113 HR 1468 IH: Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2013
U.S. House of Representatives
2013-04-10
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.Short title; table of
contents
(a)This Act may be cited as the Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2013
or SECURE
IT
.
(b)The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
Title I—Facilitating sharing of cyber threat
information
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat
information.
Sec. 103. Information sharing by the Federal
Government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
Title II—Coordination of Federal information security
policy
Sec. 201. Coordination of Federal information security
policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
Title III—Criminal penalties
Sec. 301. Penalties for fraud and related activity in
connection with computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud
offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related
activity in connection with computers.
Sec. 305. Damage to critical infrastructure
computers.
Sec. 306. Limitation on actions involving unauthorized
use.
Sec. 307. No new funding.
Title IV—Cybersecurity research and development
Sec. 401. National High-Performance Computing Program planning
and coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information
technology, including high performance computing.
Sec. 405. Conforming and technical amendments to the
High-Performance Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service
program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical
standards.
Sec. 409. Identity management research and
development.
Sec. 410. Federal cybersecurity research and
development.
Title V—Data Security and Breach Notification
Sec. 501. Requirements for information security.
Sec. 502. Notification of information security
breach.
Sec. 503. Application and enforcement.
Sec. 504. Definitions.
Sec. 505. Effect on other laws.
Sec. 506. Effective date.
<enum>I</enum><header>Facilitating
sharing of cyber threat information</header>
<section id="HD5B34E727139438F9FCB72E33E995E76" section-type="subsequent-section"><enum>101.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text>
<paragraph id="HA99E8A46E533485393572ABA05D48041"><enum>(1)</enum><header>Agency</header><text>The
term <term>agency</term> has the meaning given the term in section 3502 of
title 44, United States Code.</text>
</paragraph><paragraph id="H89754381D7A94F3C98FD846B18D5E7F4"><enum>(2)</enum><header>Antitrust
laws</header><text>The term <term>antitrust laws</term>—</text>
<subparagraph id="HCF943B4F1C35457CBD76876F5D5FFEA8"><enum>(A)</enum><text>has the meaning
given the term in section 1(a) of the Clayton Act (<external-xref legal-doc="usc" parsable-cite="usc/15/12">15 U.S.C. 12(a)</external-xref>);</text>
</subparagraph><subparagraph id="H486F7FB6941C4A0FB093EDB80DB3D261"><enum>(B)</enum><text>includes section 5
of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45</external-xref>) to the extent that section 5
of that Act applies to unfair methods of competition; and</text>
</subparagraph><subparagraph id="H9452C46911084E2A8F8A7E25C8E65B38"><enum>(C)</enum><text>includes any State
law that has the same intent and effect as the laws under subparagraphs (A) and
(B).</text>
</subparagraph></paragraph><paragraph id="H441EA4EFA78B47F3BF3E3C8A45296095"><enum>(3)</enum><header>Countermeasure</header><text>The
term <term>countermeasure</term> means an automated or a manual action with
defensive intent to mitigate cyber threats.</text>
</paragraph><paragraph id="HE529C1225F004DB1BEE621C0E65B594D"><enum>(4)</enum><header>Cyber threat
information</header><text>The term <term>cyber threat information</term> means
information that indicates or describes—</text>
<subparagraph id="HEA50DC821DE447B788850EAE7EEB3707"><enum>(A)</enum><text>a technical or
operation vulnerability or a cyber threat mitigation measure;</text>
</subparagraph><subparagraph id="H5F15DFA745A04C17ACA0E9B0EF439952"><enum>(B)</enum><text>an action or
operation to mitigate a cyber threat;</text>
</subparagraph><subparagraph id="H65E59106C9934F658904B46A9640F7E1"><enum>(C)</enum><text>malicious
reconnaissance, including anomalous patterns of network activity that appear to
be transmitted for the purpose of gathering technical information related to a
cybersecurity threat;</text>
</subparagraph><subparagraph id="HE4494ECE1DEA44D1AE8CA40C097D9140"><enum>(D)</enum><text>a method of
defeating a technical control;</text>
</subparagraph><subparagraph id="HF99C61B5BDAF4449BD9A02F0F30F878B"><enum>(E)</enum><text>a method of
defeating an operational control;</text>
</subparagraph><subparagraph id="H18A8FC120B8C4E36B3A2792DA6191C77"><enum>(F)</enum><text>network activity
or protocols known to be associated with a malicious cyber actor or that
signify malicious cyber intent;</text>
</subparagraph><subparagraph id="H7FE91E45FDF041F3819C72A7F82E5B7B"><enum>(G)</enum><text>a method of
causing a user with legitimate access to an information system or information
that is stored on, processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational control;</text>
</subparagraph><subparagraph id="H6060D713F44E459E88E8D03CD4E7CB02"><enum>(H)</enum><text>any other
attribute of a cybersecurity threat or cyber defense information that would
foster situational awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise prohibited by
law;</text>
</subparagraph><subparagraph id="HB16CD081D4E14AB4AC7C5E1A60F8820B"><enum>(I)</enum><text>the actual or
potential harm caused by a cyber incident, including information exfiltrated
when it is necessary in order to identify or describe a cybersecurity threat;
or</text>
</subparagraph><subparagraph id="H557F6ADC9E6A41FBA3AE796B769D614D"><enum>(J)</enum><text>any combination of
subparagraphs (A) through (I).</text>
</subparagraph></paragraph><paragraph id="H2D10BA2D2A944E7AB33E109C73AEE7CB"><enum>(5)</enum><header>Cybersecurity
center</header><text>The term <term>cybersecurity center</term> means the
Department of Defense Cyber Crime Center, the Intelligence Community Incident
Response Center, the United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National Security
Agency/Central Security Service Threat Operations Center, the National
Cybersecurity and Communications Integration Center, and any successor
center.</text>
</paragraph><paragraph id="H620D5ED0945A4071823A0D1C7D62654E"><enum>(6)</enum><header>Cybersecurity
system</header><text>The term <term>cybersecurity system</term> means a system
designed or employed to ensure the integrity, confidentiality, or availability
of, or to safeguard, a system or network, including measures intended to
protect a system or network from—</text>
<subparagraph id="HA285375A0F434F07AC0E2A00EC59933D"><enum>(A)</enum><text>efforts to
degrade, disrupt, or destroy such system or network; or</text>
</subparagraph><subparagraph id="H604BBF6199CC43D2A71265EDD9A6E75A"><enum>(B)</enum><text>theft or
misappropriations of private or government information, intellectual property,
or personally identifiable information.</text>
</subparagraph></paragraph><paragraph id="H299E5E2C5A494B20B35823D90869AEC7"><enum>(7)</enum><header>Entity</header>
<subparagraph id="HCE53CD2A643E4D339F13E874EE42B331"><enum>(A)</enum><header>In
general</header><text>The term <term>entity</term> means any private entity,
non-Federal Government agency or department, or State, tribal, or local
government agency or department (including an officer, employee, or agent
thereof).</text>
</subparagraph><subparagraph id="HAE55D72A699046C3B4474388AD77F6BB"><enum>(B)</enum><header>Inclusions</header><text>The
term <term>entity</term> includes a government agency or department (including
an officer, employee, or agent thereof) of the District of Columbia, the
Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or possession of the United
States.</text>
</subparagraph></paragraph><paragraph id="HE143EEBCFA004C58B6E6E840D62B0911"><enum>(8)</enum><header>Federal
information system</header><text>The term <term>Federal information
system</term> means an information system of a Federal department or agency
used or operated by an executive agency, by a contractor of an executive
agency, or by another organization on behalf of an executive agency.</text>
</paragraph><paragraph id="H47F32BA922CF4BB6A5051D0AD79BE1D2"><enum>(9)</enum><header>Information
security</header><text>The term <term>information security</term> means
protecting information and information systems from disruption or unauthorized
access, use, disclosure, modification, or destruction in order to
provide—</text>
<subparagraph id="H0608508E45DB439380A8CE5C13482526"><enum>(A)</enum><text>integrity, by
guarding against improper information modification or destruction, including by
ensuring information nonrepudiation and authenticity;</text>
</subparagraph><subparagraph id="H452CF0EB8A054E30AE476594134EEEDE"><enum>(B)</enum><text>confidentiality,
by preserving authorized restrictions on access and disclosure, including means
for protecting personal privacy and proprietary information; or</text>
</subparagraph><subparagraph id="H7396FF92C4AC4F9C9445D157406DE5B7"><enum>(C)</enum><text>availability, by
ensuring timely and reliable access to and use of information.</text>
</subparagraph></paragraph><paragraph id="H056C8CF638964D8B9D4976274E9B12FE"><enum>(10)</enum><header>Information
system</header><text>The term <term>information system</term> has the meaning
given the term in <external-xref legal-doc="usc" parsable-cite="usc/44/3502">section 3502</external-xref> of title 44, United States Code.</text>
</paragraph><paragraph id="H733B625221014D2BAFABF5C627F32425"><enum>(11)</enum><header>Local
government</header><text>The term <term>local government</term> means any
borough, city, county, parish, town, township, village, or other general
purpose political subdivision of a State.</text>
</paragraph><paragraph id="H567BB1FEC49D4D17B3D724101EEAEA72"><enum>(12)</enum><header>Malicious
reconnaissance</header><text>The term <term>malicious reconnaissance</term>
means a method for actively probing or passively monitoring an information
system for the purpose of discerning technical vulnerabilities of the
information system, if such method is associated with a known or suspected
cybersecurity threat.</text>
</paragraph><paragraph id="HA366D0D14C5E4D5784DC8EC764393878"><enum>(13)</enum><header>Operational
control</header><text>The term <term>operational control</term> means a
security control for an information system that primarily is implemented and
executed by people.</text>
</paragraph><paragraph id="H134F2D503F1A467B80A67DFA98E401F3"><enum>(14)</enum><header>Operational
vulnerability</header><text>The term <term>operational vulnerability</term>
means any attribute of policy, process, or procedure that could enable or
facilitate the defeat of an operational control.</text>
</paragraph><paragraph id="H0A907BAEABCD442BA1C315C00F3522BE"><enum>(15)</enum><header>Private
entity</header><text>The term <term>private entity</term> means any individual
or any private group, organization, or corporation, including an officer,
employee, or agent thereof.</text>
</paragraph><paragraph id="H129B3DA88C914F9C9186D7AB2B4B2B59"><enum>(16)</enum><header>Significant
cyber incident</header><text>The term <term>significant cyber incident</term>
means a cyber incident resulting in, or an attempted cyber incident that, if
successful, would have resulted in—</text>
<subparagraph id="HF3CB2339D99E4CB99BF4A93AD20BDE56"><enum>(A)</enum><text>the exfiltration
from a Federal information system of data that is essential to the operation of
the Federal information system; or</text>
</subparagraph><subparagraph id="H53726529EE9B4772B55E35D538E4605A"><enum>(B)</enum><text>an incident in
which an operational or technical control essential to the security or
operation of a Federal information system was defeated.</text>
</subparagraph></paragraph><paragraph id="H35E8EA1D76AB4250AC9606567F4219CC"><enum>(17)</enum><header>Technical
control</header><text>The term <term>technical control</term> means a hardware
or software restriction on, or audit of, access or use of an information system
or information that is stored on, processed by, or transiting an information
system that is intended to ensure the confidentiality, integrity, or
availability of that system.</text>
</paragraph><paragraph id="H6C2623FB9B4C44C8907FDEC4201C07EE"><enum>(18)</enum><header>Technical
vulnerability</header><text>The term <term>technical vulnerability</term> means
any attribute of hardware or software that could enable or facilitate the
defeat of a technical control.</text>
</paragraph><paragraph id="HA55BE3107ABB4978A726A4422F964447"><enum>(19)</enum><header>Tribal</header><text>The
term <term>tribal</term> has the meaning given the term <term>Indian
tribe</term> in section 4 of the Indian Self-Determination and Education
Assistance Act (<external-xref legal-doc="usc" parsable-cite="usc/25/450b">25 U.S.C. 450b</external-xref>).</text>
</paragraph></section><section id="HE01F5F211C764797B7DC84CF9B739EA6"><enum>102.</enum><header>Authorization
to share cyber threat information</header>
<subsection id="H212D1F461CDB4F1B8773A96D354AF48A"><enum>(a)</enum><header>Voluntary
disclosure</header>
<paragraph id="H0827523590634D389E6C646AAAAF489C"><enum>(1)</enum><header>Private
entities</header><text>Notwithstanding any other provision of law, a private
entity may, for the purpose of preventing, investigating, or otherwise
mitigating threats to information security, on its own networks, or as
authorized by another entity, on such entity’s networks, employ countermeasures
and use cybersecurity systems in order to obtain, identify, or otherwise
possess cyber threat information.</text>
</paragraph><paragraph id="H95B0D9551DF44D28A027EA1FE3EA61D1"><enum>(2)</enum><header>Entities</header><text>Notwithstanding
any other provision of law, an entity may disclose cyber threat information
to—</text>
<subparagraph id="H562827859B1F4B0E97691B3382BDA4CD"><enum>(A)</enum><text>a cybersecurity
center; or</text>
</subparagraph><subparagraph id="HEF3EE213CE1845C69F7C9652E2436E98"><enum>(B)</enum><text>any other entity
in order to assist with preventing, investigating, or otherwise mitigating
threats to information security.</text>
</subparagraph></paragraph><paragraph id="H5F77B59001D8425DB02DBE788391FAC0"><enum>(3)</enum><header>Information
security providers</header><text>If the cyber threat information described in
paragraph (1) is obtained, identified, or otherwise possessed in the course of
providing information security products or services under contract to another
entity, that entity shall be given, at any time prior to disclosure of such
information, a reasonable opportunity to authorize or prevent such disclosure,
to request anonymization of such information, or to request that reasonable
efforts be made to safeguard such information that identifies specific persons
from unauthorized access or disclosure.</text>
</paragraph></subsection><subsection id="H635CEBCF472B4186ACD00AAFB319C092"><enum>(b)</enum><header>Significant
cyber incidents involving Federal information systems</header>
<paragraph id="HBBD7EDB0CC184179AE001EF01C721A21"><enum>(1)</enum><header>In
general</header><text>An entity providing electronic communication services,
remote computing services, or information security services to a Federal
department or agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information system of that
Federal department or agency that—</text>
<subparagraph id="HE75D4960848E452AA2A9DBA745F6BF9A"><enum>(A)</enum><text>is directly known
to the entity as a result of providing such services;</text>
</subparagraph><subparagraph id="H6A148BF258D644F2B9956DBBD970E419"><enum>(B)</enum><text>is directly
related to the provision of such services by the entity; and</text>
</subparagraph><subparagraph id="HAD4DEAABD83448BCAC8CBB8A21FFBF07"><enum>(C)</enum><text>as determined by
the entity, has impeded or will impede the performance of a critical mission of
the Federal department or agency.</text>
</subparagraph></paragraph><paragraph id="H7AAAD827ECDD4BA79583C5CAB2B9334B"><enum>(2)</enum><header>Advance
coordination</header><text>A Federal department or agency receiving the
services described in paragraph (1) shall coordinate in advance with an entity
described in paragraph (1) to develop the parameters of any information that
may be provided under paragraph (1), including clarification of the type of
significant cyber incident that will impede the performance of a critical
mission of the Federal department or agency.</text>
</paragraph><paragraph id="HEEF23013F27B47ACB17C7D41F3B1C7C9"><enum>(3)</enum><header>Report</header><text>A
Federal department or agency shall report information provided under this
subsection to a cybersecurity center.</text>
</paragraph><paragraph id="H05EF0741470E47E48B7C7664D0E750C2"><enum>(4)</enum><header>Construction</header><text>Any
information provided to a cybersecurity center under paragraph (3) shall be
treated in the same manner as information provided to a cybersecurity center
under subsection (a).</text>
</paragraph></subsection><subsection id="HC55C8EF39D2C485193DF59EC99D7DC1A"><enum>(c)</enum><header>Information
shared with or provided to a cybersecurity center</header><text>Cyber threat
information provided to a cybersecurity center under this section—</text>
<paragraph id="H4AD287DF722C44179F9E6B0897FD4537"><enum>(1)</enum><text>may be disclosed
to, retained by, and used by, consistent with otherwise applicable Federal law,
any Federal agency or department, component, officer, employee, or agent of the
Federal Government for a cybersecurity purpose, a national security purpose, or
in order to prevent, investigate, or prosecute any of the offenses listed in
<external-xref legal-doc="usc" parsable-cite="usc/18/2516">section 2516</external-xref> of title 18, United States Code, and such information shall not be
disclosed to, retained by, or used by any Federal agency or department for any
use not permitted under this paragraph;</text>
</paragraph><paragraph id="H289FABA450E14301967AD5C24555A005"><enum>(2)</enum><text>may, with the
prior written consent of the entity submitting such information, be disclosed
to and used by a State, tribal, or local government or government agency for
the purpose of protecting information systems, or in furtherance of preventing,
investigating, or prosecuting a criminal act, except that if the need for
immediate disclosure prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such consent;</text>
</paragraph><paragraph id="H448C26D9E4474235BBA137B49D5B5A63"><enum>(3)</enum><text>shall be
considered the commercial, financial, or proprietary information of the entity
providing such information to the Federal Government and any disclosure outside
the Federal Government may only be made upon the prior written consent by such
entity and shall not constitute a waiver of any applicable privilege or
protection provided by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be provided orally with
subsequent documentation of such consent;</text>
</paragraph><paragraph id="HACEA56642ADC499885936C2CFB1CA2AC"><enum>(4)</enum><text>shall be deemed
voluntarily shared information and exempt from disclosure under section 552 of
title 5, United States Code, and any State, tribal, or local law requiring
disclosure of information or records;</text>
</paragraph><paragraph id="H90EB82655A774A7FB101DA90C26A651C"><enum>(5)</enum><text>shall be, without
discretion, withheld from the public under <external-xref legal-doc="usc" parsable-cite="usc/5/552">section 552(b)(3)(B)</external-xref> of title 5,
United States Code, and any State, tribal, or local law requiring disclosure of
information or records;</text>
</paragraph><paragraph id="HD0F281F0B3044CF996A3E1CC2508A344"><enum>(6)</enum><text>shall not be
subject to the rules of any Federal agency or department or any judicial
doctrine regarding ex parte communications with a decisionmaking
official;</text>
</paragraph><paragraph id="HC0E8E5610D9348EF93A9A2F5FC2088EB"><enum>(7)</enum><text>shall not, if
subsequently provided to a State, tribal, or local government or government
agency, otherwise be disclosed or distributed to any entity by such State,
tribal, or local government or government agency without the prior written
consent of the entity submitting such information, notwithstanding any State,
tribal, or local law requiring disclosure of information or records, except
that if the need for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent documentation of such
consent; and</text>
</paragraph><paragraph id="HAD76B2F200494B9F99B5A5F3F7E0EA1F"><enum>(8)</enum><text>shall not be
directly used by any Federal, State, tribal, or local department or agency to
regulate the lawful activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat information,
except that the procedures required to be developed and implemented under this
title shall not be considered regulations within the meaning of this
paragraph.</text>
</paragraph></subsection><subsection id="HDA8145D69A714087ADF9C27AE18B1FEC"><enum>(d)</enum><header>Procedures
relating to information sharing with a cybersecurity center</header><text>Not
later than 60 days after the date of enactment of this Act, the heads of each
