19bb"><enum>(7)</enum><header>Federal
			 cybersecurity center</header><text>The term <quote>Federal cybersecurity
			 center</quote> means the Department of Defense Cyber Crime Center, the
			 Intelligence Community Incident Response Center, the United States Cyber
			 Command Joint Operations Center, the National Cyber Investigative Joint Task
			 Force, the National Security Agency/Central Security Service Threat Operations
			 Center, or the United States Computer Emergency Readiness Team, or any
			 successor to such a center.</text>
				</paragraph><paragraph id="id07EC9A05DE114A83B2BCAE02BD498AF8"><enum>(8)</enum><header>Federal
			 entity</header><text>The term <term>Federal entity</term> means a Federal
			 agency, or any component, officer, employee, or agent of a Federal
			 agency.</text>
				</paragraph><paragraph id="id170ED05C66154E34BFF7978F653A399A"><enum>(9)</enum><header>Governmental
			 entity</header><text>The term <quote>governmental entity</quote> means any
			 Federal entity and agency or department of a State, local, tribal, or
			 territorial government other than an educational institution, or any component,
			 officer, employee, or agent of such an agency or department.</text>
				</paragraph><paragraph id="ID742b384a16154fd9ba0c9985be18273d"><enum>(10)</enum><header>Information
			 system</header><text>The term <quote>information system</quote> means a
			 discrete set of information resources organized for the collection, processing,
			 maintenance, use, sharing, dissemination, or disposition of information,
			 including communications with, or commands to, specialized systems such as
			 industrial and process control systems, telephone switching and private branch
			 exchange, and environmental control systems.</text>
				</paragraph><paragraph id="IDdd248449939c4ade8fbf40858ff9b5f9"><enum>(11)</enum><header>Malicious
			 cyber command and control</header><text>The term <quote>malicious cyber command
			 and control</quote> means a method for remote identification of, access to, or
			 use of, an information system or information that is stored on, processed by,
			 or transiting an information system associated with a known or suspected
			 cybersecurity threat.</text>
				</paragraph><paragraph id="ID124909fd8f8c4dc7a4c9561551a0f6b0"><enum>(12)</enum><header>Malicious
			 reconnaissance</header><text>The term <quote>malicious reconnaissance</quote>
			 means a method for actively probing or passively monitoring an information
			 system for the purpose of discerning technical vulnerabilities of the
			 information system, if such method is associated with a known or suspected
			 cybersecurity threat.</text>
				</paragraph><paragraph id="ID6f2e8401b45b499795a13fc433e1a0a3"><enum>(13)</enum><header>Monitor</header><text>The
			 term <quote>monitor</quote> means the interception, acquisition, or collection
			 of information that is stored on, processed by, or transiting an information
			 system for the purpose of identifying cybersecurity threats.</text>
				</paragraph><paragraph id="ID01ad7c7cb45c496083d913c7697af5af"><enum>(14)</enum><header>Non-Federal
			 entity</header><text>The term <quote>non-Federal entity</quote> means a private
			 entity or a governmental entity other than a Federal entity.</text>
				</paragraph><paragraph id="id9808BBE1E56E4971BA0575AB6E811823"><enum>(15)</enum><header>Operational
			 control</header><text>The term <quote>operational control</quote> means a
			 security control for an information system that primarily is implemented and
			 executed by people.</text>
				</paragraph><paragraph id="ID1d7b780348664928841e6bd953223b4a"><enum>(16)</enum><header>Private
			 entity</header><text>The term <quote>private entity</quote> has the meaning
			 given the term <quote>person</quote> in section 1 of title 1, United States
			 Code, and does not include a governmental entity.</text>
				</paragraph><paragraph id="ID503470554a9b4e6b9006f5d378ef1a91"><enum>(17)</enum><header>Protect</header><text>The
			 term <quote>protect</quote> means actions undertaken to secure, defend, or
			 reduce the vulnerabilities of an information system, mitigate cybersecurity
			 threats, or otherwise enhance information security or the resiliency of
			 information systems or assets.</text>
				</paragraph><paragraph id="ID630b253ce53d410294f9da9f4a36bf36"><enum>(18)</enum><header>Protected
			 entity</header><text>The term <quote>protected entity</quote> means an entity,