department or agency containing a cybersecurity center shall jointly develop,
promulgate, and submit to Congress procedures to ensure that cyber threat
information shared with or provided to—</text>
<paragraph id="HBEB3C042CE454EA4A3BBE46B26AD2C88"><enum>(1)</enum><text>a
cybersecurity center under this section—</text>
<subparagraph id="H1ED2E87EAC4C41ED864F352841777B37"><enum>(A)</enum><text>may be submitted
to a cybersecurity center by an entity, to the greatest extent possible,
through a uniform, publicly available process or format that is easily
accessible on the website of such cybersecurity center, and that includes the
ability to provide relevant details about the cyber threat information and
written consent to any subsequent disclosures authorized by this
paragraph;</text>
</subparagraph><subparagraph id="H017CDEBFA06B4F7F9FED39E610FBF53B"><enum>(B)</enum><text>shall immediately
be further shared with each cybersecurity center in order to prevent,
investigate, or otherwise mitigate threats to information security across the
Federal Government;</text>
</subparagraph><subparagraph id="HDB70D57830C9468AB6A78E5727FFF14C"><enum>(C)</enum><text>is handled by the
Federal Government in a reasonable manner, including consideration of the need
to protect the privacy and civil liberties of individuals through anonymization
or other appropriate methods, while fully accomplishing the objectives of this
title, and the Federal Government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil liberties of the sharing
of cyber threat information with the Federal Government; and</text>
</subparagraph><subparagraph id="H2576AE7267414BCDB99DA524EC97CA9D"><enum>(D)</enum><text>except as provided
in this section, shall only be used, disclosed, or handled in accordance with
the provisions of subsection (c); and</text>
</subparagraph></paragraph><paragraph id="HC4A93C788D2F4211BE869501BE05F959"><enum>(2)</enum><text>a
Federal agency or department under subsection (b) is provided immediately to a
cybersecurity center in order to prevent, investigate, or otherwise mitigate
threats to information security across the Federal Government.</text>
</paragraph></subsection><subsection id="H9B99444018AF4BACBF10AD040E8B3232"><enum>(e)</enum><header>Information
shared between entities</header>
<paragraph id="H8893C93C355F42A7B2AF5C6DB8E2FFA7"><enum>(1)</enum><header>In
general</header><text>An entity sharing cyber threat information with another
entity under this title may restrict the use or sharing of such information by
such other entity.</text>
</paragraph><paragraph id="H3B35E1F606454C8986F206430399440E"><enum>(2)</enum><header>Further
sharing</header><text>Cyber threat information shared by any entity with
another entity under this title—</text>
<subparagraph id="HA4FCBFF898FA48EDB71879CDDE483126"><enum>(A)</enum><text>shall only be
further shared in accordance with any restrictions placed on the sharing of
such information by the entity authorizing such sharing, such as appropriate
anonymization of such information; and</text>
</subparagraph><subparagraph id="H37CB81F6CFD24F068C6923A420D29CB6"><enum>(B)</enum><text>may not be used by
any entity to gain an unfair competitive advantage to the detriment of the
entity authorizing the sharing of such information, except that the conduct
described in paragraph (3) shall not constitute unfair competitive
conduct.</text>
</subparagraph></paragraph><paragraph id="H00B614987D01483B9D05592758B886C8"><enum>(3)</enum><header>Information
shared with State, tribal, or local government or government
agency</header><text>Cyber threat information shared with a State, tribal, or
local government or government agency under this title—</text>
<subparagraph id="HD8E12B2F29D14BEFB9B39ADBB30628DE"><enum>(A)</enum><text>may, with the
prior written consent of the entity sharing such information, be disclosed to
and used by a State, tribal, or local government or government agency for the
purpose of protecting information systems, or in furtherance of preventing,
investigating, or prosecuting a criminal act, except if the need for immediate
disclosure prevents obtaining written consent, consent may be provided orally
with subsequent documentation of the consent;</text>
</subparagraph><subparagraph id="H4DC5789D259C4A5084943C4297A3A91F"><enum>(B)</enum><text>shall be deemed
voluntarily shared information and exempt from disclosure under any State,
tribal, or local law requiring disclosure of information or records;</text>
</subparagraph><subparagraph id="HEBFDCDCFE6A04054AD5AF238FB3F21CC"><enum>(C)</enum><text>shall not be
disclosed or distributed to any entity by the State, tribal, or local
government or government agency without the prior written consent of the entity
submitting such information, notwithstanding any State, tribal, or local law
requiring disclosure of information or records, except if the need for
immediate disclosure prevents obtaining written consent, consent may be
provided orally with subsequent documentation of the consent; and</text>
</subparagraph><subparagraph id="HA4EEAA5BBE2B4ED9BF6B73A4C99A84D8"><enum>(D)</enum><text>shall not be
directly used by any State, tribal, or local department or agency to regulate
the lawful activities of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat information, except that the
procedures required to be developed and implemented under this title shall not
be considered regulations within the meaning of this subparagraph.</text>
</subparagraph></paragraph><paragraph id="H46D982BFC12E49A9ACA73061F0135440"><enum>(4)</enum><header>Antitrust
exemption</header><text>The exchange or provision of cyber threat information
or assistance between 2 or more private entities under this title shall not be
considered a violation of any provision of antitrust laws if exchanged or
provided in order to assist with—</text>
<subparagraph id="H2D5B500486B743928AA9AA18CAAA6378"><enum>(A)</enum><text>facilitating the
prevention, investigation, or mitigation of threats to information security;
or</text>
</subparagraph><subparagraph id="H1A032CBFDA154F849B35E9E8A442021E"><enum>(B)</enum><text>communicating or
disclosing of cyber threat information to help prevent, investigate or
otherwise mitigate the effects of a threat to information security.</text>
</subparagraph></paragraph><paragraph id="H8DFB473FB6A249E0AA7FE5B81C098F93"><enum>(5)</enum><header>No right or
benefit</header><text>The provision of cyber threat information to an entity
under this section shall not create a right or a benefit to similar information
by such entity or any other entity.</text>
</paragraph></subsection><subsection id="HE6261ADC1A094E1785BC53894433D83C"><enum>(f)</enum><header>Federal
preemption</header>
<paragraph id="H6CC1C29D82394E8ABB2559C12E7E4341"><enum>(1)</enum><header>In
general</header><text>This section supersedes any statute or other law of a
State or political subdivision of a State that restricts or otherwise expressly
regulates an activity authorized under this section.</text>
</paragraph><paragraph id="H52D3C9B5588545ECB95EA7588A658582"><enum>(2)</enum><header>State law
enforcement</header><text>Nothing in this section shall be construed to
supersede any statute or other law of a State or political subdivision of a
State concerning the use of authorized law enforcement techniques.</text>
</paragraph><paragraph id="H3A39FC2CD7304E78808171D2631CAFEB"><enum>(3)</enum><header>Public
disclosure</header><text>No information shared with or provided to a State,
tribal, or local government or government agency pursuant to this section shall
be made publicly available pursuant to any State, tribal, or local law
requiring disclosure of information or records.</text>
</paragraph></subsection><subsection id="H7D77528AEA6E4ACBB01944D2BF3F2DDF"><enum>(g)</enum><header>Civil and
criminal liability</header>
<paragraph id="HACBC17EF04F14C3FB7F4B1D6B5F85BE4"><enum>(1)</enum><header>General
protections</header>
<subparagraph id="H6C1C200C256E474C872BB575350BDFC1"><enum>(A)</enum><header>Private
entities</header><text>No cause of action shall lie or be maintained in any
court against any private entity for—</text>
<clause id="H1AE6AC91AFE74073A5F85B0BFC39DD25"><enum>(i)</enum><text>the
use of countermeasures and cybersecurity systems as authorized by this
title;</text>
</clause><clause id="H96AD0C244A134CDC8B9AB08E7E53A2B3"><enum>(ii)</enum><text>the
use, receipt, or disclosure of any cyber threat information as authorized by
this title; or</text>
</clause><clause id="H35675CB5A79E4F5090CEB50E565BFE8F"><enum>(iii)</enum><text>the subsequent
actions or inactions of any lawful recipient of cyber threat information
provided by such private entity.</text>
</clause></subparagraph><subparagraph id="H087C704AF20B48EBA90811DD40F579A1"><enum>(B)</enum><header>Entities</header><text>No
cause of action shall lie or be maintained in any court against any entity
for—</text>
<clause id="HCDD4B57E6674470FAAEDE64F3D2A3B94"><enum>(i)</enum><text>the
use, receipt, or disclosure of any cyber threat information as authorized by
this title; or</text>
</clause><clause id="H26D03EFAE440413488EB32C243B0F8E4"><enum>(ii)</enum><text>the
subsequent actions or inactions of any lawful recipient of cyber threat
information provided by such entity.</text>
</clause></subparagraph></paragraph><paragraph id="H86CE93B720C14AB88DEB9C4072D42EB0"><enum>(2)</enum><header>Construction</header><text>Nothing
in this subsection shall be construed as creating any immunity against, or
otherwise affecting, any action brought by the Federal Government, or any
agency or department thereof, to enforce any law, Executive order, or procedure
governing the appropriate handling, disclosure, and use of classified
information.</text>
</paragraph></subsection><subsection id="HE47FB2810FB3473AA06A58B227B0C7F6"><enum>(h)</enum><header>Otherwise lawful
disclosures</header><text>Nothing in this section shall be construed to limit
or prohibit otherwise lawful disclosures of communications, records, or other
information by a private entity to any other governmental or private entity not
covered under this section.</text>
</subsection><subsection id="H127153663E294359B182C2BF2A2E7687"><enum>(i)</enum><header>Whistleblower
protection</header><text>Nothing in this Act shall be construed to preempt or
preclude any employee from exercising rights currently provided under any
whistleblower law, rule, or regulation.</text>
</subsection><subsection id="H90CC7CF7475E4EDF986A4521BA2EA695"><enum>(j)</enum><header>Relationship to
Other Laws</header><text>The submission of cyber threat information under this
section to a cybersecurity center shall not affect any requirement under any
other provision of law for an entity to provide information to the Federal
Government.</text>
</subsection></section><section id="HC00A92DFD0A14170B39944371814BABA"><enum>103.</enum><header>Information
sharing by the Federal Government</header>
<subsection id="HE61375FFB346430D92DB390BEFC13748"><enum>(a)</enum><header>Classified
information</header>
<paragraph id="H4D28B0D051884CE1987673372FC17BCA"><enum>(1)</enum><header>Procedures</header><text>Consistent
with the protection of intelligence sources and methods, and as otherwise
determined appropriate, the Director of National Intelligence and the Secretary
of Defense, in consultation with the heads of the appropriate Federal
departments or agencies, shall develop and promulgate procedures to facilitate
and promote—</text>
<subparagraph id="HC1A9533AD6C64098BF8425855AB71DB4"><enum>(A)</enum><text>the immediate
sharing, through the cybersecurity centers, of classified cyber threat
information in the possession of the Federal Government with appropriately
cleared representatives of any appropriate entity; and</text>
</subparagraph><subparagraph id="HE679F529DA1F41B29076E57823E6D4A9"><enum>(B)</enum><text>the
declassification and immediate sharing, through the cybersecurity centers, with
any entity or, if appropriate, public availability of cyber threat information
in the possession of the Federal Government.</text>
</subparagraph></paragraph><paragraph id="H60D2EA198B5348A6BD898E572CCE8E60"><enum>(2)</enum><header>Handling of
classified information</header><text>The procedures developed under paragraph
(1) shall ensure that each entity receiving classified cyber threat information
pursuant to this section has acknowledged in writing the ongoing obligation to
comply with all laws, Executive orders, and procedures concerning the
appropriate handling, disclosure, or use of classified information.</text>
</paragraph></subsection><subsection id="H6091201D5389406AA0E711C7B676B271"><enum>(b)</enum><header>Unclassified
cyber threat information</header><text>The heads of each department or agency
containing a cybersecurity center shall jointly develop and promulgate
procedures that ensure that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat information in
the possession of the Federal Government—</text>
<paragraph id="H0FEA353422FB46E5A28694FF59E9D7F6"><enum>(1)</enum><text>is shared, through
the cybersecurity centers, in an immediate and adequate manner with appropriate
entities; and</text>
</paragraph><paragraph id="H3FB21401A816434A9F531B9E497951D8"><enum>(2)</enum><text>if appropriate, is
made publicly available.</text>
</paragraph></subsection><subsection id="HF2F527B5EF8D4ACB8D196FF51080AFC5"><enum>(c)</enum><header>Development of
procedures</header>
<paragraph id="H774647F0CFC54AE496943B511711C377"><enum>(1)</enum><header>In
general</header><text>The procedures developed under this section shall
incorporate, to the greatest extent possible, existing processes utilized by
sector specific information sharing and analysis centers.</text>
</paragraph><paragraph id="HAC61AB8C2C624BDE96C8A5E80941AF1D"><enum>(2)</enum><header>Coordination
with entities</header><text>In developing the procedures required under this
section, the Director of National Intelligence and the heads of each department
or agency containing a cybersecurity center shall coordinate with appropriate
entities to ensure that protocols are implemented that will facilitate and
promote the sharing of cyber threat information by the Federal
Government.</text>
</paragraph></subsection><subsection id="H5A42FD81FC1E45B992E20634ACBEC91E"><enum>(d)</enum><header>Additional
Responsibilities of Cybersecurity Centers</header><text>Consistent with section
102, a cybersecurity center shall—</text>
<paragraph id="HE6A428D23F5A463E9204C98DE5065DE2"><enum>(1)</enum><text>facilitate
information sharing, interaction, and collaboration among and between
cybersecurity centers and—</text>
<subparagraph id="HD47AA4736A1B4F27935A7FAD39F6AA68"><enum>(A)</enum><text>other Federal
entities;</text>
</subparagraph><subparagraph id="HBB4F5B4CCBA340A28DB24F08C1910C46"><enum>(B)</enum><text>any entity;
and</text>
</subparagraph><subparagraph id="H5C93EB1A3EDF4E19B80214C978942441"><enum>(C)</enum><text>international
partners, in consultation with the Secretary of State;</text>
</subparagraph></paragraph><paragraph id="HC39C26654D4848518DD3C5D95342FDE6"><enum>(2)</enum><text>disseminate timely
and actionable cybersecurity threat, vulnerability, mitigation, and warning
information, including alerts, advisories, indicators, signatures, and
mitigation and response measures, to improve the security and protection of
information systems; and</text>
</paragraph><paragraph id="H09F31B48B4704788B3A62D2A9579F31A"><enum>(3)</enum><text>coordinate with
other Federal entities, as appropriate, to integrate information from across
the Federal Government to provide situational awareness of the cybersecurity
posture of the United States.</text>
</paragraph></subsection><subsection id="H25A55F1E065D433BA15AAC6AA6E4CFDD"><enum>(e)</enum><header>Sharing within
the Federal Government</header><text>The heads of appropriate Federal
departments and agencies shall ensure that cyber threat information in the
possession of such Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to information security
across the Federal Government is shared effectively with the cybersecurity
centers.</text>
</subsection><subsection id="H8BFEF32B954B43E6ADDF14E2122338CF"><enum>(f)</enum><header>Submission to
Congress</header><text>Not later than 60 days after the date of enactment of
this Act, the Director of National Intelligence, in coordination with the
appropriate head of a department or an agency containing a cybersecurity
center, shall submit the procedures required by this section to
Congress.</text>
</subsection></section><section id="HF014D7C598A7422485EAFD1183278B9F"><enum>104.</enum><header>Construction</header>
<subsection id="H9D06D01E4255475892B9307D40B167AF"><enum>(a)</enum><header>Information
Sharing Relationships</header><text>Nothing in this title shall be
construed—</text>
<paragraph id="H5D755037214F4342A30AB60C7451878D"><enum>(1)</enum><text>to limit or modify
an existing information sharing relationship;</text>
</paragraph><paragraph id="H01BE2D8C968045D78143DEA807CFBD88"><enum>(2)</enum><text>to prohibit a new
information sharing relationship;</text>
</paragraph><paragraph id="HEE6598FDA80C4D0892B9A02B3991F2EE"><enum>(3)</enum><text>to require a new
information sharing relationship between any entity and the Federal Government,
except as specified under section 102(b); or</text>
</paragraph><paragraph id="HC77B408C35344BFBADCD5090C2B6AAAD"><enum>(4)</enum><text>to modify the
authority of a department or agency of the Federal Government to protect
sources and methods and the national security of the United States.</text>
</paragraph></subsection><subsection id="HE0E053F4C02E4158B0249CE52784259B"><enum>(b)</enum><header>Anti-Tasking
Restriction</header><text>Nothing in this title shall be construed to permit
the Federal Government—</text>
<paragraph id="HFACA6221CB9D4F03A3EEB03FE24D2182"><enum>(1)</enum><text>to require an
entity to share information with the Federal Government, except as expressly
provided under section 102(b); or</text>
</paragraph><paragraph id="H33C7A046B7FA48C0BF965263F032EAEF"><enum>(2)</enum><text>to condition the
sharing of cyber threat information with an entity on such entity’s provision
of cyber threat information to the Federal Government.</text>
</paragraph></subsection><subsection id="H9B1E66C9D3E4417FB9D5233394C4BBDE"><enum>(c)</enum><header>No liability for
Non-Participation</header><text>Nothing in this title shall be construed to
subject any entity to liability for choosing not to engage in the voluntary
activities authorized under this title.</text>
</subsection><subsection id="HD811598063E748AC91BC428457F1F992"><enum>(d)</enum><header>Use and
Retention of Information</header><text>Nothing in this title shall be construed
to authorize, or to modify any existing authority of, a department or agency of
the Federal Government to retain or use any information shared under section
102 for any use other than a use permitted under subsection 102(c)(1).</text>
</subsection><subsection id="H4A516E2EB0FB4FF99229E025869B3FC0"><enum>(e)</enum><header>No new
funding</header><text>An applicable Federal agency shall carry out the
provisions of this title with existing facilities and funds otherwise
available, through such means as the head of the agency considers
appropriate.</text>
</subsection></section><section id="H31703E2D0972418A9B72A805E35BC481"><enum>105.</enum><header>Report on
implementation</header>
<subsection id="H6FAD5C691368412491F58E3D46ACC0CF"><enum>(a)</enum><header>Content of
report</header><text>Not later than 1 year after the date of enactment of this
Act, and biennially thereafter, the heads of each department or agency
containing a cybersecurity center shall jointly submit, in coordination with
the privacy and civil liberties officials of such departments or agencies and
the Privacy and Civil Liberties Oversight Board, a detailed report to Congress
concerning the implementation of this title, including—</text>
<paragraph id="HA66A010CB6964C23926095E3DEAD6787"><enum>(1)</enum><text>an assessment of
the sufficiency of the procedures developed under section 103 of this Act in
ensuring that cyber threat information in the possession of the Federal
Government is provided in an immediate and adequate manner to appropriate
entities or, if appropriate, is made publicly available;</text>
</paragraph><paragraph id="HFCDB7D338A584027B7A12E50836747F0"><enum>(2)</enum><text>an assessment of
whether information has been appropriately classified and an accounting of the
number of security clearances authorized by the Federal Government for purposes
of this title;</text>
</paragraph><paragraph id="H1A9EA1E44CF34EABB1D6E2EFCE705B6C"><enum>(3)</enum><text>a
review of the type of cyber threat information shared with a cybersecurity
center under section 102 of this Act, including whether such information meets
the definition of cyber threat information under section 101, the degree to
which such information may impact the privacy and civil liberties of
individuals, any appropriate metrics to determine any impact of the sharing of
such information with the Federal Government on privacy and civil liberties,
and the adequacy of any steps taken to reduce such impact;</text>
</paragraph><paragraph id="HFC90AF5ECF9B4F0BB198CA52F0E3FD88"><enum>(4)</enum><text>a
review of actions taken by the Federal Government based on information provided
to a cybersecurity center under section 102 of this Act, including the
appropriateness of any subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the Federal Government of
any such information;</text>
</paragraph><paragraph id="HC773807A75404F5386FE84FA5C0CE214"><enum>(5)</enum><text>a
description of any violations of the requirements of this title by the Federal
Government;</text>
</paragraph><paragraph id="H90C1EF48D3E54600B20BED5A1F7447FE"><enum>(6)</enum><text>a
classified list of entities that received classified information from the
Federal Government under section 103 of this Act and a description of any
indication that such information may not have been appropriately
handled;</text>
</paragraph><paragraph id="HC05563DDBF574157ABF57CFC86374082"><enum>(7)</enum><text>a
summary of any breach of information security, if known, attributable to a
specific failure by any entity or the Federal Government to act on cyber threat
information in the possession of such entity or the Federal Government that
resulted in substantial economic harm or injury to a specific entity or the
Federal Government; and</text>
</paragraph><paragraph id="H28C81154A25D425283B593BA5C7E904C"><enum>(8)</enum><text>any recommendation
for improvements or modifications to the authorities under this title.</text>
</paragraph></subsection><subsection id="H20AECCF83D1A4CBB8EABECD7B8DBD9C0"><enum>(b)</enum><header>Form of
report</header><text>The report under subsection (a) shall be submitted in
unclassified form, but shall include a classified annex.</text>
</subsection></section><section id="H2CCA021C23ED4CCBAAFA1E903FD1E84A"><enum>106.</enum><header>Inspector
General review</header>
<subsection id="H7803C2356B3244E88B6D758A211704FD"><enum>(a)</enum><header>In
general</header><text display-inline="yes-display-inline">The Council of the
Inspectors General on Integrity and Efficiency are authorized to review
compliance by the cybersecurity centers, and by any Federal department or
agency receiving cyber threat information from such cybersecurity centers, with
the procedures required under section 102 of this Act.</text>
</subsection><subsection id="H769A60AD8D81460284B4D36EEBC09587"><enum>(b)</enum><header>Scope of
review</header><text display-inline="yes-display-inline">The review under
subsection (a) shall consider whether the Federal Government has handled such
cyber threat information in a reasonable manner, including consideration of the
need to protect the privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully accomplishing the
objectives of this title.</text>
</subsection><subsection id="HA0D155F64767461C93D9593394D2C1C5"><enum>(c)</enum><header>Report to
Congress</header><text display-inline="yes-display-inline">Each review
conducted under this section shall be provided to Congress not later than 30
days after the date of completion of the review.</text>
</subsection></section><section id="H4BF8FAF993834A3A9ABD79472F016112"><enum>107.</enum><header>Technical
amendments</header><text display-inline="no-display-inline">Section 552(b) of
title 5, United States Code, is amended—</text>
<paragraph id="H972F38FA6CE743DB93050888AE3F78BA"><enum>(1)</enum><text display-inline="yes-display-inline">in paragraph (8), by striking
<quote>or</quote>;</text>
</paragraph><paragraph id="HE6E7C390DD5946B0AFC9E5F30D34B30F"><enum>(2)</enum><text>in paragraph (9),
by striking <quote>wells.</quote> and inserting <quote>wells; or</quote>;
and</text>
</paragraph><paragraph id="H66EABCEA08014488915B62A68E1E82A7"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="HF24D8D8C7FA54803983E5AB2920334D3" style="OLC">
<paragraph id="HDE424C6355AD4AF584B60A89AB6D2548"><enum>(10)</enum><text>information
shared with or provided to a cybersecurity center under section 102 of title I
of the <short-title>Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and Technology Act of
2013</short-title>.</text>
</paragraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></section><section id="HF9918A6A729640CFB13BA65303ED04CE"><enum>108.</enum><header>Access to
classified information</header>
<subsection id="HB66C3ACE49954BBF8C754B15B715F723"><enum>(a)</enum><header>Authorization
required</header><text>No person shall be provided with access to classified
information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435
note; relating to classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this title without the
appropriate security clearances.</text>
</subsection><subsection id="H7B55EF37D7424B5D9EF78B88D95A0A59"><enum>(b)</enum><header>Security
clearances</header><text>The appropriate Federal agencies or departments shall,
consistent with applicable procedures and requirements, and if otherwise deemed
appropriate, assist an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be eligible for such
clearance and has a need-to-know (as defined in section 6.1 of that Executive
order) classified information to carry out this title.</text>
</subsection></section><enum>II</enum><header>Coordination of
Federal information security policy</header>
<section id="HA2A31AE1657F4D6A83C7FF8373A5265C" section-type="subsequent-section"><enum>201.</enum><header>Coordination of
Federal information security policy</header>
<subsection id="H7FD864507CB4496BA67C7E6777B0B13E"><enum>(a)</enum><header>In
General</header><text display-inline="yes-display-inline">Chapter 35 of title
44, United States Code, is amended by striking subchapters II and III and
inserting the following:</text>
<quoted-block display-inline="no-display-inline" id="H74F88DD4EC4F4FAA8D708E97986E6867" style="USC">
<subchapter id="HE243AF3C3110443E9C32480A4C0EDCEE"><enum>II</enum><header>Information
Security</header>
<section id="H061D3069D95346909FE6B24DBB7C2203" section-type="subsequent-section"><enum>3551.</enum><header>Purposes</header><text display-inline="no-display-inline">The purposes of this subchapter are—</text>
<paragraph id="HC5404EB7136947BA804177DFF0CDA6EA"><enum>(1)</enum><text display-inline="yes-display-inline">to provide a comprehensive framework for
ensuring the effectiveness of information security controls over information
resources that support Federal operations and assets;</text>
</paragraph><paragraph id="HA6E267A261BA42E7BBAEAD3A43BE504E"><enum>(2)</enum><text>to recognize the
highly networked nature of the current Federal computing environment and
provide effective government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble oversight of and
response to information security risks, including coordination of information
security efforts throughout the Federal civilian, national security, and law
enforcement communities;</text>
</paragraph><paragraph id="HE924475722EF4DAFBF82D40A69B51D62"><enum>(3)</enum><text>to provide for
development and maintenance of controls required to protect agency information
and information systems and contribute to the overall improvement of agency
information security posture;</text>
</paragraph><paragraph id="HE9E5029170BD4A159CC96F57C52516A4"><enum>(4)</enum><text>to provide for the
development of tools and methods to assess and respond to real-time situational
risk for Federal information system operations and assets; and</text>
</paragraph><paragraph id="HCE49CDC36F004339B478C7069E5E3F54"><enum>(5)</enum><text>to provide a
mechanism for improving agency information security programs through continuous
monitoring of agency information systems and streamlined reporting requirements
rather than overly prescriptive manual reporting.</text>
</paragraph></section><section id="HDB095C036B4D488CA8A1C18AA63655DC"><enum>3552.</enum><header>Definitions</header><text display-inline="no-display-inline">In this subchapter:</text>
<paragraph id="HBDD427088D084DFBB6A8A5981EE0D5D9"><enum>(1)</enum><header>Adequate
security</header><text>The term <term>adequate security</term> means security
commensurate with the risk and magnitude of the harm resulting from the
unauthorized access to or loss, misuse, destruction, or modification of
information.</text>
</paragraph><paragraph id="H34BABB89C01F445F8C35CA27500EE2E7"><enum>(2)</enum><header>Agency</header><text>The
term <term>agency</term> has the meaning given the term in section 3502 of
title 44.</text>
</paragraph><paragraph id="HF669074C79724477BDD0B5A8FF7219BA"><enum>(3)</enum><header>Cybersecurity
center</header><text>The term <term>cybersecurity center</term> means the
Department of Defense Cyber Crime Center, the Intelligence Community Incident
Response Center, the United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National Security
Agency/Central Security Service Threat Operations Center, the National
Cybersecurity and Communications Integration Center, and any successor
center.</text>
</paragraph><paragraph id="HCA1EA74146A04364BBA8B53FB6256DD9"><enum>(4)</enum><header>Cyber threat
information</header><text>The term <term>cyber threat information</term> means
information that indicates or describes—</text>
<subparagraph id="H690288FBDD634D15B4080434B424A6CD"><enum>(A)</enum><text>a technical or
operation vulnerability or a cyber threat mitigation measure;</text>
</subparagraph><subparagraph id="H1EC3B5AFC20C4FE284408CA9912FE35C"><enum>(B)</enum><text>an action or
operation to mitigate a cyber threat;</text>
</subparagraph><subparagraph id="H7F89772C999A4F6BAC5A888E63E5CD81"><enum>(C)</enum><text>malicious
reconnaissance, including anomalous patterns of network activity that appear to
be transmitted for the purpose of gathering technical information related to a
cybersecurity threat;</text>
</subparagraph><subparagraph id="HA10E27DB90034DB4A7EE87CA8E111A19"><enum>(D)</enum><text>a method of
defeating a technical control;</text>
</subparagraph><subparagraph id="HC82C476BF65E4E48984C1B1E5EB529CC"><enum>(E)</enum><text>a method of
defeating an operational control;</text>
</subparagraph><subparagraph id="H5DF1C460571E42B4AFEF711C8F760EA9"><enum>(F)</enum><text>network activity
or protocols known to be associated with a malicious cyber actor or that
signify malicious cyber intent;</text>
</subparagraph><subparagraph id="H9A763CB923E945DFB5D727FD3F3B1972"><enum>(G)</enum><text>a method of
causing a user with legitimate access to an information system or information
that is stored on, processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational control;</text>
</subparagraph><subparagraph id="HB4C0E210F9A64669ADE7F46A1614DA3F"><enum>(H)</enum><text>any other
attribute of a cybersecurity threat or cyber defense information that would
foster situational awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise prohibited by
law;</text>
</subparagraph><subparagraph id="HEF9A5842999641DFA75C4269FFD1AA04"><enum>(I)</enum><text>the actual or
potential harm caused by a cyber incident, including information exfiltrated
when it is necessary in order to identify or describe a cybersecurity threat;
or</text>
</subparagraph><subparagraph id="HA749507D35814684A4615E0C183AB5A8"><enum>(J)</enum><text>any combination of
subparagraphs (A) through (I).</text>
</subparagraph></paragraph><paragraph id="H9EF822DCB3D24F2CB0E21F92FD8FF5FB"><enum>(5)</enum><header>Director</header><text>The
term <term>Director</term> means the Director of the Office of Management and
Budget unless otherwise specified.</text>
</paragraph><paragraph id="HDA3FBB0C05054F108B9118C7A44F559D"><enum>(6)</enum><header>Environment of
operation</header><text>The term <term>environment of operation</term> means
the information system and environment in which those systems operate,
including changing threats, vulnerabilities, technologies, and missions and
business practices.</text>
</paragraph><paragraph id="H9355C779773F4584976F9992E4427291"><enum>(7)</enum><header>Federal
information system</header><text>The term <term>Federal information
system</term> means an information system used or operated by an executive
agency, by a contractor of an executive agency, or by another organization on
behalf of an executive agency.</text>
</paragraph><paragraph id="HF4680191F8834305A91F3E3C2C5812A3"><enum>(8)</enum><header>Incident</header><text>The
term <term>incident</term> means an occurrence that—</text>
<subparagraph id="H6230DFC78EB24C70AA7DC3A6C5A83995"><enum>(A)</enum><text>actually or
imminently jeopardizes the integrity, confidentiality, or availability of an
information system or the information that system controls, processes, stores,
or transmits; or</text>
</subparagraph><subparagraph id="HF52AD4821ACF41B899A3246AB76272E0"><enum>(B)</enum><text>constitutes a
violation of law or an imminent threat of violation of a law, a security
policy, a security procedure, or an acceptable use policy.</text>
</subparagraph></paragraph><paragraph id="HE4779D9A06324676AD9EE0AD97FFF23A"><enum>(9)</enum><header>Information
resources</header><text>The term <term>information resources</term> has the
meaning given the term in <external-xref legal-doc="usc" parsable-cite="usc/44/3502">section 3502</external-xref> of title 44.</text>
</paragraph><paragraph id="H76A8BC3C1539475FB1BFFF07E45BF84D"><enum>(10)</enum><header>Information
security</header><text>The term <term>information security</term> means
protecting information and information systems from disruption or unauthorized
access, use, disclosure, modification, or destruction in order to
provide—</text>
<subparagraph id="H12D23582FDCD4DF9BC99AE6BDD999B3D"><enum>(A)</enum><text>integrity, by
guarding against improper information modification or destruction, including by
ensuring information nonrepudiation and authenticity;</text>
</subparagraph><subparagraph id="H02607B61E14B4CB3B88286F001674BBF"><enum>(B)</enum><text>confidentiality,
by preserving authorized restrictions on access and disclosure, including means
for protecting personal privacy and proprietary information; or</text>
</subparagraph><subparagraph id="H3B735EE2373349E48E670440D001CA9C"><enum>(C)</enum><text>availability, by
ensuring timely and reliable access to and use of information.</text>
</subparagraph></paragraph><paragraph id="H1BF869CD31E142B2A484BEF2D8180171"><enum>(11)</enum><header>Information
system</header><text>The term <term>information system</term> has the meaning
given the term in <external-xref legal-doc="usc" parsable-cite="usc/44/3502">section 3502</external-xref> of title 44.</text>
</paragraph><paragraph id="H90E55DA9061846A292CFEEC61FFB3FE6"><enum>(12)</enum><header>Information
technology</header><text>The term <term>information technology</term> has the
meaning given the term in <external-xref legal-doc="usc" parsable-cite="usc/40/11101">section 11101</external-xref> of title 40.</text>
</paragraph><paragraph id="H731A78B8615D4D44808DBCC90DBCF787"><enum>(13)</enum><header>Malicious
reconnaissance</header><text>The term <term>malicious reconnaissance</term>
means a method for actively probing or passively monitoring an information
system for the purpose of discerning technical vulnerabilities of the
information system, if such method is associated with a known or suspected
cybersecurity threat.</text>
</paragraph><paragraph id="H278299840AFC4880A0F002FAB8A1B762"><enum>(14)</enum><header>National
security system</header>
<subparagraph id="H0AD092E0887B4EF19E5438F9934FBCBA"><enum>(A)</enum><header>In
general</header><text>The term <term>national security system</term> means any
information system (including any telecommunications system) used or operated
by an agency or by a contractor of an agency, or other organization on behalf
of an agency—</text>
<clause id="H9CAFF865BE02448785B2690C444A0D11"><enum>(i)</enum><text>the function,
operation, or use of which—</text>
<subclause id="HBED88B82EA37458F8611F5F1428B8446"><enum>(I)</enum><text>involves
intelligence activities;</text>
</subclause><subclause id="H6A1CDDA146224CE4B13143FAEE2C11CF"><enum>(II)</enum><text>involves
cryptologic activities related to national security;</text>
</subclause><subclause id="HE05786A3740E40E68B951DF0ABD0A93A"><enum>(III)</enum><text>involves command
and control of military forces;</text>
</subclause><subclause id="H19D01BBE6C3645149A43ADA88DE0C421"><enum>(IV)</enum><text>involves
equipment that is an integral part of a weapon or weapons system; or</text>
</subclause><subclause id="HB5E8E6A7D1264893B8AF5B2CE18DEEC9"><enum>(V)</enum><text>subject to
subparagraph (B), is critical to the direct fulfillment of military or
intelligence missions; or</text>
</subclause></clause><clause id="H4EC0F3418D7F432CA67949314E863780"><enum>(ii)</enum><text>is protected at
all times by procedures established for information that have been specifically
authorized under criteria established by an Executive order or an Act of
Congress to be kept classified in the interest of national defense or foreign
policy.</text>
</clause></subparagraph><subparagraph id="H6D048EEE21B0466DBF447AE68A2E5669"><enum>(B)</enum><header>Limitation</header><text>Subparagraph
(A)(i)(V) does not include a system that is to be used for routine
administrative and business applications (including payroll, finance,
logistics, and personnel management applications).</text>
</subparagraph></paragraph><paragraph id="H1DEB0FDEA58A41BBAE096D12CF9BCDAA"><enum>(15)</enum><header>Operational
control</header><text>The term <term>operational control</term> means a
security control for an information system that primarily is implemented and
executed by people.</text>
</paragraph><paragraph id="H719BA93ED9564078A57F6C1D410E1BCE"><enum>(16)</enum><header>Person</header><text>The
term <quote>person</quote> has the meaning given the term in section 3502 of
title 44.</text>
</paragraph><paragraph id="H5D9C5C093D0F416EBDEA78D672CF6057"><enum>(17)</enum><header>Secretary</header><text>The
term <term>Secretary</term> means the Secretary of Commerce unless otherwise
specified.</text>
</paragraph><paragraph id="H7999344E1FA74508B23168CB1EE01FE1"><enum>(18)</enum><header>Security
control</header><text>The term <term>security control</term> means the
management, operational, and technical controls, including safeguards or
countermeasures, prescribed for an information system to protect the
confidentiality, integrity, and availability of the system and its
information.</text>
</paragraph><paragraph id="HFE10E5A2011E4717A4D0E32220A3E533"><enum>(19)</enum><header>Significant
cyber incident</header><text>The term <term>significant cyber incident</term>
means a cyber incident resulting in, or an attempted cyber incident that, if
successful, would have resulted in—</text>
<subparagraph id="H1749719DD4F943F88B06ABE88A4D0EEA"><enum>(A)</enum><text>the exfiltration
from a Federal information system of data that is essential to the operation of
the Federal information system; or</text>
</subparagraph><subparagraph id="H214A0DC7922E47B6B55A8A8FB7702D72"><enum>(B)</enum><text>an incident in
which an operational or technical control essential to the security or
operation of a Federal information system was defeated.</text>
</subparagraph></paragraph><paragraph id="HBBE57C8161694E10B5F2055B464583F3"><enum>(20)</enum><header>Technical
control</header><text>The term <term>technical control</term> means a hardware
or software restriction on, or audit of, access or use of an information system
or information that is stored on, processed by, or transiting an information
system that is intended to ensure the confidentiality, integrity, or
availability of that system.</text>
</paragraph></section><section id="HE1A1915616E3493F8ED607234C3381BE"><enum>3553.</enum><header>Federal
information security authority and coordination</header>
<subsection id="H44117EB654E64E9687F0F3C3B4890240"><enum>(a)</enum><header>In
general</header><text>The Secretary, in consultation with the Secretary of
Homeland Security, shall—</text>
<paragraph id="HDB735AB9997547C28C216A05B703912E"><enum>(1)</enum><text>issue compulsory
and binding policies and directives governing agency information security
operations, and require implementation of such policies and directives,
including—</text>
<subparagraph id="H779567F872964E2183F7A26CB029A8C9"><enum>(A)</enum><text>policies and
directives consistent with the standards and guidelines promulgated under
<external-xref legal-doc="usc" parsable-cite="usc/40/11331">section 11331</external-xref> of title 40 to identify and provide information security
protections prioritized and commensurate with the risk and impact resulting
from the unauthorized access, use, disclosure, disruption, modification, or
destruction of—</text>
<clause id="H568FA8E0B2D341CCB228CEA82EAA34A7"><enum>(i)</enum><text>information
collected or maintained by or on behalf of an agency; or</text>
</clause><clause id="HB940FFA7E2C5410CA5D125B569D4223E"><enum>(ii)</enum><text>information
systems used or operated by an agency or by a contractor of an agency or other
organization on behalf of an agency;</text>
</clause></subparagraph><subparagraph id="H6175495A15E54639A7763978BCB504F5"><enum>(B)</enum><text>minimum
operational requirements for the Federal Government to protect agency
information systems and provide common situational awareness across all agency
information systems;</text>
</subparagraph><subparagraph id="H9F7CE462597D43D3AE95CFDA47DFD7FE"><enum>(C)</enum><text>reporting
requirements, consistent with relevant law, regarding information security
incidents and cyber threat information;</text>
</subparagraph><subparagraph id="H60A7589E06524B129C4C7287FCA11214"><enum>(D)</enum><text>requirements for
agencywide information security programs;</text>
</subparagraph><subparagraph id="HA2F46C05AA714B76A3B5D54C0619B289"><enum>(E)</enum><text>performance