			 other than an individual, that contracts with a provider of cybersecurity
			 services for goods or services to be used for cybersecurity purposes.</text>
				</paragraph><paragraph id="ID89e736e063c64c25868cb2b47f437d55"><enum>(19)</enum><header>Self-protected
			 entity</header><text>The term <quote>self-protected entity</quote> means an
			 entity, other than an individual, that provides cybersecurity services to
			 itself.</text>
				</paragraph><paragraph id="IDe6bc57b0596242aeb86cebb5168b8340"><enum>(20)</enum><header>Technical
			 control</header><text>The term <quote>technical control</quote> means a
			 hardware or software restriction on, or audit of, access or use of an
			 information system or information that is stored on, processed by, or
			 transiting an information system that is intended to ensure the
			 confidentiality, integrity, or availability of that system.</text>
				</paragraph><paragraph id="IDd07c8fed3fe14304a9f79e9c19abed93"><enum>(21)</enum><header>Technical
			 vulnerability</header><text>The term <quote>technical vulnerability</quote>
			 means any attribute of hardware or software that could enable or facilitate the
			 defeat of a technical control.</text>
				</paragraph><paragraph id="IDf557af75559d491f92f08a39483fe577"><enum>(22)</enum><header>Third
			 party</header><text>The term <quote>third party</quote> includes Federal
			 entities and non-Federal entities.</text>
				</paragraph></section></title><title id="id4F9EF245FE444340AC61D049E38C004B"><enum>VIII</enum><header>Public
			 Awareness Reports</header>
			<section id="id9621A9B421A34504A2397658D10ED9C9"><enum>801.</enum><header>Findings</header><text display-inline="no-display-inline">Congress finds the following:</text>
				<paragraph id="idAB8258E9D21B4D198CE0D1FF3C2B3ADB"><enum>(1)</enum><text display-inline="yes-display-inline">Information technology is central to the
			 effectiveness, efficiency, and reliability of the industry and commercial
			 services, Armed Forces and national security systems, and the critical
			 infrastructure of the United States.</text>
				</paragraph><paragraph id="ID7daac19c27bb43a3a313463b8b73cbe2"><enum>(2)</enum><text>Cyber criminals,
			 terrorists, and agents of foreign powers have taken advantage of the
			 connectivity of the United States to inflict substantial damage to the economic
			 and national security interests of the Nation.</text>
				</paragraph><paragraph id="ID04ba0c7c09f7415bb49da6404523551e"><enum>(3)</enum><text>The cybersecurity
			 threat is sophisticated, relentless, and massive, exposing all consumers in the
			 United States to the risk of substantial harm.</text>
				</paragraph><paragraph id="ID51bd4811ef7545028f777fe588f6c654"><enum>(4)</enum><text>Businesses in the
			 United States are bearing enormous losses as a result of criminal cyber
			 attacks, depriving businesses of hard-earned profits that could be reinvested
			 in further job-producing innovation.</text>
				</paragraph><paragraph id="ID9daf783ed3e34023b74ab0987f318896"><enum>(5)</enum><text>Hackers
			 continuously probe the networks of Federal and State agencies, the Armed
			 Forces, and the commercial industrial base of the Armed Forces, and already
			 have caused substantial damage and compromised sensitive and classified
			 information.</text>
				</paragraph><paragraph id="ID41d4e613046b473a8a4826cb3352f9cb"><enum>(6)</enum><text>Severe
			 cybersecurity threats will continue, and will likely grow, as the economy of
			 the United States grows more connected, criminals become increasingly
			 sophisticated in efforts to steal from consumers, industries, and businesses in
			 the United States, and terrorists and foreign nations continue to use
			 cyberspace as a means of attack against the national and economic security of
			 the United States.</text>
				</paragraph><paragraph id="ID8ddd3975b9ae415eb7a63114cf8733ad"><enum>(7)</enum><text>Public awareness
			 of cybersecurity threats is essential to cybersecurity defense. Only a
			 well-informed public and Congress can make the decisions necessary to protect
			 consumers, industries, and the national and economic security of the United
			 States.</text>
				</paragraph><paragraph id="IDcc677a67bef147d9ab8a86caa8a9f285"><enum>(8)</enum><text>As of 2012, the
			 level of public awareness of cybersecurity threats is unacceptably low. Only a
			 tiny portion of relevant cybersecurity information is released to the public.
			 Information about attacks on Federal Government systems is usually classified.