requirements and metrics for the security of agency information systems;</text>
</subparagraph><subparagraph id="H71793AE29F0D4DBDAE94019AEB9D34E0"><enum>(F)</enum><text>training
requirements to ensure that agencies are able to fully and timely comply with
the policies and directives issued by the Secretary under this
subchapter;</text>
</subparagraph><subparagraph id="HCE208649E2E846978C03CE62938DDF44"><enum>(G)</enum><text>training
requirements regarding privacy, civil rights, and civil liberties, and
information oversight for agency information security personnel;</text>
</subparagraph><subparagraph id="HE93D616C563D4F2CBBFDD6F2B04F0E67"><enum>(H)</enum><text>requirements for
the annual reports to the Secretary under section 3554(d);</text>
</subparagraph><subparagraph id="H937529F3084C47559E90EABE6D9D7988"><enum>(I)</enum><text>any other
information security operations or information security requirements as
determined by the Secretary in coordination with relevant agency heads;
and</text>
</subparagraph><subparagraph id="HE7D53987E5D947F397C91D6BF1581ED8"><enum>(J)</enum><text>coordinating the
development of standards and guidelines under section 20 of the National
Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>) with agencies and
offices operating or exercising control of national security systems (including
the National Security Agency) to assure, to the maximum extent feasible, that
such standards and guidelines are complementary with standards and guidelines
developed for national security systems;</text>
</subparagraph></paragraph><paragraph id="HC7BFBCF390764FB09647CF44765C518F"><enum>(2)</enum><text>review the
agencywide information security programs under section 3554; and</text>
</paragraph><paragraph id="H15F379DC19B44BD28A0BB9CBF3E5AC84"><enum>(3)</enum><text>designate an
individual or an entity at each cybersecurity center, among other
responsibilities—</text>
<subparagraph id="H3E2D4B5F51B948A78ED9DFDC89B8149D"><enum>(A)</enum><text>to receive reports
and information about information security incidents, cyber threat information,
and deterioration of security control affecting agency information systems;
and</text>
</subparagraph><subparagraph id="H1790C3C1BF4B4B9B80EF1BE5262B1D13"><enum>(B)</enum><text>to act on or share
the information under subparagraph (A) in accordance with this
subchapter.</text>
</subparagraph></paragraph></subsection><subsection id="H5BDB0EC0D7664D83A76CD28D3118C496"><enum>(b)</enum><header>Considerations</header><text>When
issuing policies and directives under subsection (a), the Secretary shall
consider any applicable standards or guidelines developed by the National
Institute of Standards and Technology under <external-xref legal-doc="usc" parsable-cite="usc/40/11331">section 11331</external-xref> of title 40.</text>
</subsection><subsection id="HCF88828D371B49FD85E4AD726E7FA0D6"><enum>(c)</enum><header>Limitation of
authority</header><text>The authorities of the Secretary under this section
shall not apply to national security systems. Information security policies,
directives, standards and guidelines for national security systems shall be
overseen as directed by the President and, in accordance with that direction,
carried out under the authority of the heads of agencies that operate or
exercise authority over such national security systems.</text>
</subsection><subsection id="H3D73E42658B040DBA8277860E0577334"><enum>(d)</enum><header>Statutory
construction</header><text>Nothing in this subchapter shall be construed to
alter or amend any law regarding the authority of any head of an agency over
such agency.</text>
</subsection></section><section id="H8B64705F364C4B679B5418C2AA2EA827"><enum>3554.</enum><header>Agency
responsibilities</header>
<subsection id="H978E7CB2F329462299C9B12E5B89845E"><enum>(a)</enum><header>In
general</header><text>The head of each agency shall—</text>
<paragraph id="H2E52761203A54394886E874846588085"><enum>(1)</enum><text>be responsible
for—</text>
<subparagraph id="H7A5CE10FF8304C63971B542D2F0D149C"><enum>(A)</enum><text>complying with the
policies and directives issued under section 3553;</text>
</subparagraph><subparagraph id="H86598F6BCEAA4F21811972663119E30D"><enum>(B)</enum><text>providing
information security protections commensurate with the risk resulting from
unauthorized access, use, disclosure, disruption, modification, or destruction
of—</text>
<clause id="H7E4643E4E9ED4DE68567C23E933197B1"><enum>(i)</enum><text>information
collected or maintained by the agency or by a contractor of an agency or other
organization on behalf of an agency; and</text>
</clause><clause id="H74C64F6B16B04C1E8EB500958D4AAE01"><enum>(ii)</enum><text>information
systems used or operated by an agency or by a contractor of an agency or other
organization on behalf of an agency;</text>
</clause></subparagraph><subparagraph id="H65AF4C20BAFB47A181D96107A7A4D1A4"><enum>(C)</enum><text>complying with the
requirements of this subchapter, including—</text>
<clause id="HDA54B2D305504E689D31C4CD365FB7B8"><enum>(i)</enum><text>information
security standards and guidelines promulgated under section 11331 of title
40;</text>
</clause><clause id="HAB198F69D67847BD8AE635410CDF4EB9"><enum>(ii)</enum><text>for any national
security systems operated or controlled by that agency, information security
policies, directives, standards and guidelines issued as directed by the
President; and</text>
</clause><clause id="H2A10194DE629455B9F66404542845E3C"><enum>(iii)</enum><text>for any
non-national security systems operated or controlled by that agency,
information security policies, directives, standards and guidelines issued
under section 3553;</text>
</clause></subparagraph><subparagraph id="H81AA02892C3949119DBA426FC29549A2"><enum>(D)</enum><text>ensuring that
information security management processes are integrated with agency strategic
and operational planning processes;</text>
</subparagraph><subparagraph id="HA945FD7C6BBB4732AFEC8B50FA52345C"><enum>(E)</enum><text>reporting and
sharing, for an agency operating or exercising control of a national security
system, information about information security incidents, cyber threat
information, and deterioration of security controls to the individual or entity
designated at each cybersecurity center and to other appropriate entities
consistent with policies and directives for national security systems issued as
directed by the President; and</text>
</subparagraph><subparagraph id="H9554E162634D476A95299A705861A605"><enum>(F)</enum><text>reporting and
sharing, for those agencies operating or exercising control of non-national
security systems, information about information security incidents, cyber
threat information, and deterioration of security controls to the individual or
entity designated at each cybersecurity center and to other appropriate
entities consistent with policies and directives for non-national security
systems as prescribed under section 3553(a), including information to assist
the entity designated under section 3555(a) with the ongoing security analysis
under section 3555;</text>
</subparagraph></paragraph><paragraph id="HC6069F7B109D446789AF0EE24F6C32A8"><enum>(2)</enum><text>ensure that each
senior agency official provides information security for the information and
information systems that support the operations and assets under the senior
agency official's control, including by—</text>
<subparagraph id="H08DDC3239152494BA44EF48AF1F60044"><enum>(A)</enum><text>assessing the risk
and impact that could result from the unauthorized access, use, disclosure,
disruption, modification, or destruction of such information or information
systems;</text>
</subparagraph><subparagraph id="HB9EFF2F5736A42119108B2D66C4C5CEB"><enum>(B)</enum><text>determining the
level of information security appropriate to protect such information and
information systems in accordance with policies and directives issued under
section 3553(a), and standards and guidelines promulgated under section 11331
of title 40 for information security classifications and related
requirements;</text>
</subparagraph><subparagraph id="H84205A915A5E44E4BBC6DF78AF132ADC"><enum>(C)</enum><text>implementing
policies, procedures, and capabilities to reduce risks to an acceptable level
in a cost-effective manner;</text>
</subparagraph><subparagraph id="HCFCB1790E38E4F9AB2F9AC93A3B62168"><enum>(D)</enum><text>actively
monitoring the effective implementation of information security controls and
techniques; and</text>
</subparagraph><subparagraph id="H01210CF46B954F9BBC89266274D81106"><enum>(E)</enum><text>reporting
information about information security incidents, cyber threat information, and
deterioration of security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with paragraph
(1);</text>
</subparagraph></paragraph><paragraph id="HD8C1B291C9964239B417D6ED9002DBE5"><enum>(3)</enum><text>assess and
maintain the resiliency of information technology systems critical to agency
mission and operations;</text>
</paragraph><paragraph id="H3A3194D1E4884D6C83F66EB092D367AF"><enum>(4)</enum><text>designate the
agency Inspector General (or an independent entity selected in consultation
with the Director and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General) to conduct the
annual independent evaluation required under section 3556, and allow the agency
Inspector General to contract with an independent entity to perform such
evaluation;</text>
</paragraph><paragraph id="H2B50ED533DA44E248E685D0B5E080B97"><enum>(5)</enum><text>delegate to the
Chief Information Officer or equivalent (or to a senior agency official who
reports to the Chief Information Officer or equivalent)—</text>
<subparagraph id="H4028669E20C34440AD9EFF033D8386C2"><enum>(A)</enum><text>the authority and
primary responsibility to implement an agencywide information security program;
and</text>
</subparagraph><subparagraph id="H705C3D85D4EF43958A3F377BCD10AA05"><enum>(B)</enum><text>the authority to
provide information security for the information collected and maintained by
the agency (or by a contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the operations, assets,
and mission of the agency (including any information system provided or managed
by a contractor, other agency, or other source on behalf of the agency);</text>
</subparagraph></paragraph><paragraph id="H509BE4E60473428D99640EDFDC687C5D"><enum>(6)</enum><text>delegate to the
appropriate agency official (who is responsible for a particular agency system
or subsystem) the responsibility to ensure and enforce compliance with all
requirements of the agency’s agencywide information security program in
coordination with the Chief Information Officer or equivalent (or the senior
agency official who reports to the Chief Information Officer or equivalent)
under paragraph (5);</text>
</paragraph><paragraph id="H8CCBAB1B3B81475493415A3B7C3774C3"><enum>(7)</enum><text>ensure that an
agency has trained personnel who have obtained any necessary security
clearances to permit them to assist the agency in complying with this
subchapter;</text>
</paragraph><paragraph id="HD685B2782FC44EDDBDC97DC85ED7560B"><enum>(8)</enum><text>ensure that the
Chief Information Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under paragraph (5), in
coordination with other senior agency officials, reports to the agency head on
the effectiveness of the agencywide information security program, including the
progress of any remedial actions; and</text>
</paragraph><paragraph id="HE65206E275C545B98B87C394CA914C4F"><enum>(9)</enum><text>ensure that the
Chief Information Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under paragraph (5) has
the necessary qualifications to administer the functions described in this
subchapter and has information security duties as a primary duty of that
official.</text>
</paragraph></subsection><subsection id="HC720CF5D71B54B99BFF5B5E8603EC43F"><enum>(b)</enum><header>Chief
Information Officers</header><text>Each Chief Information Officer or equivalent
(or the senior agency official who reports to the Chief Information Officer or
equivalent) under subsection (a)(5) shall—</text>
<paragraph id="H58D2383F31F2489CBA8CBBDCFA185CF9"><enum>(1)</enum><text>establish and
maintain an enterprise security operations capability that on a continuous
basis—</text>
<subparagraph id="H68B73FF867AA46EE8610D2E5C8409ACA"><enum>(A)</enum><text>detects, reports,
contains, mitigates, and responds to information security incidents that impair
adequate security of the agency’s information or information system in a timely
manner and in accordance with the policies and directives under section 3553;
and</text>
</subparagraph><subparagraph id="H93AED120DFEF455EA7695CC4C1FE89FF"><enum>(B)</enum><text>reports any
information security incident under subparagraph (A) to the entity designated
under section 3555;</text>
</subparagraph></paragraph><paragraph id="H01E7399E93704777894C72559358BFE6"><enum>(2)</enum><text>develop, maintain,
and oversee an agencywide information security program;</text>
</paragraph><paragraph id="HD85E7FE4974547FB86035CC7E1AD90F8"><enum>(3)</enum><text>develop, maintain,
and oversee information security policies, procedures, and control techniques
to address applicable requirements, including requirements under section 3553
of this title and <external-xref legal-doc="usc" parsable-cite="usc/40/11331">section 11331</external-xref> of title 40; and</text>
</paragraph><paragraph id="H2A5E09B40D974B24A45B0FAB58D7FD24"><enum>(4)</enum><text>train and oversee
the agency personnel who have significant responsibility for information
security with respect to that responsibility.</text>
</paragraph></subsection><subsection id="H60120995C2064ABEB5F7ED83ADC18570"><enum>(c)</enum><header>Agencywide
information security programs</header>
<paragraph id="H32AE227BCBA643EB91777DBC7B2F2EB5"><enum>(1)</enum><header>In
general</header><text>Each agencywide information security program under
subsection (b)(2) shall include—</text>
<subparagraph id="H9223BE99003D46B3AB44BEA9E215CE25"><enum>(A)</enum><text>relevant security
risk assessments, including technical assessments and others related to the
acquisition process;</text>
</subparagraph><subparagraph id="HE7A28D2F0E1149F09105B37265D180A3"><enum>(B)</enum><text>security testing
commensurate with risk and impact;</text>
</subparagraph><subparagraph id="H07D21FBF5FE3494FB2FB6E576EC17DED"><enum>(C)</enum><text>mitigation of
deterioration of security controls commensurate with risk and impact;</text>
</subparagraph><subparagraph id="H735E0ACCAB3B4AC69937BD2B80F4CB8F"><enum>(D)</enum><text>risk-based
continuous monitoring and threat assessment of the operational status and
security of agency information systems to enable evaluation of the
effectiveness of and compliance with information security policies, procedures,
and practices, including a relevant and appropriate selection of security
controls of information systems identified in the inventory under section
3505(c);</text>
</subparagraph><subparagraph id="HB33F7876719142F0A4D9980A316A6626"><enum>(E)</enum><text>operation of
appropriate technical capabilities in order to detect, mitigate, report, and
respond to information security incidents, cyber threat information, and
deterioration of security controls in a manner that is consistent with the
policies and directives under section 3553, including—</text>
<clause id="H8EA06FA639A34DF488B521F4B2C3D71C"><enum>(i)</enum><text>mitigating risks
associated with such information security incidents;</text>
</clause><clause id="H0446F54DD37640E4BE958FDC589D05F1"><enum>(ii)</enum><text>notifying and
consulting with the entity designated under section 3555; and</text>
</clause><clause id="H4B859A3CD30D4805B58E33742B46F6A1"><enum>(iii)</enum><text>notifying and
consulting with, as appropriate—</text>
<subclause id="H4814E2313A54429593A4CB6DA3B37E70"><enum>(I)</enum><text>law enforcement
and the relevant Office of the Inspector General; and</text>
</subclause><subclause id="H09BB2E2612574EDC9182FA43814AF7FC"><enum>(II)</enum><text>any other entity,
in accordance with law and as directed by the President;</text>
</subclause></clause></subparagraph><subparagraph id="H70CBF082F7C6453DAEE845E5DDCDB1C6"><enum>(F)</enum><text>a process to
ensure that remedial action is taken to address any deficiencies in the
information security policies, procedures, and practices of the agency;
and</text>
</subparagraph><subparagraph id="H386EB65687DE416BA0825F191C3BB2D8"><enum>(G)</enum><text>a plan and
procedures to ensure the continuity of operations for information systems that
support the operations and assets of the agency.</text>
</subparagraph></paragraph><paragraph id="H575C547A346F45719D2CFEDC5E973FCE"><enum>(2)</enum><header>Risk management
strategies</header><text>Each agencywide information security program under
subsection (b)(2) shall include the development and maintenance of a risk
management strategy for information security. The risk management strategy
shall include—</text>
<subparagraph id="HC7D1633CA34A4D3488F495D9E690FC9A"><enum>(A)</enum><text>consideration of
information security incidents, cyber threat information, and deterioration of
security controls; and</text>
</subparagraph><subparagraph id="HD6F9B2B6BEE141D3899EFD11D55BCDC1"><enum>(B)</enum><text>consideration of
the consequences that could result from the unauthorized access, use,
disclosure, disruption, modification, or destruction of information and
information systems that support the operations and assets of the agency,
including any information system provided or managed by a contractor, other
agency, or other source on behalf of the agency.</text>
</subparagraph></paragraph><paragraph id="H902FD6A8DF654749915717C49FEE6B2C"><enum>(3)</enum><header>Policies and
procedures</header><text>Each agencywide information security program under
subsection (b)(2) shall include policies and procedures that—</text>
<subparagraph id="HCDDB35EB0F384734A679590B5CA72CAE"><enum>(A)</enum><text>are based on the
risk management strategy under paragraph (2);</text>
</subparagraph><subparagraph id="H3BE43FA0CFD64AB1B2983106D8C62CE6"><enum>(B)</enum><text>reduce information
security risks to an acceptable level in a cost-effective manner;</text>
</subparagraph><subparagraph id="HD4F2AB6371BD482A910EE17ED38D51D9"><enum>(C)</enum><text>ensure that
cost-effective and adequate information security is addressed as part of the
acquisition and ongoing management of each agency information system;
and</text>
</subparagraph><subparagraph id="H0C7AEEBFAC9A47DB94F46E94AF80DE88"><enum>(D)</enum><text>ensure compliance
with—</text>
<clause id="HF7214E71EF344E53BABC61FDE9024F91"><enum>(i)</enum><text>this subchapter;
and</text>
</clause><clause id="H486CE50B5B504DBDA41A2588A80025CC"><enum>(ii)</enum><text>any other
applicable requirements.</text>
</clause></subparagraph></paragraph><paragraph id="HE1862F4587C74AB9B96585E5168E3C30"><enum>(4)</enum><header>Training
requirements</header><text>Each agencywide information security program under
subsection (b)(2) shall include information security, privacy, civil rights,
civil liberties, and information oversight training that meets any applicable
requirements under section 3553. The training shall inform each information
security personnel that has access to agency information systems (including
contractors and other users of information systems that support the operations
and assets of the agency) of—</text>
<subparagraph id="HA1F1E7D700F34ADA82B93DE55A6CCF0A"><enum>(A)</enum><text>the information
security risks associated with the information security personnel's activities;
and</text>
</subparagraph><subparagraph id="H707281BBE7CC49AA8848A2AD294B72BB"><enum>(B)</enum><text>the individual's
responsibility to comply with the agency policies and procedures that reduce
the risks under subparagraph (A).</text>
</subparagraph></paragraph></subsection><subsection id="H25D7B09BD6B7476993B57418A4E623A6"><enum>(d)</enum><header>Annual
report</header><text>Each agency shall submit a report annually to the
Secretary of Homeland Security on its agencywide information security program
and information systems.</text>
</subsection></section><section id="H8681E05C3D95491CACD0B0B74DF1A365"><enum>3555.</enum><header>Multiagency
ongoing threat assessment</header>
<subsection id="HB46E6F449B4346B1B41273BAC5BB10B3"><enum>(a)</enum><header>Implementation</header><text>The
Director of the Office of Management and Budget, in coordination with the
Secretary of Homeland Security, shall designate an entity to implement ongoing
security analysis concerning agency information systems—</text>
<paragraph id="HAE0E3D936432497685894534E5648ED4"><enum>(1)</enum><text>based on cyber
threat information;</text>
</paragraph><paragraph id="H417DB2ECF2AA4405B450016D7AF9B487"><enum>(2)</enum><text>based on agency
information system and environment of operation changes, including—</text>
<subparagraph id="HF1BCEF0942C44C0CAC7BFCA43ECC4547"><enum>(A)</enum><text>an ongoing
evaluation of the information system security controls; and</text>
</subparagraph><subparagraph id="H7A20D2D371114D8A827FE48F3B79DA9E"><enum>(B)</enum><text>the security
state, risk level, and environment of operation of an agency information
system, including—</text>
<clause id="HD69DEBCA309244A5AF74420971F98103"><enum>(i)</enum><text>a
change in risk level due to a new cyber threat;</text>
</clause><clause id="HEC4C0A53D877454C8BA1337B53E32018"><enum>(ii)</enum><text>a
change resulting from a new technology;</text>
</clause><clause id="H47E635D97A034D68A7151BC3E7F66A7B"><enum>(iii)</enum><text>a change
resulting from the agency's mission; and</text>
</clause><clause id="HD3C8F18993954C9083DDDA6CF764FE85"><enum>(iv)</enum><text>a
change resulting from the business practice; and</text>
</clause></subparagraph></paragraph><paragraph id="HA287E25F78E04237B37A335DAF937BFF"><enum>(3)</enum><text>using automated
processes to the maximum extent possible—</text>
<subparagraph id="H4947ECBE44FB4953976D7C417E65334C"><enum>(A)</enum><text>to increase
information system security;</text>
</subparagraph><subparagraph id="HB4181A10297A4517A64021D3393AB416"><enum>(B)</enum><text>to reduce
paper-based reporting requirements; and</text>
</subparagraph><subparagraph id="H5BC92CF4A1924278A8E97F63BE286C46"><enum>(C)</enum><text>to maintain timely
and actionable knowledge of the state of the information system
security.</text>
</subparagraph></paragraph></subsection><subsection id="H18119BC0A18E43B88AC73AADCFA06B64"><enum>(b)</enum><header>Standards</header><text>The
National Institute of Standards and Technology may promulgate standards, in
coordination with the Secretary of Homeland Security, to assist an agency with
its duties under this section.</text>
</subsection><subsection id="H9F1875EBBF3E4ABB83769E12A64E8E82"><enum>(c)</enum><header>Compliance</header><text>The
head of each appropriate department and agency shall be responsible for
ensuring compliance and implementing necessary procedures to comply with this
section. The head of each appropriate department and agency, in consultation
with the Director of the Office of Management and Budget and the Secretary of
Homeland Security, shall—</text>
<paragraph id="H795629DDB81E4608B7AB815A38ABF2B0"><enum>(1)</enum><text>monitor compliance
under this section;</text>
</paragraph><paragraph id="H03830A7D0AA0477DA976882A75E7AC40"><enum>(2)</enum><text>develop a timeline
and implement for the department or agency—</text>
<subparagraph id="HBB1BAF84B1C34F30A39116CED4130C69"><enum>(A)</enum><text>adoption of any
technology, system, or method that facilitates continuous monitoring and threat
assessments of an agency information system;</text>
</subparagraph><subparagraph id="H00C37EF56AA94D67BEFF046BDBF29EC4"><enum>(B)</enum><text>adoption or
updating of any technology, system, or method that prevents, detects, or
remediates a significant cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably likely to impede, the
performance of a critical mission of the department or agency; and</text>
</subparagraph><subparagraph id="HC8C942415FEE4AA7AF8BFB52A7626761"><enum>(C)</enum><text>adoption of any
technology, system, or method that satisfies a requirement under this
section.</text>
</subparagraph></paragraph></subsection><subsection id="HA2F432CD068340C1A8F537610152861F"><enum>(d)</enum><header>Limitation of
Authority</header><text>The authorities of the Director of the Office of
Management and Budget and of the Secretary of Homeland Security under this
section shall not apply to national security systems.</text>
</subsection><subsection id="H1A56150CF4AF48469786A33B81809ABC"><enum>(e)</enum><header>Report</header><text>Not
later than 6 months after the date of enactment of the
<short-title>Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2013</short-title>, the Government Accountability Office shall issue a report
evaluating each agency's status toward implementing this section.</text>
</subsection></section><section id="H69E12BB3C88C480A9FCB84DCDAC123AE"><enum>3556.</enum><header>Independent
evaluations</header>
<subsection commented="no" id="H7BC614A03EB340ABB967299F05F2755B"><enum>(a)</enum><header>In
general</header><text display-inline="yes-display-inline">The Council of the
Inspectors General on Integrity and Efficiency, in consultation with the
Director and the Secretary of Homeland Security, the Secretary of Commerce, and
the Secretary of Defense, shall issue and maintain criteria for the timely,
cost-effective, risk-based, and independent evaluation of each agencywide
information security program (and practices) to determine the effectiveness of
the agencywide information security program (and practices). The criteria shall
include measures to assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security program includes
appropriate safeguards against disclosure of information where such disclosure
may adversely affect information security.</text>
</subsection><subsection commented="no" id="H86F38DEBE6514D578DE990EC7559FE35"><enum>(b)</enum><header>Annual
independent evaluations</header><text display-inline="yes-display-inline">Each
agency shall perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance with the criteria
under subsection (a).</text>
</subsection><subsection commented="no" id="HB2976F7AA14E4C6FB0C72A14FAAA0C31"><enum>(c)</enum><header>Distribution of
reports</header><text display-inline="yes-display-inline">Not later than 30
days after receiving an independent evaluation under subsection (b), each
agency head shall transmit a copy of the independent evaluation to the
Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of
Defense.</text>
</subsection><subsection commented="no" id="HABBFDE7DC6F84EA3B82A55C6607C9F9B"><enum>(d)</enum><header>National
security systems</header><text display-inline="yes-display-inline">Evaluations
involving national security systems shall be conducted as directed by
President.</text>
</subsection></section><section commented="no" id="HBA945ECB87BD4CCE96042A193C4980F6"><enum>3557.</enum><header>National
security systems.</header><text display-inline="no-display-inline">The head of
each agency operating or exercising control of a national security system shall
be responsible for ensuring that the agency—</text>
<paragraph commented="no" id="HDC3906BAA47B443092EAC3BEBFEDE155"><enum>(1)</enum><text display-inline="yes-display-inline">provides information security protections
commensurate with the risk and magnitude of the harm resulting from the
unauthorized access, use, disclosure, disruption, modification, or destruction
of the information contained in such system; and</text>
</paragraph><paragraph commented="no" id="HF722607F98814AFA9493E9E4BE4AABBD"><enum>(2)</enum><text display-inline="yes-display-inline">implements information security policies
and practices as required by standards and guidelines for national security
systems, issued in accordance with law and as directed by the
President.</text>
</paragraph></section></subchapter><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection><subsection id="HFF219649742F45FD94551791419DDCA7"><enum>(b)</enum><header>Savings
Provisions</header>
<paragraph id="H34EC9C156FED4D4E811543F762EBEB67"><enum>(1)</enum><header>Policy and
compliance guidance</header><text display-inline="yes-display-inline">Policy
and compliance guidance issued by the Director before the date of enactment of
this Act under <external-xref legal-doc="usc" parsable-cite="usc/44/3543">section 3543(a)(1)</external-xref> of title 44, United States Code (as in effect
on the day before the date of enactment of this Act), shall continue in effect,
according to its terms, until modified, terminated, superseded, or repealed
pursuant to <external-xref legal-doc="usc" parsable-cite="usc/44/3553">section 3553(a)(1)</external-xref> of title 44, United States Code.</text>
</paragraph><paragraph id="HC937CD5F02F142458989B3B28DABA45E"><enum>(2)</enum><header>Standards and
guidelines</header><text display-inline="yes-display-inline">Standards and
guidelines issued by the Secretary of Commerce or by the Director before the
date of enactment of this Act under <external-xref legal-doc="usc" parsable-cite="usc/40/11331">section 11331(a)(1)</external-xref> of title 40, United
States Code, (as in effect on the day before the date of enactment of this Act)
shall continue in effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to <external-xref legal-doc="usc" parsable-cite="usc/40/11331">section 11331(a)(1)</external-xref> of title 40, United
States Code, as amended by this Act.</text>
</paragraph></subsection><subsection id="H7F80E3C0B6A34F779087FFE69D688E59"><enum>(c)</enum><header>Technical and
conforming amendments</header>
<paragraph id="H79E6D85645884DB5AC458A7B420A15FB"><enum>(1)</enum><header>Chapter
analysis</header><text display-inline="yes-display-inline">The chapter analysis
for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended—</text>
<subparagraph id="H0C57A0F8EA764FAC82614490941608B8"><enum>(A)</enum><text display-inline="yes-display-inline">by striking the items relating to sections
3531 through 3538;</text>
</subparagraph><subparagraph id="H2DB46B0A3AD3484DA115480F5103E63F"><enum>(B)</enum><text display-inline="yes-display-inline">by striking the items relating to sections
3541 through 3549; and</text>
</subparagraph><subparagraph id="HBC088D93DCA54F429F4DDCDF0C115FAF"><enum>(C)</enum><text display-inline="yes-display-inline">by inserting the following:</text>
<quoted-block display-inline="no-display-inline" id="H4AB55B16C1DC4A17947FCA3DD10DB794" style="OLC">
<toc>
<toc-entry bold="off" level="section">3551. Purposes.</toc-entry>
<toc-entry bold="off" level="section">3552. Definitions.</toc-entry>
<toc-entry bold="off" level="section">3553. Federal information
security authority and coordination.</toc-entry>
<toc-entry bold="off" level="section">3554. Agency
responsibilities.</toc-entry>
<toc-entry bold="off" level="section">3555. Multiagency ongoing
threat assessment.</toc-entry>
<toc-entry bold="off" level="section">3556. Independent
evaluations.</toc-entry>
<toc-entry bold="off" level="section">3557. National security
systems.</toc-entry>
</toc>
<after-quoted-block>.</after-quoted-block></quoted-block>
</subparagraph></paragraph><paragraph id="H2B8F96A0EB324C918B89A670E20BA4A2"><enum>(2)</enum><header>Other
references</header>
<subparagraph id="H95621C05AB324875ABADDD04DB625FE5"><enum>(A)</enum><text display-inline="yes-display-inline">Section 1001(c)(1)(A) of the Homeland
Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/511">6 U.S.C. 511(1)(A)</external-xref>) is amended by striking <quote>section
3532(3)</quote> and inserting <quote>section 3552</quote>.</text>
</subparagraph><subparagraph id="H097EA2F3B114466F80CA4ED6BA4E6B76"><enum>(B)</enum><text display-inline="yes-display-inline"><external-xref legal-doc="usc" parsable-cite="usc/10/2222">Section 2222(j)(5)</external-xref> of title 10, United
States Code, is amended by striking <quote>section 3542(b)(2)</quote> and
inserting <quote>section 3552</quote>.</text>
</subparagraph><subparagraph id="HF03C1193C7FB474FBA3ED1F1F5BE25D8"><enum>(C)</enum><text display-inline="yes-display-inline"><external-xref legal-doc="usc" parsable-cite="usc/10/2223">Section 2223(c)(3)</external-xref> of title 10, United
States Code, is amended, by striking <quote>section 3542(b)(2)</quote> and
inserting <quote>section 3552</quote>.</text>
</subparagraph><subparagraph id="H120F51A735BB4CBEADBF2BD8F02B909B"><enum>(D)</enum><text display-inline="yes-display-inline"><external-xref legal-doc="usc" parsable-cite="usc/10/2315">Section 2315</external-xref> of title 10, United States
Code, is amended by striking <quote>section 3542(b)(2)</quote> and inserting
<quote>section 3552</quote>.</text>
</subparagraph><subparagraph id="H148513ED870B4F608A5A6154E0F0FE02"><enum>(E)</enum><text display-inline="yes-display-inline">Section 20 of the National Institute of
Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>) is amended—</text>
<clause id="H269E1A2075014DBF9CA301EFBBFAC874"><enum>(i)</enum><text display-inline="yes-display-inline">in subsection (a)(2), by striking
<quote>section 3532(b)(2)</quote> and inserting <quote>section
3552</quote>;</text>
</clause><clause id="H8D178D9CBEC9478695BE8DFC8C271AE3"><enum>(ii)</enum><text>in
subsection (c)(3), by striking <quote>Director of the Office of Management and
Budget</quote> and inserting <quote>Secretary of Commerce</quote>;</text>
</clause><clause id="HA5D08ACDBA404377B132F323531FDB75"><enum>(iii)</enum><text>in
subsection (d)(1), by striking <quote>Director of the Office of Management and
Budget</quote> and inserting <quote>Secretary of Commerce</quote>;</text>
</clause><clause id="HCCC6DBE932B9416ABDD2428494D3E320"><enum>(iv)</enum><text>in
subsection (d)(8) by striking <quote>Director of the Office of Management and
Budget</quote> and inserting <quote>Secretary of Commerce</quote>;</text>
</clause><clause id="HA6CE10F395A740E787A87A0E967834B8"><enum>(v)</enum><text>in
subsection (d)(8), by striking <quote>submitted to the Director</quote> and
inserting <quote>submitted to the Secretary</quote>;</text>
</clause><clause id="H6BE97E50DD9B4181859B2F4269EE4B28"><enum>(vi)</enum><text>in
subsection (e)(2), by striking <quote>section 3532(1) of such title</quote> and
inserting <quote>section 3552 of title 44</quote>; and</text>
</clause><clause id="H8FEAFF81073741A5974E382D7A5EAB00"><enum>(vii)</enum><text>in
subsection (e)(5), by striking <quote>section 3532(b)(2) of such title</quote>
and inserting <quote>section 3552 of title 44</quote>.</text>
</clause></subparagraph><subparagraph id="H0E7C1A11DD0348658C24FBA68198D8D6"><enum>(F)</enum><text display-inline="yes-display-inline">Section 8(d)(1) of the Cyber Security
Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7406">15 U.S.C. 7406(d)(1)</external-xref>) is amended by striking
<quote>section 3534(b)</quote> and inserting <quote>section
3554(b)(2)</quote>.</text>
</subparagraph></paragraph></subsection></section><section id="HD327B4960D4647FB98C72DCF684ED759"><enum>202.</enum><header>Management of
information technology</header>
<subsection id="H2F77338AD1A04986AB5431F3BB0303DB"><enum>(a)</enum><header>In
general</header><text display-inline="yes-display-inline">Section 11331 of
title 40, United States Code, is amended to read as follows:</text>
<quoted-block display-inline="no-display-inline" id="HA905A80D35084AAB994B26F31CD563BD" style="USC">
<section id="HD3D8C8B469BA4B94AA61FFBF9C8E6E93"><enum>11331.</enum><header>Responsibilities
for Federal information systems standards</header>
<subsection id="H010901A8BD844DEB8BFE4A5FA4A2995E"><enum>(a)</enum><header>Standards and
guidelines</header>
<paragraph id="H49F2DC5C5FA9451EA331ED8A2FCF559A"><enum>(1)</enum><header>Authority to
prescribe</header><text display-inline="yes-display-inline">Except as provided
under paragraph (2), the Secretary of Commerce shall prescribe standards and
guidelines pertaining to Federal information systems—</text>
<subparagraph id="H7EA24BD3308D48DC936F7457D1FD4686"><enum>(A)</enum><text display-inline="yes-display-inline">in consultation with the Secretary of
Homeland Security; and</text>
</subparagraph><subparagraph id="HCA3F8A1A5AA543E69B9AD65F7C36DD0F"><enum>(B)</enum><text display-inline="yes-display-inline">on the basis of standards and guidelines
developed by the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National Institute of Standards
and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3(a)(2)</external-xref> and (a)(3)).</text>
</subparagraph></paragraph><paragraph id="HCAC3A1CCBD254261AAC3125A1FE2754E"><enum>(2)</enum><header>National
security systems</header><text display-inline="yes-display-inline">Standards
and guidelines for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as directed by the
President.</text>
</paragraph></subsection><subsection id="HBB1C1FF625004350BF1F0FB662ADBA66"><enum>(b)</enum><header>Mandatory
standards and guidelines</header>
<paragraph id="H908209405E184E0681976E493866B86D"><enum>(1)</enum><header>Authority to
make mandatory standards and guidelines</header><text display-inline="yes-display-inline">The Secretary of Commerce shall make
standards and guidelines under subsection (a)(1) compulsory and binding to the
extent determined necessary by the Secretary of Commerce to improve the
efficiency of operation or security of Federal information systems.</text>
</paragraph><paragraph id="H149552E35B454EE2A58A740811512E60"><enum>(2)</enum><header>Required
mandatory standards and guidelines</header>
<subparagraph id="H8C24F422D49D4AAFBE14DCF7ED334A0F"><enum>(A)</enum><header>In
general</header><text display-inline="yes-display-inline">Standards and
guidelines under subsection (a)(1) shall include information security standards
that—</text>
<clause id="HA89D20E3A22E4187822205C4DDEA4DF4"><enum>(i)</enum><text display-inline="yes-display-inline">provide minimum information security
requirements as determined under section 20(b) of the National Institute of
Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3(b)</external-xref>); and</text>
</clause><clause id="H99E69ECF8D9E40ECA06A278F98DB8673"><enum>(ii)</enum><text display-inline="yes-display-inline">are otherwise necessary to improve the
security of Federal information and information systems.</text>
</clause></subparagraph><subparagraph id="H25131E7850684B0FB9AA0AB938070996"><enum>(B)</enum><header>Binding
effect</header><text display-inline="yes-display-inline">Information security
standards under subparagraph (A) shall be compulsory and binding.</text>
</subparagraph></paragraph></subsection><subsection id="H4F4722BDAA84488D9E32F2E739FAA253"><enum>(c)</enum><header>Exercise of
authority</header><text display-inline="yes-display-inline">To ensure fiscal
and policy consistency, the Secretary of Commerce shall exercise the authority
conferred by this section subject to direction by the President and in
coordination with the Director.</text>
</subsection><subsection id="HD8A825231A864B7FA894CC805D42250E"><enum>(d)</enum><header>Application of
more stringent standards and guidelines</header><text display-inline="yes-display-inline">The head of an executive agency may employ
standards for the cost-effective information security for information systems
within or under the supervision of that agency that are more stringent than the
standards and guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines—</text>
<paragraph id="HEF38F8D0904D482C8919411669BFB88C"><enum>(1)</enum><text display-inline="yes-display-inline">contain at least the applicable standards
and guidelines made compulsory and binding by the Secretary of Commerce;
and</text>
</paragraph><paragraph id="H44B9003B908C49FE9D0AAC2A015CB537"><enum>(2)</enum><text display-inline="yes-display-inline">are otherwise consistent with the policies,
directives, and implementation memoranda issued under section 3553(a) of title
44.</text>
</paragraph></subsection><subsection id="H7122D20DD9064842A7883B94A9AC253A"><enum>(e)</enum><header>Decisions on
promulgation of standards and guidelines</header><text display-inline="yes-display-inline">The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under this section
shall occur not later than 6 months after the date of submission of the
proposed standard to the Secretary of Commerce by the National Institute of
Standards and Technology under section 20 of the National Institute of
Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>).</text>
</subsection><subsection commented="no" id="HCAD8D6977AEA49D8A2D5E4B043DC1087"><enum>(f)</enum><header>Notice and
comment</header><text display-inline="yes-display-inline">A decision by the
Secretary of Commerce to significantly modify, or not promulgate, a proposed
standard submitted to the Secretary by the National Institute of Standards and
Technology under section 20 of the National Institute of Standards and
Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>) shall be made after the public is given an
opportunity to comment on the Secretary’s proposed decision.</text>
</subsection><subsection id="H72CBEDDC86224370AAD123CDDA22598A"><enum>(g)</enum><header>Definitions</header><text display-inline="yes-display-inline">In this section:</text>
<paragraph id="HA4712C15EF864912BDE541E70A2B9CBA"><enum>(1)</enum><header>Federal
information system</header><text display-inline="yes-display-inline">The term
<term>Federal information system</term> has the meaning given the term in
<external-xref legal-doc="usc" parsable-cite="usc/44/3552">section 3552</external-xref> of title 44.</text>
</paragraph><paragraph id="HBE301DAEBD714E1EB813932B22C6B3C9"><enum>(2)</enum><header>Information
security</header><text display-inline="yes-display-inline">The term
<term>information security</term> has the meaning given the term in section
3552 of title 44.</text>
</paragraph><paragraph id="H0BCA42784D2840A98DD6FBFA1EBCF496"><enum>(3)</enum><header>National
security system</header><text display-inline="yes-display-inline">The term
<term>national security system</term> has the meaning given the term in section
3552 of title
44.</text>
</paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection></section><section id="H818C6E0CAE724E3EA721689DC387C7E3"><enum>203.</enum><header>No new
funding</header><text display-inline="no-display-inline">An applicable Federal
agency shall carry out the provisions of this title with existing facilities
and funds otherwise available, through such means as the head of the agency
considers appropriate.</text>
</section><section id="HB4678208BD97403BA0BF2E2933CAA97B"><enum>204.</enum><header>Technical and
conforming amendments</header><text display-inline="no-display-inline">Section
21(b) of the National Institute of Standards and Technology Act (15 U.S.C.