			 Information about attacks on private systems is ordinarily kept confidential.
			 Sufficient mechanisms do not exist to provide meaningful threat reports to the
			 public in unclassified and anonymized form.</text>
				</paragraph></section><section id="id1DFB1422EDC8475EB1A76115940EBFE0"><enum>802.</enum><header>Report on
			 cyber incidents against Government networks</header>
				<subsection id="idC3125B2F8AD94E638914F1EC15EB502C"><enum>(a)</enum><header>Department of
			 Homeland Security</header><text>Not later than 180 days after the date of
			 enactment of this Act, and annually thereafter, the Secretary shall submit to
			 Congress a report that—</text>
					<paragraph id="id7D24CB6F40AD4970BE82227BF0CE5DAC"><enum>(1)</enum><text>summarizes major
			 cyber incidents involving networks of Executive agencies (as defined in section
			 105 of title 5, United States Code), except for the Department of
			 Defense;</text>
					</paragraph><paragraph id="idFC49F36878CE4E33B4C806DEDAE48813"><enum>(2)</enum><text>provides
			 aggregate statistics on the number of breaches of networks of Executive
			 agencies, the volume of data exfiltrated, and the estimated cost of remedying
			 the breaches; and</text>
					</paragraph><paragraph id="IDc360fd504e6a4bef91c12f1483872f05"><enum>(3)</enum><text>discusses the
			 risk of cyber sabotage.</text>
					</paragraph></subsection><subsection id="id4B4E2B67640442C882AC4B1795679046"><enum>(b)</enum><header>Department of
			 Defense</header><text>Not later than 180 days after the date of enactment of
			 this Act, and annually thereafter, the Secretary of Defense shall submit to
			 Congress a report that—</text>
					<paragraph id="IDea267cbd08374b428fbb184e8eb3a79c"><enum>(1)</enum><text>summarizes major
			 cyber incidents against networks of the Department of Defense and the military
			 departments;</text>
					</paragraph><paragraph id="ID710a25d198a748978bf860c62556c3af"><enum>(2)</enum><text>provides
			 aggregate statistics on the number of breaches against networks of the
			 Department of Defense and the military departments, the volume of data
			 exfiltrated, and the estimated cost of remedying the breaches; and</text>
					</paragraph><paragraph id="ID9aa00fe667b34ac3899cab5fb5d7ca98"><enum>(3)</enum><text>discusses the
			 risk of cyber sabotage.</text>
					</paragraph></subsection><subsection id="id8F618495E3F44733B6D4D758EA4E1658"><enum>(c)</enum><header>Form of
			 reports</header><text>Each report submitted under this section shall be in
			 unclassified form, but may include a classified annex as necessary to protect
			 sources, methods, and national security.</text>
				</subsection></section><section id="id9DD9775D1FD24DF3933B951C3DDD0A4C"><enum>803.</enum><header>Reports on
			 prosecution for cybercrime</header>
				<subsection id="id6A2E58BBBF4D47A8886D23CBEE9337FF"><enum>(a)</enum><header>In
			 general</header><text>Not later than 180 days after the date of enactment of
			 this Act, the Attorney General and the Director of the Federal Bureau of
			 Investigation shall submit to Congress reports—</text>
					<paragraph id="ID7104228c72d74b93a2c10f3ead49c383"><enum>(1)</enum><text>describing
			 investigations and prosecutions by the Department of Justice relating to cyber
			 intrusions or other cybercrimes the preceding year, including—</text>
						<subparagraph id="ID150bddfb6eca4936bf1ef18a8ae4055a"><enum>(A)</enum><text>the number of
			 investigations initiated relating to such crimes;</text>
						</subparagraph><subparagraph id="ID325a16d3b64e4079aa20adebe327432a"><enum>(B)</enum><text>the number of
			 arrests relating to such crimes;</text>
						</subparagraph><subparagraph id="IDef31994656c64b288ce901c4a1d21c68"><enum>(C)</enum><text>the number and
			 description of instances in which investigations or prosecutions relating to
			 such crimes have been delayed or prevented because of an inability to extradite
			 a criminal defendant in a timely manner; and</text>
						</subparagraph><subparagraph id="ID31488c80d4334412a54ce4297cfff8c3"><enum>(D)</enum><text>the number of