278g–4(b)) is amended—</text>
<paragraph id="HE318F9A5E854469082DC2F37630AE272"><enum>(1)</enum><text display-inline="yes-display-inline">in paragraph (2), by striking <quote>and
the Director of the Office of Management and Budget</quote> and inserting
<quote>, the Secretary of Commerce, and the Secretary of Homeland
Security</quote>; and</text>
</paragraph><paragraph id="HD12350DFBE4E432281D7071F9872A955"><enum>(2)</enum><text>in paragraph (3),
by inserting <quote>, the Secretary of Homeland Security,</quote> after
<quote>the Secretary of Commerce</quote>.</text>
</paragraph></section><section id="H1087D63803EF4765A7C43A7E709BB813"><enum>205.</enum><header>Clarification
of authorities</header><text display-inline="no-display-inline">Nothing in this
title shall be construed to convey any new regulatory authority to any
government entity implementing or complying with any provision of this
title.</text>
</section><enum>III</enum><header>Criminal
penalties</header>
<section id="HEEDBB0494EA64273A7E4E1B50F47F39E"><enum>301.</enum><header>Penalties for
fraud and related activity in connection with computers</header><text display-inline="no-display-inline"><external-xref legal-doc="usc" parsable-cite="usc/18/1030">Section 1030(c)</external-xref> of title 18, United States
Code, is amended to read as follows:</text>
<quoted-block display-inline="no-display-inline" id="HB4AA101EDD4F45C6BD65298301838C03" style="USC">
<subsection id="H80F1AC7D9EF74E768BFDD5AC00DF1D13"><enum>(c)</enum><text display-inline="yes-display-inline">The punishment for an offense under
subsection (a) or (b) of this section is—</text>
<paragraph id="H35AB59E4846741EDACF3E5A8F458ED22"><enum>(1)</enum><text display-inline="yes-display-inline">a fine under this title or imprisonment for
not more than 20 years, or both, in the case of an offense under subsection
(a)(1) of this section;</text>
</paragraph><paragraph id="HFE611B84D8984F428DF9B8C407DC6C34"><enum>(2)</enum><subparagraph commented="no" display-inline="yes-display-inline" id="HE651F5676AD64276AF2642846E546DCD"><enum>(A)</enum><text display-inline="yes-display-inline">except as provided in subparagraph (B), a
fine under this title or imprisonment for not more than 3 years, or both, in
the case of an offense under subsection (a)(2); or</text>
</subparagraph><subparagraph id="H84C888AE9F264DEF8FDE999ED3340145"><enum>(B)</enum><text display-inline="yes-display-inline">a fine under this title or imprisonment for
not more than ten years, or both, in the case of an offense under subsection
(a)(2) of this section, if—</text>
<clause id="HAF4436BA79254F9B82A12C3506ADE6F5"><enum>(i)</enum><text display-inline="yes-display-inline">the offense was committed for purposes of
commercial advantage or private financial gain;</text>
</clause><clause id="HD69888E9B4B84C35B79C688592A6FECE"><enum>(ii)</enum><text display-inline="yes-display-inline">the offense was committed in the
furtherance of any criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or</text>
</clause><clause id="HFD511BAE753245459C5857C925631CE3"><enum>(iii)</enum><text display-inline="yes-display-inline">the value of the information obtained, or
that would have been obtained if the offense was completed, exceeds
$5,000;</text>
</clause></subparagraph></paragraph><paragraph id="H940FE32FFA944BFAA451482D1E2B83B8"><enum>(3)</enum><text display-inline="yes-display-inline">a fine under this title or imprisonment for
not more than 10 years, or both, in the case of an offense under subsection
(a)(3) of this section;</text>
</paragraph><paragraph id="H63EBEB298CBF4999BC8B70D5C62486D6"><enum>(4)</enum><text display-inline="yes-display-inline">a fine under this title or imprisonment of
not more than 20 years, or both, in the case of an offense under subsection
(a)(4) of this section;</text>
</paragraph><paragraph id="H210BF701A9244877896255EBC8F63D29"><enum>(5)</enum><subparagraph commented="no" display-inline="yes-display-inline" id="H068E0D2D598943B5B87FF51EC9E76D40"><enum>(A)</enum><text display-inline="yes-display-inline">except as provided in subparagraph (C), a
fine under this title, imprisonment for not more than 20 years, or both, in the
case of an offense under subsection (a)(5)(A) of this section, if the offense
caused—</text>
<clause id="HE57D0AEC1ED040B98D198A0B81D8D510"><enum>(i)</enum><text display-inline="yes-display-inline">loss to 1 or more persons during any 1-year
period (and, for purposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from a related course of
conduct affecting 1 or more other protected computers) aggregating at least
$5,000 in value;</text>
</clause><clause id="HBF7BF6A681A64A65871075E3E47343B8"><enum>(ii)</enum><text display-inline="yes-display-inline">the modification or impairment, or
potential modification or impairment, of the medical examination, diagnosis,
treatment, or care of 1 or more individuals;</text>
</clause><clause id="HCEE12F1B93604D22B9115A5D9A72A257"><enum>(iii)</enum><text display-inline="yes-display-inline">physical injury to any person;</text>
</clause><clause id="H77FA49067D594744A854071BC3D11E87"><enum>(iv)</enum><text display-inline="yes-display-inline">a threat to public health or safety;</text>
</clause><clause id="H12B328ED3D2E414CB597BBF5AD5ADF05"><enum>(v)</enum><text display-inline="yes-display-inline">damage affecting a computer used by, or on
behalf of, an entity of the United States Government in furtherance of the
administration of justice, national defense, or national security; or</text>
</clause><clause id="H78A4C3AA304643B485177BD1800D2093"><enum>(vi)</enum><text display-inline="yes-display-inline">damage affecting 10 or more protected
computers during any 1-year period;</text>
</clause></subparagraph><subparagraph id="HD298EBE3B77E4BEFAF48746C6E34F99C"><enum>(B)</enum><text display-inline="yes-display-inline">a fine under this title, imprisonment for
not more than 20 years, or both, in the case of an offense under subsection
(a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of
subparagraph (A) of this subsection;</text>
</subparagraph><subparagraph id="HAA381E43D78D4AF2809C07F64C4C6D21"><enum>(C)</enum><text display-inline="yes-display-inline">if the offender attempts to cause or
knowingly or recklessly causes death from conduct in violation of subsection
(a)(5)(A), a fine under this title, imprisonment for any term of years or for
life, or both;</text>
</subparagraph><subparagraph id="HC8E48B6896A948A9A4A37C43A4722E93"><enum>(D)</enum><text display-inline="yes-display-inline">a fine under this title, imprisonment for
not more than 10 years, or both, for any other offense under subsection
(a)(5);</text>
</subparagraph><subparagraph id="H981180AD3F7144A7B41460C368926903"><enum>(E)</enum><text display-inline="yes-display-inline">a fine under this title or imprisonment for
not more than 10 years, or both, in the case of an offense under subsection
(a)(6) of this section; or</text>
</subparagraph><subparagraph id="H9847BD5ACD064D03824B7C257892535A"><enum>(F)</enum><text display-inline="yes-display-inline">a fine under this title or imprisonment for
not more than 10 years, or both, in the case of an offense under subsection
(a)(7) of this
section.</text>
</subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block>
</section><section id="H81308686D1C3472E82BE57F12A8A8512"><enum>302.</enum><header>Trafficking in
passwords</header><text display-inline="no-display-inline">Section 1030(a)(6)
of title 18, United States Code, is amended to read as follows:</text>
<quoted-block display-inline="no-display-inline" id="H99D4BD57AE1A464C898131011A0C56BA" style="OLC">
<paragraph id="H9F7FDEE1CE354C02AD0844960BD7C15B"><enum>(6)</enum><text display-inline="yes-display-inline">knowingly and with intent to defraud
traffics (as defined in section 1029) in any password or similar information or
means of access through which a protected computer (as defined in subparagraphs
(A) and (B) of subsection (e)(2)) may be accessed without
authorization.</text>
</paragraph><after-quoted-block>.</after-quoted-block></quoted-block>
</section><section id="H8E537A25C07F4042B0063F51287EA97E"><enum>303.</enum><header>Conspiracy and
attempted computer fraud offenses</header><text display-inline="no-display-inline"><external-xref legal-doc="usc" parsable-cite="usc/18/1030">Section 1030(b)</external-xref> of title 18, United States
Code, is amended by inserting <quote>as if for the completed offense</quote>
after <quote>punished as provided</quote>.</text>
</section><section id="H5FB1FEE654EB489BBE057FA15CC5D9EA"><enum>304.</enum><header>Criminal and
civil forfeiture for fraud and related activity in connection with
computers</header><text display-inline="no-display-inline">Section 1030 of
title 18, United States Code, is amended by striking subsections (i) and (j)
and inserting the following:</text>
<quoted-block display-inline="no-display-inline" id="H8B4306AFDD0943ED86B972D70518D3F8" style="USC">
<subsection id="HE9FB0EECE069487D883CDA405669A51C"><enum>(i)</enum><header>Criminal
forfeiture</header>
<paragraph id="H77319B4DADCA49C4915513EEBC7FF0B2"><enum>(1)</enum><text display-inline="yes-display-inline">The court, in imposing sentence on any
person convicted of a violation of this section, or convicted of conspiracy to
violate this section, shall order, in addition to any other sentence imposed
and irrespective of any provision of State law, that such person forfeit to the
United States—</text>
<subparagraph id="H50547E51CF564D5AA4011A4EE074EC41"><enum>(A)</enum><text display-inline="yes-display-inline">such persons interest in any property, real
or personal, that was used, or intended to be used, to commit or facilitate the
commission of such violation; and</text>
</subparagraph><subparagraph id="HFFD3125C85744E9A8F0FE4FC5C443848"><enum>(B)</enum><text display-inline="yes-display-inline">any property, real or personal,
constituting or derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or indirectly, as a result
of such violation.</text>
</subparagraph></paragraph><paragraph id="H869513B23E24432E8A5353C304BD2D14"><enum>(2)</enum><text display-inline="yes-display-inline">The criminal forfeiture of property under
this subsection, including any seizure and disposition of the property, and any
related judicial or administrative proceeding, shall be governed by the
provisions of section 413 of the Comprehensive Drug Abuse Prevention and
Control Act of 1970 (<external-xref legal-doc="usc" parsable-cite="usc/21/853">21 U.S.C. 853</external-xref>), except subsection (d) of that
section.</text>
</paragraph></subsection><subsection id="HB47E6C83C61F4DD5982CAAB2A844F500"><enum>(j)</enum><header>Civil
forfeiture</header>
<paragraph id="H5A125C49C2D34843AC3331141E9943B3"><enum>(1)</enum><text display-inline="yes-display-inline">The following shall be subject to
forfeiture to the United States and no property right, real or personal, shall
exist in them:</text>
<subparagraph id="H4D1475E8C4404CC6A53FC2046497C024"><enum>(A)</enum><text display-inline="yes-display-inline">Any property, real or personal, that was
used, or intended to be used, to commit or facilitate the commission of any
violation of this section, or a conspiracy to violate this section.</text>
</subparagraph><subparagraph id="HD38F498BD95F4A35A565DE71B53C209C"><enum>(B)</enum><text display-inline="yes-display-inline">Any property, real or personal,
constituting or derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a result of the
commission of any violation of this section, or a conspiracy to violate this
section.</text>
</subparagraph></paragraph><paragraph id="HF90CC74FE6F849168D1CCCF2F31F364C"><enum>(2)</enum><text display-inline="yes-display-inline">Seizures and forfeitures under this
subsection shall be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the Secretary of the
Treasury under the customs laws described in section 981(d) shall be performed
by such officers, agents and other persons as may be designated for that
purpose by the Secretary of Homeland Security or the Attorney
General.</text>
</paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block>
</section><section id="H33309847DD2F448697129522C180815B"><enum>305.</enum><header>Damage to
critical infrastructure computers</header>
<subsection id="HDDCCE1E7F71F49B2AACF592C27FDAD5D"><enum>(a)</enum><header>In
general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/18/47">Chapter 47</external-xref> of title 18, United States Code, is amended by
inserting after section 1030 the following:</text>
<quoted-block display-inline="no-display-inline" id="HD375738C90D747BCA32A0807CAB28372" style="USC">
<section id="HEDC024C41C464016BF4FE79899F1987E"><enum>1030A.</enum><header>Aggravated
damage to a critical infrastructure computer</header>
<subsection id="H28DBF95B1DF1461186E0B8281903DC22"><enum>(a)</enum><header>Definitions</header><text>In
this section—</text>
<paragraph id="H709A85C1478A436F96C5E8D7B71E0F90"><enum>(1)</enum><text>the term
<term>computer</term> has the meaning given the term in section 1030;</text>
</paragraph><paragraph id="HD03CFF7B35AC4D3DAA154F7A0B985161"><enum>(2)</enum><text>the term
<term>critical infrastructure computer</term> means a computer that manages or
controls systems or assets vital to national defense, national security,
national economic security, public health or safety, or any combination of
those matters, whether publicly or privately owned or operated,
including—</text>
<subparagraph id="HD2D084383F3A4465BCB790B1096427DD"><enum>(A)</enum><text>oil and gas
production, storage, conversion, and delivery systems;</text>
</subparagraph><subparagraph id="H3F9C7439EC094CF199DF999573F5AFBF"><enum>(B)</enum><text>water supply
systems;</text>
</subparagraph><subparagraph id="H19B7B91F90894F8E83FE9FE11637C0F0"><enum>(C)</enum><text>telecommunication
networks;</text>
</subparagraph><subparagraph id="HBBAB6D67B1554B7381F4F8AB7E179F98"><enum>(D)</enum><text>electrical power
generation and delivery systems;</text>
</subparagraph><subparagraph id="H05D2E2FB474149F986F0D82CCC41CFC7"><enum>(E)</enum><text>finance and
banking systems;</text>
</subparagraph><subparagraph id="H1E53B0EA4BAF4328B13AA011985BEDF3"><enum>(F)</enum><text>emergency
services;</text>
</subparagraph><subparagraph id="HD1722E9BA5C64914A1DD015E9CCDE461"><enum>(G)</enum><text>transportation
systems and services; and</text>
</subparagraph><subparagraph id="H7398DA7BBE6944D3BEC2D6EEB814C0AB"><enum>(H)</enum><text>government
operations that provide essential services to the public; and</text>
</subparagraph></paragraph><paragraph id="H758CE51EEC1943C19B3512ED27BB3868"><enum>(3)</enum><text>the term
<term>damage</term> has the meaning given the term in section 1030.</text>
</paragraph></subsection><subsection id="HBC389DCAD2854E76A6BBE0E25DFD1E92"><enum>(b)</enum><header>Offense</header><text>It
shall be unlawful, during and in relation to a felony violation of section
1030, to knowingly cause or attempt to cause damage to a critical
infrastructure computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the substantial
impairment—</text>
<paragraph id="H2605EC6ED62B402A8CFEB8AD69029034"><enum>(1)</enum><text>of the operation
of the critical infrastructure computer; or</text>
</paragraph><paragraph id="H3C50165A76514759BD2690B1992DBF89"><enum>(2)</enum><text>of the critical
infrastructure associated with the computer.</text>
</paragraph></subsection><subsection id="H283B7DC16C3042139075B7779F5ECE29"><enum>(c)</enum><header>Penalty</header><text>Any
person who violates subsection (b) shall be—</text>
<paragraph id="H93C1DFF2DA1E4D8DA64A5CA70F774959"><enum>(1)</enum><text>fined under this
title;</text>
</paragraph><paragraph id="HDE74C7FC371F49B18D124B118D7D3156"><enum>(2)</enum><text>imprisoned for not
less than 3 years but not more than 20 years; or</text>
</paragraph><paragraph id="HDE400DC6BD874D27AE697AF38F8648D1"><enum>(3)</enum><text>penalized under
paragraphs (1) and (2).</text>
</paragraph></subsection><subsection id="H8B9FDF7DDF6C4F819FCEB43F65DB9816"><enum>(d)</enum><header>Consecutive
sentence</header><text>Notwithstanding any other provision of law—</text>
<paragraph id="HC5AD1BE675F44E3A85759714ADA3C3F1"><enum>(1)</enum><text>a court shall not
place on probation any person convicted of a violation of this section;</text>
</paragraph><paragraph id="H8EAD785D371A4266843B1E8E08C5C1FD"><enum>(2)</enum><text>except as provided
in paragraph (4), no term of imprisonment imposed on a person under this
section shall run concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any other provision of
law, including any term of imprisonment imposed for a felony violation of
section 1030;</text>
</paragraph><paragraph id="H46327E9C60214C97BE9D1959E376A642"><enum>(3)</enum><text>in determining any
term of imprisonment to be imposed for a felony violation of section 1030, a
court shall not in any way reduce the term to be imposed for such crime so as
to compensate for, or otherwise take into account, any separate term of
imprisonment imposed or to be imposed for a violation of this section;
and</text>
</paragraph><paragraph id="HA30DB27CAE614EBFAE70BDC9D025EDA2"><enum>(4)</enum><text>a term of
imprisonment imposed on a person for a violation of this section may, in the
discretion of the court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at the same time on
that person for an additional violation of this section, provided that such
discretion shall be exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing Commission pursuant to
section 994 of title
28.</text>
</paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection><subsection id="H54AFCAB9D6714DBE9D3A4498AE7C2680"><enum>(b)</enum><header>Technical and
conforming amendment</header><text>The chapter analysis for chapter 47 of title
18, United States Code, is amended by inserting after the item relating to
section 1030 the following:</text>
<quoted-block display-inline="no-display-inline" id="H0C931C2869FF468DB6829573E9103C64" style="OLC">
<toc>
<toc-entry bold="off" level="section">1030A. Aggravated damage to a
critical infrastructure
computer.</toc-entry>
</toc>
<after-quoted-block>.</after-quoted-block></quoted-block>
</subsection></section><section id="H7E535A2F417C4AAEA8D8575376DBD55D"><enum>306.</enum><header>Limitation on
actions involving unauthorized use</header><text display-inline="no-display-inline"><external-xref legal-doc="usc" parsable-cite="usc/18/1030">Section 1030(e)(6)</external-xref> of title 18, United
States Code, is amended by striking <quote>alter;</quote> and inserting
<quote>alter, but does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or terms of service
agreement, with an Internet service provider, Internet website, or
non-government employer, if such violation constitutes the sole basis for
determining that access to a protected computer is
unauthorized;</quote>.</text>
</section><section id="HF91E00A8A7B145139B8F83E6BC01FFBD"><enum>307.</enum><header>No new
funding</header><text display-inline="no-display-inline">An applicable Federal
agency shall carry out the provisions of this title with existing facilities
and funds otherwise available, through such means as the head of the agency
considers appropriate.</text>
</section><enum>IV</enum><header>Cybersecurity
research and development</header>
<section id="H94B60307E08B4D6AA2CC4988FD305701"><enum>401.</enum><header>National
High-Performance Computing Program planning and coordination</header>
<subsection id="H4BF0CCE3E8F6468F9DD6736554887B83"><enum>(a)</enum><header>Goals and
priorities</header><text>Section 101 of the High-Performance Computing Act of
1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511</external-xref>) is amended by adding at the end the following:</text>
<quoted-block display-inline="no-display-inline" id="H3C4429CB98C4421A822A043E00DE0591" style="OLC">
<subsection id="H259AF52963B146F188DCEDD086C860BD"><enum>(d)</enum><header>Goals and
priorities</header><text>The goals and priorities for Federal high-performance
computing research, development, networking, and other activities under
subsection (a)(2)(A) shall include—</text>
<paragraph id="H34CF95BDEAF44F0BBCC5352DD6444738"><enum>(1)</enum><text>encouraging and
supporting mechanisms for interdisciplinary research and development in
networking and information technology, including—</text>
<subparagraph id="H0E8A6149208340958DEFC07350EFB1B0"><enum>(A)</enum><text>through
collaborations across agencies;</text>
</subparagraph><subparagraph id="HBD06FF9C65294E69893F087C3AA56C5D"><enum>(B)</enum><text>through
collaborations across Program Component Areas;</text>
</subparagraph><subparagraph id="H36FFAC6B4CFD479B8F8006853F7BE6BE"><enum>(C)</enum><text>through
collaborations with industry;</text>
</subparagraph><subparagraph id="H5065387D33D04982B3BD956727E29931"><enum>(D)</enum><text>through
collaborations with institutions of higher education;</text>
</subparagraph><subparagraph id="HB873A64DD7F142E1A497A62F574DC553"><enum>(E)</enum><text>through
collaborations with Federal laboratories (as defined in section 4 of the
Stevenson-Wydler Technology Innovation Act of 1980 (<external-xref legal-doc="usc" parsable-cite="usc/15/3703">15 U.S.C. 3703</external-xref>));
and</text>
</subparagraph><subparagraph id="H794FE82E27874392AABC2CD7A75F5CEE"><enum>(F)</enum><text>through
collaborations with international organizations;</text>
</subparagraph></paragraph><paragraph id="H064B52C286D64A56BCCF05CE9D015705"><enum>(2)</enum><text>addressing
national, multi-agency, multi-faceted challenges of national importance;
and</text>
</paragraph><paragraph id="HEE735300082340D7B307B26260EEE5F8"><enum>(3)</enum><text>fostering the
transfer of research and development results into new technologies and
applications for the benefit of
society.</text>
</paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection><subsection id="HC7C3AE461EE74188BFAD0324B9D9CB18"><enum>(b)</enum><header>Development of
strategic plan</header><text>Section 101 of the High-Performance Computing Act
of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511</external-xref>) is amended by adding at the end the following:</text>
<quoted-block display-inline="no-display-inline" id="HF033F43E1FA2406D99264B2DE1204A71" style="OLC">
<subsection id="H462A86A2B4FE4301AA3DD0C83114264D"><enum>(e)</enum><header>Strategic
plan</header>
<paragraph id="H6576DE029527468E801A014BC478DBE0"><enum>(1)</enum><header>In
general</header><text>Not later than 1 year after the date of enactment of the
<short-title>Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2013</short-title>, the agencies under subsection (a)(3)(B), working through
the National Science and Technology Council and with the assistance of the
Office of Science and Technology Policy shall develop a 5-year strategic plan
to guide the activities under subsection (a)(1).</text>
</paragraph><paragraph id="H0AC79735821647BFBB4A8A8E83B5A1E8"><enum>(2)</enum><header>Contents</header><text>The
strategic plan shall specify—</text>
<subparagraph id="HB8D71DB99B114882A6966D7305474ACF"><enum>(A)</enum><text>the near-term
objectives for the Program;</text>
</subparagraph><subparagraph id="H78EF26DA304D46D686358F3F3FD1E1BC"><enum>(B)</enum><text>the long-term
objectives for the Program;</text>
</subparagraph><subparagraph id="HBA8DE810269C4DFB8BC33F19FDF3C3F5"><enum>(C)</enum><text>the anticipated
time frame for achieving the near-term objectives;</text>
</subparagraph><subparagraph id="H554A5ABF08E54F718B5206622515015C"><enum>(D)</enum><text>the metrics that
will be used to assess any progress made toward achieving the near-term
objectives and the long-term objectives; and</text>
</subparagraph><subparagraph id="H0DFADD2819564A279BBECCC8EC7B0EBD"><enum>(E)</enum><text>how the Program
will achieve the goals and priorities under subsection (d).</text>
</subparagraph></paragraph><paragraph id="HB2C92CE2C7734A59BBCFD1B3D9D44DF0"><enum>(3)</enum><header>Implementation
roadmap</header>
<subparagraph id="H29891F74A8304BC2BFAE733E34222A43"><enum>(A)</enum><header>In
general</header><text>The agencies under subsection (a)(3)(B) shall develop and
annually update an implementation roadmap for the strategic plan.</text>
</subparagraph><subparagraph id="HACB0F40816784E7F8F79BE4C5AE33400"><enum>(B)</enum><header>Requirements</header><text>The
information in the implementation roadmap shall be coordinated with the
database under section 102(c) and the annual report under section 101(a)(3).
The implementation roadmap shall—</text>
<clause id="HB84D65840ACB4B5A97B10326536E0F2B"><enum>(i)</enum><text>specify the role
of each Federal agency in carrying out or sponsoring research and development
to meet the research objectives of the strategic plan, including a description
of how progress toward the research objectives will be evaluated, with
consideration of any relevant recommendations of the advisory committee;</text>
</clause><clause id="H399545F63DC441BD8FF2315E366FE2EE"><enum>(ii)</enum><text>specify the
funding allocated to each major research objective of the strategic plan and
the source of funding by agency for the current fiscal year; and</text>
</clause><clause id="HCCAB0730B7B24989BC9ED14FE794DACB"><enum>(iii)</enum><text>estimate the
funding required for each major research objective of the strategic plan for
the next 3 fiscal years.</text>
</clause></subparagraph></paragraph><paragraph id="HEB832A95ECC44C009BFCD1DFDB5E96C5"><enum>(4)</enum><header>Recommendations</header><text>The
agencies under subsection (a)(3)(B) shall take into consideration when
developing the strategic plan under paragraph (1) the recommendations
of—</text>
<subparagraph id="H5292E24DDBC94B3A82BB9E325E963042"><enum>(A)</enum><text>the advisory
committee under subsection (b); and</text>
</subparagraph><subparagraph id="HD2225B3F05734D219FC661B25497A58A"><enum>(B)</enum><text>the stakeholders
under section 102(a)(3).</text>
</subparagraph></paragraph><paragraph id="HEA94F5EB2E9C40668B350679A9963646"><enum>(5)</enum><header>Report to
Congress</header><text>The Director of the Office of Science and Technology
Policy shall transmit the strategic plan under this subsection, including the
implementation roadmap and any updates under paragraph (3), to—</text>
<subparagraph id="HD972673BFC8842CAB23D50DF4A592D27"><enum>(A)</enum><text>the advisory
committee under subsection (b);</text>
</subparagraph><subparagraph id="HA1A44688659D4759866B6F94F92874AE"><enum>(B)</enum><text>the Committee on
Commerce, Science, and Transportation of the Senate; and</text>
</subparagraph><subparagraph id="H9E013D32FEC54918A55F06A9E30A75AD"><enum>(C)</enum><text>the Committee on
Science and Technology of the House of
Representatives.</text>
</subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection><subsection id="H9CE3F28DB6FB481F80ACE4AB2A727B44"><enum>(c)</enum><header>Periodic
reviews</header><text>Section 101 of the High-Performance Computing Act of 1991
(<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511</external-xref>) is amended by adding at the end the following:</text>
<quoted-block display-inline="no-display-inline" id="H74C3129643E246B2A66CF8BD9EC9C35A" style="OLC">
<subsection id="HF189B06FD60A4FC2BAC7D02923B8C907"><enum>(f)</enum><header>Periodic
reviews</header><text>The agencies under subsection (a)(3)(B) shall—</text>
<paragraph id="H3C6496D58A93423B8E5518819C148DC4"><enum>(1)</enum><text>periodically
assess the contents and funding levels of the Program Component Areas and
restructure the Program when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection (b); and</text>
</paragraph><paragraph id="HC28DFFF297EA41C381D34946F18DA90B"><enum>(2)</enum><text>ensure that the
Program includes national, multi-agency, multi-faceted research and development
activities, including activities described in section
104.</text>
</paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection><subsection id="H6E3E160A7A10467BA08C27171C5B9051"><enum>(d)</enum><header>Additional
responsibilities of Director</header><text>Section 101(a)(2) of the
High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(2)</external-xref>) is
amended—</text>
<paragraph id="H5B3F4B5D6B9C41399A71724E0F825409"><enum>(1)</enum><text>by redesignating
subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively;
and</text>
</paragraph><paragraph id="H355ABF3312A349CF87A83FBD0A612640"><enum>(2)</enum><text>by inserting after
subparagraph (D) the following:</text>
<quoted-block display-inline="no-display-inline" id="H3014788EC9304CC6A98A720B89BB4D83" style="OLC">
<subparagraph id="H5A6DC79256864CFD8CE10986E939DF94"><enum>(E)</enum><text>encourage and
monitor the efforts of the agencies participating in the Program to allocate
the level of resources and management attention necessary—</text>
<clause id="HB9A13D1CD50A4D7B95AFF93C8518CA21"><enum>(i)</enum><text>to
ensure that the strategic plan under subsection (e) is developed and executed
effectively; and</text>
</clause><clause id="H6DCC208577354807B25AC35E82992A52"><enum>(ii)</enum><text>to ensure that
the objectives of the Program are met;</text>
</clause></subparagraph><subparagraph id="H4D51FF1059934EF9BE66B092D619B614"><enum>(F)</enum><text>working with the
Office of Management and Budget and in coordination with the creation of the
database under section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to establish a mechanism
(consistent with existing law) to track all ongoing and completed research and
development projects and associated
funding;</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H50E9CEF0A45E4CF98E266983F6AF1D9D"><enum>(e)</enum><header>Advisory
committee</header><text>Section 101(b) of the High-Performance Computing Act of
1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(b)</external-xref>) is amended—</text>
<paragraph id="HFA695F288B484DDC8BBE3D564E3F4C2D"><enum>(1)</enum><text>in paragraph
(1)—</text>
<subparagraph id="HC4CEE23A19214D6181E631BE66664568"><enum>(A)</enum><text>by inserting after
the first sentence the following: <quote>The co-chairs of the advisory
committee shall meet the qualifications of committee members and may be members
of the Presidents Council of Advisors on Science and Technology.</quote>;
and</text>
</subparagraph><subparagraph id="H5E3AF7DBCCE84F6683FC167E91B7B30C"><enum>(B)</enum><text>by striking
<quote>high-performance</quote> in subparagraph (D) and inserting
<quote>high-end</quote>; and</text>
</subparagraph></paragraph><paragraph id="H7658D11E288D49668CA6CD9B684E7E7F"><enum>(2)</enum><text>by amending
paragraph (2) to read as follows:</text>
<quoted-block display-inline="no-display-inline" id="H3D1710F0AD664E55BD5804CD0C9B8DB0" style="OLC">
<paragraph id="HAC6ED8D354884A8A85AB4030850897A0"><enum>(2)</enum><text>In addition to the
duties under paragraph (1), the advisory committee shall conduct periodic
evaluations of the funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall report its findings and
recommendations not less frequently than once every 3 fiscal years to the
Committee on Commerce, Science, and Transportation of the Senate and the
Committee on Science and Technology of the House of Representatives. The report
shall be submitted in conjunction with the update of the strategic
plan.</text>
</paragraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H976819208399469B9552A80754ECFFB4"><enum>(f)</enum><header>Report</header><text>Section
101(a)(3) of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(3)</external-xref>)
is amended—</text>
<paragraph id="H451A203E4F044D48B69B93BA63FBF341"><enum>(1)</enum><text>in subparagraph
(C)—</text>
<subparagraph id="H82BE7DFCBAEA4D22911AEB82C69C381A"><enum>(A)</enum><text>by striking
<quote>is submitted,</quote> and inserting <quote>is submitted, the levels for
the previous fiscal year,</quote>; and</text>
</subparagraph><subparagraph id="HD3D985A86C4049A3B399A84B9C686C13"><enum>(B)</enum><text>by striking
<quote>each Program Component Area</quote> and inserting <quote>each Program
Component Area and each research area supported in accordance with section
104</quote>;</text>
</subparagraph></paragraph><paragraph id="HD247A73409E84DCA8AC086B7DD1FF94D"><enum>(2)</enum><text>in subparagraph
(D)—</text>
<subparagraph id="H62234647D2974FA398AAD09416488624"><enum>(A)</enum><text>by striking
<quote>each Program Component Area,</quote> and inserting <quote>each Program
Component Area and each research area supported in accordance with section
104,</quote>;</text>
</subparagraph><subparagraph id="HDB2F4BD51FFE4649B461458AD0661C3E"><enum>(B)</enum><text>by striking
<quote>is submitted,</quote> and inserting <quote>is submitted, the levels for
the previous fiscal year,</quote>; and</text>
</subparagraph><subparagraph id="HA4A55DD0AD94448AB33FF640015BABD8"><enum>(C)</enum><text>by striking
<quote>and</quote> after the semicolon;</text>
</subparagraph></paragraph><paragraph id="H3EC14D79A1C046DAAB2321663CF15609"><enum>(3)</enum><text>by redesignating
subparagraph (E) as subparagraph (G); and</text>
</paragraph><paragraph id="H576F746433BB4C488AE073D2F4789BD9"><enum>(4)</enum><text>by inserting after
subparagraph (D) the following:</text>
<quoted-block display-inline="no-display-inline" id="HDF295E9638C747C4BB65654A72358323" style="OLC">
<subparagraph id="HBD1D1E983CDA4C0DABD5B4FFAF973707"><enum>(E)</enum><text>include a
description of how the objectives for each Program Component Area, and the
objectives for activities that involve multiple Program Component Areas, relate
to the objectives of the Program identified in the strategic plan under
subsection (e);</text>
</subparagraph><subparagraph id="H94FC53BB12DD4E5F8D44F400F2B9685A"><enum>(F)</enum><text>include—</text>
<clause id="H2EE8608E25764DF887E3115C2125B24E"><enum>(i)</enum><text>a
description of the funding required by the Office of Science and Technology
Policy to perform the functions under subsections (a) and (c) of section 102
for the next fiscal year by category of activity;</text>
</clause><clause id="HA9E260393D6A4B718C14BE6F5BBD1C12"><enum>(ii)</enum><text>a
description of the funding required by the Office of Science and Technology
Policy to perform the functions under subsections (a) and (c) of section 102
for the current fiscal year by category of activity; and</text>
</clause><clause id="HE588D33852CF47C98F7CB69AAED9D94C"><enum>(iii)</enum><text>the amount of
funding provided for the Office of Science and Technology Policy for the
current fiscal year by each agency participating in the Program;
and</text>
</clause></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H1F72C23CD15149D69D7C943944E2C45E"><enum>(g)</enum><header>Definitions</header><text>Section
4 of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5503">15 U.S.C. 5503</external-xref>) is
amended—</text>
<paragraph id="HA712E18DC12E406B86FE58FC2BB8EB47"><enum>(1)</enum><text>by redesignating
paragraphs (1) and (2) as paragraphs (2) and (3), respectively;</text>
</paragraph><paragraph id="HEAA64CB9B8AB42EAB154E5D3C7C3D540"><enum>(2)</enum><text>by redesignating
paragraph (3) as paragraph (6);</text>
</paragraph><paragraph id="HFDC3671C2A464A60BDF27853B9585CA5"><enum>(3)</enum><text>by redesignating
paragraphs (6) and (7) as paragraphs (7) and (8), respectively;</text>
</paragraph><paragraph id="H5A7098141D274F84A1DB25C85B5B5DA1"><enum>(4)</enum><text>by inserting
before paragraph (2), as redesignated, the following:</text>
<quoted-block display-inline="no-display-inline" id="HEE8506A2CBD14E43B34A3C3AF2B524B1" style="OLC">
<paragraph id="H830CADFCBDEC4A0E91D26750964631BA"><enum>(1)</enum><text><term>cyber-physical
systems</term> means physical or engineered systems whose networking and
information technology functions and physical elements are deeply integrated
and are actively connected to the physical world through sensors, actuators, or
other means to perform monitoring and control
functions;</text>
</paragraph><after-quoted-block>;</after-quoted-block></quoted-block>
</paragraph><paragraph id="HE6A3CBA8D66B4E6D9E7882200BEC23D8"><enum>(5)</enum><text>in paragraph (3),
as redesignated, by striking <quote>high-performance computing</quote> and
inserting <quote>networking and information technology</quote>;</text>
</paragraph><paragraph id="HF6533076423A4B228F1C846C5A45FC73"><enum>(6)</enum><text>in paragraph (6),
as redesignated—</text>
<subparagraph id="H54FC69EB235B46DEAC3707BCF5B146E1"><enum>(A)</enum><text>by striking
<quote>high-performance computing</quote> and inserting <quote>networking and
information technology</quote>; and</text>
</subparagraph><subparagraph id="H0FC03299B542458798A8ABA056C17654"><enum>(B)</enum><text>by striking
<quote>supercomputer</quote> and inserting <quote>high-end
computing</quote>;</text>
</subparagraph></paragraph><paragraph id="H45CE830B795B46C79C4EFF7714CCC35E"><enum>(7)</enum><text>in paragraph (5),
by striking <quote>network referred to as</quote> and all that follows through
the semicolon and inserting <quote>network, including advanced computer
networks of Federal agencies and departments</quote>; and</text>
</paragraph><paragraph id="H8E470B1A84CB456F82D137982D4B9598"><enum>(8)</enum><text>in paragraph (7),
as redesignated, by striking <quote>National High-Performance Computing
Program</quote> and inserting <quote>networking and information technology
research and development program</quote>.</text>
</paragraph></subsection></section><section id="H85FE3A6EAABC471FBCE936FC9714C3E8"><enum>402.</enum><header>Research in
areas of national importance</header>
<subsection id="HAD652B59016A4CD78169185F56E0B262"><enum>(a)</enum><header>Research in
areas of national importance</header><text>Title I of the High-Performance
Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511 et seq.</external-xref>) is amended by adding at the end
the following:</text>
<quoted-block display-inline="no-display-inline" id="H3808AF076B774B1FACC303B172C73023" style="OLC">
<section id="H68AD4EADEDDE47B8A06199491D150623"><enum>104.</enum><header>Research in
areas of national importance</header>
<subsection id="HD2203DAC1C7A4651B44A6533FF29F4CE"><enum>(a)</enum><header>In
general</header><text>The Program shall encourage agencies under section
101(a)(3)(B) to support, maintain, and improve national, multi-agency,
multi-faceted, research and development activities in networking and
information technology directed toward application areas that have the
potential for significant contributions to national economic competitiveness
and for other significant societal benefits.</text>
</subsection><subsection id="H031B7FC8D0E547D6BD0133186611EC71"><enum>(b)</enum><header>Technical
solutions</header><text>An activity under subsection (a) shall be designed to
advance the development of research discoveries by demonstrating technical
solutions to important problems in areas including—</text>
<paragraph id="H4EDBC7DC0E5846F3BD8890E2396DA35B"><enum>(1)</enum><text>cybersecurity;</text>
</paragraph><paragraph id="H4FE52CE1D3494BBD8467B1185CBE947B"><enum>(2)</enum><text>health
care;</text>
</paragraph><paragraph id="H61F61AFCA88A4C36988CB8254662B3EC"><enum>(3)</enum><text>energy management
and low-power systems and devices;</text>
</paragraph><paragraph id="H79032464DFAB45918BFFA45828E54879"><enum>(4)</enum><text>transportation,
including surface and air transportation;</text>
</paragraph><paragraph id="H843828EE6ADE459CB1DC37807D5F962C"><enum>(5)</enum><text>cyber-physical
systems;</text>
</paragraph><paragraph id="HAE0AE04A13104F23A7B85E212FFB69F5"><enum>(6)</enum><text>large-scale data
analysis and modeling of physical phenomena;</text>
</paragraph><paragraph id="H0D29E42BEC774B7CBEE3E0B4C94C5AED"><enum>(7)</enum><text>large scale data
analysis and modeling of behavioral phenomena;</text>
</paragraph><paragraph id="H8D7144657F3E4A0BB078394962CDBBC9"><enum>(8)</enum><text>supply chain
quality and security; and</text>
</paragraph><paragraph id="H7C4B1F28599042009797D8C2ADF1BF9E"><enum>(9)</enum><text>privacy protection
and protected disclosure of confidential data.</text>
</paragraph></subsection><subsection id="HF9E545A68A6A42AABFA509458EEEB5B7"><enum>(c)</enum><header>Recommendations</header><text>The
advisory committee under section 101(b) shall make recommendations to the
Program for candidate research and development areas for support under this
section.</text>
</subsection><subsection id="H51B2759E3A0543C29AA6B46A264E5DA0"><enum>(d)</enum><header>Characteristics</header>
<paragraph id="H051E72BF33C541B6B6585B89A21ACEBF"><enum>(1)</enum><header>In
general</header><text>Research and development activities under this
section—</text>
<subparagraph id="H1D68B090012E4468A4BDEDB93298B32E"><enum>(A)</enum><text>shall include
projects selected on the basis of applications for support through a
competitive, merit-based process;</text>
</subparagraph><subparagraph id="H60B0DE82CCE94857B2A2DC2C7DD8D3A2"><enum>(B)</enum><text>shall leverage,
when possible, Federal investments through collaboration with related State
initiatives;</text>
</subparagraph><subparagraph id="H57F7A041412149328D94CB0E7F6C9B6C"><enum>(C)</enum><text>shall include a
plan for fostering the transfer of research discoveries and the results of
technology demonstration activities, including from institutions of higher
education and Federal laboratories, to industry for commercial
development;</text>
</subparagraph><subparagraph id="H3E9BE7CE6D1E470FBC10EB963C38A0F6"><enum>(D)</enum><text>shall involve
collaborations among researchers in institutions of higher education and
industry; and</text>
</subparagraph><subparagraph id="HDF5B1D77224B4980B0FB83DB6731D481"><enum>(E)</enum><text>may involve
collaborations among nonprofit research institutions and Federal laboratories,
as appropriate.</text>
</subparagraph></paragraph><paragraph id="HD6604FB1381A454ABB38E1742107800C"><enum>(2)</enum><header>Cost-sharing</header><text>In
selecting applications for support, the agencies under section 101(a)(3)(B)
shall give special consideration to projects that include cost sharing from
non-Federal sources.</text>
</paragraph><paragraph commented="no" id="HA2099BC3BDF04262B1739236C5D8FF61"><enum>(3)</enum><header>Multidisciplinary
research centers</header><text>Research and development activities under this
section shall be supported through multidisciplinary research centers,
including Federal laboratories, that are organized to investigate basic
research questions and carry out technology demonstration activities in areas
described in subsection (a). Research may be carried out through existing
multidisciplinary centers, including those authorized under section 7024(b)(2)
of the America COMPETES Act (42 U.S.C.