			 prosecutions for such crimes, including—</text>
							<clause id="ID066e7fc285ef4d57b189ac7abc265829"><enum>(i)</enum><text>the
			 number of defendants prosecuted;</text>
							</clause><clause id="IDd08535ed6ef4480ab247c17dbbcace6a"><enum>(ii)</enum><text>whether the
			 prosecutions resulted in a conviction;</text>
							</clause><clause id="ID78a855ffc8c64d968e0778b00a571821"><enum>(iii)</enum><text>the sentence
			 imposed and the statutory maximum for each such crime for which a defendant was
			 convicted; and</text>
							</clause><clause id="IDcf76802edfbc452cbcb5c68b2f9b4b21"><enum>(iv)</enum><text>the average
			 sentence imposed for a conviction of such crimes;</text>
							</clause></subparagraph></paragraph><paragraph id="IDcc70b594f5314d40a91cac28ef8f7d72"><enum>(2)</enum><text>identifying the
			 number of employees, financial resources, and other resources (such as
			 technology and training) devoted to the enforcement, investigation, and
			 prosecution of cyber intrusions or other cybercrimes, including the number of
			 investigators, prosecutors, and forensic specialists dedicated to investigating
			 and prosecuting cyber intrusions or other cybercrimes; and</text>
					</paragraph><paragraph id="IDbb2b7a5c5fc3425282107691010ddf9e"><enum>(3)</enum><text>discussing any
			 impediments under the laws of the United States or international law to
			 prosecutions for cyber intrusions or other cybercrimes.</text>
					</paragraph></subsection><subsection id="ID3f0bf460455745be8f83ac9dcc6d60ec"><enum>(b)</enum><header>Updates</header><text>The
			 Attorney General and the Director of the Federal Bureau of Investigation shall
			 annually submit to Congress reports updating the reports submitted under
			 subsection (a) at the same time the Attorney General and Director submit annual
			 reports under section 404 of the Prioritizing Resources and Organization for
			 Intellectual Property Act of 2008 (42 U.S.C. 3713d).</text>
				</subsection></section><section id="IDec6b15807a434a079aadc4ba2fec9c12"><enum>804.</enum><header>Report on
			 research relating to secure domain</header>
				<subsection id="id8A320A52F74F41808C1AE08BC14381B4"><enum>(a)</enum><header>In
			 general</header><text>The Secretary shall enter into a contract with the
			 National Research Council, or another federally funded research and development
			 corporation, under which the Council or corporation shall submit to Congress
			 reports on available technical options, consistent with constitutional and
			 statutory privacy rights, for enhancing the security of the information
			 networks of entities that own or manage critical infrastructure through—</text>
					<paragraph id="ID3c00c6b405f84461822215f1d8c94c6f"><enum>(1)</enum><text>technical
			 improvements, including developing a secure domain; or</text>
					</paragraph><paragraph id="ID01840b8e42e048dc98e79ccd9fcbc100"><enum>(2)</enum><text>increased notice
			 of and consent to the use of technologies to scan for, detect, and defeat cyber
			 security threats, such as technologies used in a secure domain.</text>
					</paragraph></subsection><subsection id="IDa233691f672843f085f4dba945168621"><enum>(b)</enum><header>Timing</header><text>The
			 contract entered into under subsection (a) shall require that the report
			 described in subsection (a) be submitted—</text>
					<paragraph id="ID7ed54efb81b5437d8c77b56f40b21a25"><enum>(1)</enum><text>not later than
			 180 days after the date of enactment of this Act;</text>
					</paragraph><paragraph id="IDc5e811611b554e61bbaa4acb8d3543be"><enum>(2)</enum><text>annually, after
			 the first report submitted under subsection (a), for 3 years; and</text>
					</paragraph><paragraph id="IDcb95b3aeaa0c4f61a819f475e8821d9f"><enum>(3)</enum><text>more frequently,
			 as determined appropriate by the Secretary in response to new risks or
			 technologies that emerge.</text>
					</paragraph></subsection></section><section id="id816DAE20CBF14533927D138F96B9DFB2"><enum>805.</enum><header>Report on
			 preparedness of Federal courts to promote cybersecurity</header><text display-inline="no-display-inline">Not later than 180 days after the date of
			 enactment of this Act, the Attorney General, in coordination with the
			 Administrative Office of the United States Courts, shall submit to Congress a
			 report—</text>
				<paragraph id="ID01c82e59322b4e889b928013dd398705"><enum>(1)</enum><text>on whether
			 Federal courts have granted timely relief in matters relating to botnets and
			 other cybercrime and cyber security threats; and</text>
				</paragraph><paragraph id="IDb132241eb9cd4ed59f518dfafdaf130d"><enum>(2)</enum><text>that includes, as
			 appropriate, recommendations on changes or improvements to—</text>
					<subparagraph id="IDd8344460c1a749688365f89cd92eef32"><enum>(A)</enum><text>the Federal Rules
			 of Civil Procedure or the Federal Rules of Criminal Procedure;</text>
					</subparagraph><subparagraph id="ID4edcc91c637b4cde9d2c0b0d593cddab"><enum>(B)</enum><text>the training and
			 other resources available to support the Federal judiciary;</text>
					</subparagraph><subparagraph id="ID23b26843c19a4d04a68d28adde7959bb"><enum>(C)</enum><text>the capabilities
			 and specialization of courts to which such cases may be assigned; and</text>
					</subparagraph><subparagraph id="ID85cc2ca510b147629451bbf1355be17e"><enum>(D)</enum><text>Federal civil and
			 criminal laws.</text>
					</subparagraph></paragraph></section><section id="id92FC6DCE76264D6EACED8FD07B5549F0"><enum>806.</enum><header>Report on
			 impediments to public awareness</header><text display-inline="no-display-inline">Not later than 180 days after the date of
			 enactment of this Act, and annually thereafter for 3 years (or more frequently
			 if determined appropriate by the Secretary) the Secretary shall submit to
			 Congress a report on—</text>
				<paragraph id="IDd794e0f47dab434aae53c9edc37baf19"><enum>(1)</enum><text>legal or other
			 impediments to appropriate public awareness of—</text>
					<subparagraph id="ID4b6cd7288af84603bf417c06ab3d8b91"><enum>(A)</enum><text>the nature of,
			 methods of propagation of, and damage caused by common cyber security threats
			 such as computer viruses, phishing techniques, and malware;</text>
					</subparagraph><subparagraph id="ID77f1bb1e1ae94a9c819551f961d7e6c6"><enum>(B)</enum><text>the minimal
			 standards of computer security necessary for responsible Internet use;
			 and</text>
					</subparagraph><subparagraph id="IDd66e75a39d954ff18c37cc97cd37baba"><enum>(C)</enum><text>the availability
			 of commercial off the shelf technology that allows consumers to meet such
			 levels of computer security;</text>
					</subparagraph></paragraph><paragraph id="IDcdbcce7df0d44a74bd602db913835457"><enum>(2)</enum><text>a summary of the
			 plans of the Secretary to enhance public awareness of common cyber security
			 threats, including a description of the metrics used by the Department for
			 evaluating the efficacy of public awareness campaigns; and</text>
				</paragraph><paragraph id="ID2b59a83021f44f4c8642b7832591299c"><enum>(3)</enum><text>recommendations
			 for congressional actions to address these impediments to appropriate public
			 awareness of common cyber security threats.</text>
				</paragraph></section><section id="idB800AA73B89A4703842A6653E02578C8"><enum>807.</enum><header>Report on
			 protecting the electrical grid of the United States</header><text display-inline="no-display-inline">Not later than 180 days after the date of
			 enactment of this Act, the Secretary, in consultation with the Secretary of
			 Defense and the Director of National Intelligence, shall submit to Congress a
			 report on—</text>
				<paragraph id="ID516197ba03e34b5f9a242510c9f1b858"><enum>(1)</enum><text>the threat of a
			 cyber attack disrupting the electrical grid of the United States;</text>
				</paragraph><paragraph id="IDb426153aa60b42f8aa85cb4edafd7c1e"><enum>(2)</enum><text>the implications
			 for the national security of the United States if the electrical grid is
			 disrupted;</text>
				</paragraph><paragraph id="ID6b7ebd60eeeb4eaaaf5ba1bd4eb41e18"><enum>(3)</enum><text>the options
			 available to the United States and private sector entities to quickly
			 reconstitute electrical service to provide for the national security of the
			 United States, and, within a reasonable time frame, the reconstitution of all
			 electrical service within the United States; and</text>
				</paragraph><paragraph id="ID18c26082a8d846b4b8a5c0b3e1f700a1"><enum>(4)</enum><text>a plan to prevent
			 disruption of the electric grid of the United States caused by a cyber
			 attack.</text>
				</paragraph></section></title><title id="id1969E5C2828D4F5D93287BE784A4E085"><enum>IX</enum><header>International
			 cooperation</header>
			<section id="id688CC43888544A3FAB7B7DFAA329DFED"><enum>901.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text>
				<paragraph id="ID41f3175a64e741f38151519ee99aec17"><enum>(1)</enum><header>Computer
			 system; computer data</header><text>The terms <quote>computer system</quote>
			 and <quote>computer data</quote> have the meanings given those terms in chapter
			 I of the Convention on Cybercrime.</text>
				</paragraph><paragraph id="IDd2e3748f39da4d499681fddc01cedef1"><enum>(2)</enum><header>Convention on
			 Cybercrime</header><text>The term <quote>Convention on Cybercrime</quote> means
			 the Council of Europe’s Convention on Cybercrime, done at Budapest November 23,
			 2001 as ratified by the United States Senate on August 3, 2006 (Treaty 108–11)
			 with any relevant reservations or declarations.</text>
				</paragraph><paragraph id="IDf1da690785684aeebb04fcbc74bbe09c"><enum>(3)</enum><header>Cyber
			 issues</header><text>The term <term>cyber issues</term> means the full range of
			 international policies designed to ensure an open, interoperable, secure, and
			 reliable global information and communications infrastructure.</text>
				</paragraph><paragraph id="ID8ef61f58e5ce4720ba150a168d1eeab3"><enum>(4)</enum><header>Cybercrime</header><text>The
			 term <quote>cybercrime</quote> refers to criminal offenses relating to computer
			 systems or computer data described in the Convention on Cybercrime.</text>
				</paragraph><paragraph id="IDb471fe89b90742378935e9ba7f1bc122"><enum>(5)</enum><header>Relevant
			 Federal agencies</header><text>The term <quote>relevant Federal
			 agencies</quote> means any Federal agency that has responsibility for combating
			 cybercrime globally, including the Department of Commerce, the Department of
			 Homeland Security, the Department of Justice, the Department of State, the
			 Department of the Treasury, and the Office of the United States Trade
			 Representative.</text>
				</paragraph></section><section id="idAF0CC11AC02742A5A2EBFFF09E085AB1"><enum>902.</enum><header>Findings</header><text display-inline="no-display-inline">Congress finds the following:</text>
				<paragraph id="IDcd8b990edd964769b5b045900ae2c095"><enum>(1)</enum><text>On February 2,
			 2010, Admiral Dennis C. Blair, the Director of National Intelligence, testified
			 before the Select Committee on Intelligence of the Senate regarding the Annual
			 Threat Assessment of the U.S. Intelligence Community, stating <quote>The
			 national security of the United States, our economic prosperity, and the daily
			 functioning of our government are dependent on a dynamic public and private
			 information infrastructure, which includes tele-communications, computer
			 networks and systems, and the information residing within. This critical
			 infrastructure is severely threatened. . . . We cannot protect cyberspace
			 without a coordinated and collaborative effort that incorporates both the US
			 private sector and our international partners.</quote></text>
				</paragraph><paragraph id="ID9989c6c194974ee2905dd8855a4cf93b"><enum>(2)</enum><text>In a January 2010
			 speech on Internet freedom, Secretary of State Hillary Clinton stated:
			 <quote>Those who disrupt the free flow of information in our society, or any
			 other, pose a threat to our economy, our government, and our civil society.
			 Countries or individuals that engage in cyber attacks should face consequences
			 and international condemnation. In an Internet-connected world, an attack on
			 one nation’s networks can be an attack on all. And by reinforcing that message,
			 we can create norms of behavior among states and encourage respect for the
			 global networked commons.</quote></text>
				</paragraph><paragraph id="ID6116496704e8479bb18443f5eca7b863"><enum>(3)</enum><text>November 2011
			 marked the tenth anniversary of the Convention on Cybercrime, the only
			 multilateral agreement on cybercrime, to which the Senate provided advice and
			 consent on August 3, 2006, and which is currently ratified by over 30
			 countries.</text>
				</paragraph><paragraph id="IDf4fd04fa1e0340f7a835d366e68ce33e"><enum>(4)</enum><text>The May 2009
			 White House Cyberspace Policy Review asserts <quote>[t]he Nation also needs a
			 strategy for cybersecurity designed to shape the international environment and
			 bring like-minded nations together on a host of issues, such as technical
			 standards and acceptable legal norms regarding territorial jurisdiction,
			 sovereign responsibility, and use of force. International norms are critical to
			 establishing a secure and thriving digital infrastructure.</quote></text>
				</paragraph></section><section id="idEBD16752E8F446E9B457FBC3362383AF"><enum>903.</enum><header>Sense of
			 Congress</header><text display-inline="no-display-inline">It is the sense of
			 Congress that—</text>
				<paragraph id="ID0fdf15ef5efa4b17862f708430272322"><enum>(1)</enum><text>engagement with
			 other countries to advance the cyberspace objectives of the United States
			 should be an integral part of the conduct of United States foreign relations
			 and diplomacy;</text>
				</paragraph><paragraph id="ID162cfbda15304a60aaadc6030e4305df"><enum>(2)</enum><text>the cyberspace
			 objectives of the United States include the full range of cyber issues,
			 including issues related to governance, standards, cybersecurity, cybercrime,
			 international security, human rights, and the free flow of information;</text>
				</paragraph><paragraph id="ID6afe8b9c94bc497e84e6fbd7079b7adf"><enum>(3)</enum><text>it is in the
			 interest of the United States to work with other countries to build consensus
			 on principles and standards of conduct that protect computer systems and users
			 that rely on them, prevent and punish acts of cybercrime, and promote the free
			 flow of information;</text>
				</paragraph><paragraph id="ID89e8815523ec41f785d29c169423eec3"><enum>(4)</enum><text>a comprehensive
			 national cyberspace strategy must include tools for addressing threats to
			 computer systems and acts of cybercrime from sources and by persons outside the
			 United States;</text>
				</paragraph><paragraph id="IDbc788f8addcc40e9938a6c4d32854b30"><enum>(5)</enum><text>developing
			 effective solutions to international cyberspace threats requires engagement
			 with foreign countries on a bilateral basis and through relevant regional and
			 multilateral fora;</text>
				</paragraph><paragraph id="ID216dacbad047465fae5e16f5487d7216"><enum>(6)</enum><text>it is in the
			 interest of the United States to encourage the development of effective
			 frameworks for international cooperation to combat cyberthreats, and the
			 development of foreign government capabilities to combat cyberthreats;
			 and</text>
				</paragraph><paragraph id="ID176a301b4d71432d96f8c75c948682af"><enum>(7)</enum><text>the Secretary of
			 State, in consultation with other relevant Federal agencies, should develop and
			 lead Federal Government efforts to engage with other countries to advance the
			 cyberspace objectives of the United States, including efforts to bolster an
			 international framework of cyber norms, governance and deterrence.</text>
				</paragraph></section><section id="id4793D0AB051E4C1DA85AA8168938AC34"><enum>904.</enum><header>Coordination
			 of international cyber issues within the United States Government</header><text display-inline="no-display-inline">The Secretary of State is authorized to
			 designate a senior level official at the Department of State, to carry out the
			 Secretary’s responsibilities to—</text>
				<paragraph id="IDf600982b379f4ee7bcbaf9ebf4f4537b"><enum>(1)</enum><text>coordinate the
			 United States global diplomatic engagement on the full range of international
			 cyber issues, including building multilateral cooperation and developing
			 international norms, common policies, and responses to secure the integrity of
			 cyberspace;</text>
				</paragraph><paragraph id="IDfeee435a507849a7bb79ec82b9ab2ad0"><enum>(2)</enum><text>provide strategic
			 direction and coordination for United States Government policy and programs
			 aimed at addressing and responding to cyber issues overseas, especially in
			 relation to issues that affect United States foreign policy and related
			 national security concerns;</text>
				</paragraph><paragraph id="ID8f537d8548574abd8a00c272b246bdf1"><enum>(3)</enum><text>coordinate with
			 relevant Federal agencies, including the Department, the Department of Defense,
			 the Department of the Treasury, the Department of Justice, the Department of
			 Commerce, and the intelligence community to develop interagency plans regarding
			 international cyberspace, cybersecurity, and cybercrime issues; and</text>
				</paragraph><paragraph id="ID51780e3aa494448085145a1474daff09"><enum>(4)</enum><text>ensure that cyber
			 issues, including cybersecurity and cybercrime, are included in the
			 responsibilities of overseas Embassies and consulates of the United States, as
			 appropriate.</text>
				</paragraph></section><section id="IDbcf1e8b7f0244650b2fa209f60e39942"><enum>905.</enum><header>Consideration
			 of cybercrime in foreign policy and foreign assistance programs</header>
				<subsection id="IDc4c234dcb746460e8a852b974822868a"><enum>(a)</enum><header>Briefing</header>
					<paragraph id="IDd018ac8bf5b4490a81e6de71ba4001b8"><enum>(1)</enum><header>In
			 general</header><text>Not later than 1 year after the date of enactment of this
			 Act, the Secretary of State, after consultation with the heads of the relevant
			 Federal agencies, shall provide a comprehensive briefing to relevant
			 congressional committees—</text>
						<subparagraph id="ID4d8f051bf9244d41b2b91917cb1ff4a0"><enum>(A)</enum><text>assessing global
			 issues, trends, and actors considered to be significant with respect to
			 cybercrime;</text>
						</subparagraph><subparagraph id="IDa544c7e93144456f811bee748f4a7c71"><enum>(B)</enum><text>assessing, after
			 consultation with private industry groups, civil society organizations, and
			 other relevant domestic or multilateral organizations, which shall be selected
			 by the President based on an interest in combating cybercrime, means of
			 enhancing multilateral or bilateral efforts in areas of significance—</text>
							<clause id="ID3d0a7f8b161e40de8b07f2149485df69"><enum>(i)</enum><text>to
			 prevent and investigate cybercrime;</text>
							</clause><clause id="ID4bc358f81b2b4af2a4dd0dc2fa723594"><enum>(ii)</enum><text>to
			 develop and share best practices with respect to directly or indirectly
			 combating cybercrime; and</text>
							</clause><clause id="ID5abb1a93bad54455b54f7691e64e8af9"><enum>(iii)</enum><text>to cooperate
			 and take action with respect to the prevention, investigation, and prosecution
			 of cybercrime; and</text>
							</clause></subparagraph><subparagraph id="ID288a2e1094e04811baf4bafed9b51ebc"><enum>(C)</enum><text>describing the
			 steps taken by the United States to promote the multilateral or bilateral
			 efforts described in subparagraph (B).</text>
						</subparagraph></paragraph><paragraph id="IDdd0f80b4d12e4f65ac9beed6c0f9439c"><enum>(2)</enum><header>Contributions
			 from relevant Federal agencies</header><text>Not later than 30 days before the
			 date on which the briefing is to be provided under paragraph (1), the head of
			 each relevant Federal agency shall consult with and provide to the Secretary of
			 State relevant information appropriate for the briefing.</text>
					</paragraph></subsection><subsection id="IDfd00a8abab27468f8a88262b103a896e"><enum>(b)</enum><header>Periodic
			 updates</header><text>The Secretary of State shall provide updated information
			 highlighting significant developments relating to the issues described in
			 subsection (a), through periodic briefings to Congress.</text>
				</subsection><subsection id="ID80ce3ef7ddcf41c39da36394a182cb19"><enum>(c)</enum><header>Use of foreign
			 assistance programs</header>
					<paragraph id="ID65326d4ef36449e7869a233e653b1afb"><enum>(1)</enum><header>Foreign
			 assistance programs to combat cybercrime</header><text>The Secretary of State
			 is authorized to accord priority in foreign assistance to programs designed to
			 combat cybercrime in a region or program of significance in order to better
			 combat cybercrime by, among other things, improving the effectiveness and
			 capacity of the legal and judicial systems and the capabilities of law
			 enforcement agencies with respect to cybercrime.</text>
					</paragraph><paragraph id="IDbcc926f74c2f4e88a05717940e9ad93d"><enum>(2)</enum><header>Sense of the
			 Congress with respect to bilateral and multilateral assistance</header><text>It
			 is the sense of Congress that the Secretary of State should include programs
			 designed to combat cybercrime in relevant bilateral or multilateral assistance
			 programs administered or supported by the United States Government.</text>
					</paragraph></subsection></section></title></legis-body>
	<endorsement>
		<action-date>February 15, 2012</action-date>
		<action-desc>Read the second time and placed on the
		  calendar</action-desc>
	</endorsement>
</bill>