1862o–10(2)).</text>
</paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection><subsection id="H389D32511877408AA1F27968BD990687"><enum>(b)</enum><header>Cyber-Physical
systems</header><text>Section 101(a)(1) of the High-Performance Computing Act
of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(1)</external-xref>) is amended—</text>
<paragraph id="H9BDD09F8B3F641D8AE5AD6837618ED89"><enum>(1)</enum><text>in subparagraph
(H), by striking <quote>and</quote> after the semicolon;</text>
</paragraph><paragraph id="H310F23D3A34A4A358590CE0A679A58EA"><enum>(2)</enum><text>in subparagraph
(I), by striking the period at the end and inserting a semicolon; and</text>
</paragraph><paragraph id="HF7CB51748CE542008E77754B6FE29291"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="H50E329EC6CB8465F84C8D2AC73A08656" style="OLC">
<subparagraph id="HEB9AAE1D885648F1AD4E1823D600C4F4"><enum>(J)</enum><text>provide for
increased understanding of the scientific principles of cyber-physical systems
and improve the methods available for the design, development, and operation of
cyber-physical systems that are characterized by high reliability, safety, and
security; and</text>
</subparagraph><subparagraph id="HD1DB5715DEFF4F8AAABCC7598939FB4F"><enum>(K)</enum><text>provide for
research and development on human-computer interactions, visualization, and big
data.</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H91ADE278FB5F496E8F0BDB1AAA6A20A4"><enum>(c)</enum><header>Task
force</header><text>Title I of the High-Performance Computing Act of 1991 (15
U.S.C. 5511 et seq.), as amended by section 402(a) of this Act, is amended by
adding at the end the following:</text>
<quoted-block display-inline="no-display-inline" id="H3C8D250C73434408B17A44C8C3CB1FE0" style="OLC">
<section id="H1734A52CBC0440EF965047EED85D05CA"><enum>105.</enum><header>Task
force</header>
<subsection id="H253FF02247C144359B59E55BCF056002"><enum>(a)</enum><header>Establishment</header><text>Not
later than 180 days after the date of enactment the
<short-title>Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2013</short-title>, the Director of the Office of Science and Technology Policy
under section 102 shall convene a task force to explore mechanisms for carrying
out collaborative research and development activities for cyber-physical
systems (including the related technologies required to enable these systems)
through a consortium or other appropriate entity with participants from
institutions of higher education, Federal laboratories, and industry.</text>
</subsection><subsection id="HBDE1E0763EE943DA83A8BBF4EE3EB076"><enum>(b)</enum><header>Functions</header><text>The
task force shall—</text>
<paragraph id="H9E56E357515641D191B441B4A32297D0"><enum>(1)</enum><text>develop options
for a collaborative model and an organizational structure for such entity under
which the joint research and development activities could be planned, managed,
and conducted effectively, including mechanisms for the allocation of resources
among the participants in such entity for support of such activities;</text>
</paragraph><paragraph id="H098CEDFCC4824973B8500B37AD2B25CF"><enum>(2)</enum><text>propose a process
for developing a research and development agenda for such entity, including
guidelines to ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to ensure the
development of related scientific and technological milestones;</text>
</paragraph><paragraph id="H97BEDF6AC9DD4F7086E0D1408316BC74"><enum>(3)</enum><text>define the roles
and responsibilities for the participants from institutions of higher
education, Federal laboratories, and industry in such entity;</text>
</paragraph><paragraph id="H85A498CE0C524908AFAAAED9E4C1C61C"><enum>(4)</enum><text>propose guidelines
for assigning intellectual property rights and for transferring research
results to the private sector; and</text>
</paragraph><paragraph id="HF36E41EF67604BECB2A76BE875BE237E"><enum>(5)</enum><text>make
recommendations for how such entity could be funded from Federal, State, and
non-governmental sources.</text>
</paragraph></subsection><subsection id="HA375139F80DA4FBABFCBDB29CC7271C4"><enum>(c)</enum><header>Composition</header><text>In
establishing the task force under subsection (a), the Director of the Office of
Science and Technology Policy shall appoint an equal number of individuals from
institutions of higher education and from industry with knowledge and expertise
in cyber-physical systems, and may appoint not more than 2 individuals from
Federal laboratories.</text>
</subsection><subsection id="H313A42345C914D26B21E27BE545A7B05"><enum>(d)</enum><header>Report</header><text>Not
later than 1 year after the date of enactment of the
<short-title>Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2013</short-title>, the Director of the Office of Science and Technology Policy
shall transmit to the Committee on Commerce, Science, and Transportation of the
Senate and the Committee on Science and Technology of the House of
Representatives a report describing the findings and recommendations of the
task force.</text>
</subsection><subsection id="H210EE0F7D05B467E8A7DE47AF84C03A5"><enum>(e)</enum><header>Termination</header><text>The
task force shall terminate upon transmittal of the report required under
subsection (d).</text>
</subsection><subsection id="HAE4E7EED22FB4AC8B51F6FF2F3D11ACE"><enum>(f)</enum><header>Compensation and
expenses</header><text>Members of the task force shall serve without
compensation.</text>
</subsection></section><after-quoted-block>.</after-quoted-block></quoted-block>
</subsection></section><section id="HE0CD1109CA38429DB4F254630F1D7A85"><enum>403.</enum><header>Program
improvements</header><text display-inline="no-display-inline">Section 102 of
the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5512">15 U.S.C. 5512</external-xref>) is amended to read
as follows:</text>
<quoted-block display-inline="no-display-inline" id="H239533E77FFC44DE9B9B495EFA5ADA91" style="OLC">
<section id="H25DEAE3DB9D04713ABFCE9D734C0DA6B"><enum>102.</enum><header>Program
improvements</header>
<subsection id="H32B44A30D5984D94915C7BFD304231BD"><enum>(a)</enum><header>Functions</header><text>The
Director of the Office of Science and Technology Policy shall continue—</text>
<paragraph id="HB9A1EF13B0544B32865B792107926DB0"><enum>(1)</enum><text>to provide
technical and administrative support to—</text>
<subparagraph id="HB685BFC3438745BBBC4079DD283FE858"><enum>(A)</enum><text>the agencies
participating in planning and implementing the Program, including support
needed to develop the strategic plan under section 101(e); and</text>
</subparagraph><subparagraph id="HEB03E6E5845348FDA7FE3DDBEB6761C2"><enum>(B)</enum><text>the advisory
committee under section 101(b);</text>
</subparagraph></paragraph><paragraph id="HE0B9042E49474E388EE6E9916F39DEC9"><enum>(2)</enum><text>to serve as the
primary point of contact on Federal networking and information technology
activities for government agencies, academia, industry, professional societies,
State computing and networking technology programs, interested citizen groups,
and others to exchange technical and programmatic information;</text>
</paragraph><paragraph id="H870316B37F5542998ADC3AC74574BD76"><enum>(3)</enum><text>to solicit input
and recommendations from a wide range of stakeholders during the development of
each strategic plan under section 101(e) by convening at least 1 workshop with
invitees from academia, industry, Federal laboratories, and other relevant
organizations and institutions;</text>
</paragraph><paragraph id="H5416872163504CFFA790E964125D95C6"><enum>(4)</enum><text>to conduct public
outreach, including the dissemination of the advisory committee's findings and
recommendations, as appropriate;</text>
</paragraph><paragraph id="H067084B5801348C6901F6824F4DC44CF"><enum>(5)</enum><text>to promote access
to and early application of the technologies, innovations, and expertise
derived from Program activities to agency missions and systems across the
Federal Government and to United States industry;</text>
</paragraph><paragraph id="HD3D1D1286BC74E1190452DF725A30465"><enum>(6)</enum><text>to ensure accurate
and detailed budget reporting of networking and information technology research
and development investment; and</text>
</paragraph><paragraph id="H8D3229C60D6B4FD7A3A8DD7A3992DE32"><enum>(7)</enum><text>to encourage
agencies participating in the Program to use existing programs and resources to
strengthen networking and information technology education and training, and
increase participation in such fields, including by women and underrepresented
minorities.</text>
</paragraph></subsection><subsection id="H812E87A6FF644A82952C885B9A9B9B1F"><enum>(b)</enum><header>Source of
funding</header>
<paragraph id="H700EE62F9C7D42F4A8CBD77444220DDA"><enum>(1)</enum><header>In
general</header><text>The functions under this section shall be supported by
funds from each agency participating in the Program.</text>
</paragraph><paragraph id="H7044B11A7EBD402EB29963C748CBD8A5"><enum>(2)</enum><header>Specifications</header><text>The
portion of the total budget of the Office of Science and Technology Policy that
is provided by each agency participating in the Program for each fiscal year
shall be in the same proportion as each agency's share of the total budget for
the Program for the previous fiscal year, as specified in the database under
section 102(c).</text>
</paragraph></subsection><subsection id="H95CFBFD57D504818A9D1FA47E04D362D"><enum>(c)</enum><header>Database</header>
<paragraph id="HD067EEC158764F32A320ABB632F45290"><enum>(1)</enum><header>In
general</header><text>The Director of the Office of Science and Technology
Policy shall develop and maintain a database of projects funded by each agency
for the fiscal year for each Program Component Area.</text>
</paragraph><paragraph id="HA55F1ED95ECC45DC87F1E61E7CAB1878"><enum>(2)</enum><header>Public
accessibility</header><text>The Director of the Office of Science and
Technology Policy shall make the database accessible to the public.</text>
</paragraph><paragraph id="HBDF8523D6F3447FE9399B7CFC707D80D"><enum>(3)</enum><header>Database
contents</header><text>The database shall include, for each project in the
database—</text>
<subparagraph id="H91DD7590217345A89E3B24B21B4B29AF"><enum>(A)</enum><text>a description of
the project;</text>
</subparagraph><subparagraph id="HA2C3F3F559054D518D8C336A7CBA9A7C"><enum>(B)</enum><text>each agency,
industry, institution of higher education, Federal laboratory, or international
institution involved in the project;</text>
</subparagraph><subparagraph id="H05A118AFDE574383AA60B64391958AC9"><enum>(C)</enum><text>the source funding
of the project (set forth by agency);</text>
</subparagraph><subparagraph id="HC7A4503DCCA842FB8DD2C0AC57C5B30A"><enum>(D)</enum><text>the funding
history of the project; and</text>
</subparagraph><subparagraph id="H5DA16868527E47E58804054EB9720FA2"><enum>(E)</enum><text>whether the
project has been
completed.</text>
</subparagraph></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block>
</section><section id="H3DAEFF3598CB4865BF9A45AF65C9412C"><enum>404.</enum><header>Improving
education of networking and information technology, including high performance
computing</header><text display-inline="no-display-inline">Section 201(a) of
the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5521">15 U.S.C. 5521(a)</external-xref>) is
amended—</text>
<paragraph id="H51DEF4D16E2F43EAAC3958852BF483B1"><enum>(1)</enum><text>by redesignating
paragraphs (2) through (4) as paragraphs (3) through (5), respectively;
and</text>
</paragraph><paragraph id="HD52F4C71039F44CF9D5AA8CD9F72AF6C"><enum>(2)</enum><text>by inserting after
paragraph (1) the following:</text>
<quoted-block display-inline="no-display-inline" id="H96DF0DFC87414FA5A489DBDBCEA334C4" style="OLC">
<paragraph id="H9FB2CAABA79E4B9BBD64897A3E434BD6"><enum>(2)</enum><text>the National
Science Foundation shall use its existing programs, in collaboration with other
agencies, as appropriate, to improve the teaching and learning of networking
and information technology at all levels of education and to increase
participation in networking and information technology
fields;</text>
</paragraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></section><section id="H33819573CD73443FA676B41F32F1A953"><enum>405.</enum><header>Conforming and
technical amendments to the High-Performance Computing Act of 1991</header>
<subsection id="HC2E6C9F436814B1EA7C8D3946C8764BD"><enum>(a)</enum><header>Section
3</header><text>Section 3 of the High-Performance Computing Act of 1991 (15
U.S.C. 5502) is amended—</text>
<paragraph id="HDC820CBB2D4046C4807EA4403FF16008"><enum>(1)</enum><text>in the matter
preceding paragraph (1), by striking <quote>high-performance computing</quote>
and inserting <quote>networking and information technology</quote>;</text>
</paragraph><paragraph id="HD9B5669BEC5A4A569A4BF1B047360629"><enum>(2)</enum><text>in paragraph
(1)—</text>
<subparagraph id="H9276EE683EE845AA94750CB078C14391"><enum>(A)</enum><text>in the matter
preceding subparagraph (A), by striking <quote>high-performance
computing</quote> and inserting <quote>networking and information
technology</quote>;</text>
</subparagraph><subparagraph id="H877AAA37631A46CC9A065A0E0904EF2B"><enum>(B)</enum><text>in subparagraphs
(A), (F), and (G), by striking <quote>high-performance computing</quote> each
place it appears and inserting <quote>networking and information
technology</quote>; and</text>
</subparagraph><subparagraph id="H94F13BD8ECF942BBB84AD96B765B9748"><enum>(C)</enum><text>in subparagraph
(H), by striking <quote>high-performance</quote> and inserting
<quote>high-end</quote>; and</text>
</subparagraph></paragraph><paragraph id="HA5E5CFEC0CAB427C8996755B66311D9E"><enum>(3)</enum><text>in paragraph
(2)—</text>
<subparagraph id="HCE2638A243B842B993136529D9E47F9E"><enum>(A)</enum><text>by striking
<quote>high-performance computing and</quote> and inserting <quote>networking
and information technology, and</quote>; and</text>
</subparagraph><subparagraph id="HDA5EC12D215B4A84B85693CE5D9C1A01"><enum>(B)</enum><text>by striking
<quote>high-performance computing network</quote> and inserting
<quote>networking and information technology</quote>.</text>
</subparagraph></paragraph></subsection><subsection id="HDF93B6D4B875475CBE3ADAAC0624BC21"><enum>(b)</enum><header>Title
heading</header><text>The heading of title I of the High-Performance Computing
Act of 1991 (105 Stat. 1595) is amended by striking <quote><header-in-text level="title" style="OLC">High-performance computing</header-in-text></quote>
and inserting <quote><header-in-text level="title" style="OLC">Networking and
information technology</header-in-text></quote>.</text>
</subsection><subsection id="H4E8E0437E536458F8D61ADBA22B00E9F"><enum>(c)</enum><header>Section
101</header><text>Section 101 of the High-Performance Computing Act of 1991 (15
U.S.C. 5511) is amended—</text>
<paragraph id="HB79AEB84DB344AF4B9F3B9032F73FAF1"><enum>(1)</enum><text>in the section
heading, by striking <quote><header-in-text level="section" style="OLC">high-performance computing</header-in-text></quote> and inserting
<quote><header-in-text level="section" style="OLC">networking and information
technology research and development</header-in-text></quote>;</text>
</paragraph><paragraph id="H14C5DD6B3DFD43F9A0F47C0DAAF7CE1D"><enum>(2)</enum><text>in subsection
(a)—</text>
<subparagraph id="H776A3BCDA0644E99B95F64819F3BB7B4"><enum>(A)</enum><text>in the subsection
heading, by striking <quote><header-in-text level="subsection" style="OLC">National High-Performance Computing</header-in-text></quote> and
inserting <quote><header-in-text level="subsection" style="OLC">Networking and
Information Technology Research and
Development</header-in-text></quote>;</text>
</subparagraph><subparagraph id="HB01619304B934569A28A8EE3EDD179F0"><enum>(B)</enum><text>in paragraph
(1)—</text>
<clause id="H6892996D55484190849AF30CA280AA9E"><enum>(i)</enum><text>by
striking <quote>National High-Performance Computing Program</quote> and
inserting <quote>networking and information technology research and development
program</quote>;</text>
</clause><clause id="H82CBD9DB55A046269E2CE9B47A0EC0AA"><enum>(ii)</enum><text>in
subparagraph (A), by striking <quote>high-performance computing, including
networking</quote> and inserting <quote>networking and information
technology</quote>;</text>
</clause><clause id="HAB4B202B9FED4B4D959AC52C89FDA8A6"><enum>(iii)</enum><text>in
subparagraphs (B) and (G), by striking <quote>high-performance</quote> each
place it appears and inserting <quote>high-end</quote>; and</text>
</clause><clause id="H5D3D49F32D4E4737B5C70C7BE68E2AFD"><enum>(iv)</enum><text>in
subparagraph (C), by striking <quote>high-performance computing and
networking</quote> and inserting <quote>high-end computing, distributed, and
networking</quote>; and</text>
</clause></subparagraph><subparagraph id="H161842B0FA9C490BA3D8E7171826E3B7"><enum>(C)</enum><text>in paragraph
(2)—</text>
<clause id="HD9C518CC4EAB4288A818BDFBF2B3D099"><enum>(i)</enum><text>in
subparagraphs (A) and (C)—</text>
<subclause id="H8F3364361AE54CF284902D87556B237F"><enum>(I)</enum><text>by striking
<quote>high-performance computing</quote> each place it appears and inserting
<quote>networking and information technology</quote>; and</text>
</subclause><subclause id="H700D707D05314E5A83646C16EFA99E34"><enum>(II)</enum><text>by striking
<quote>development, networking,</quote> each place it appears and inserting
<quote>development,</quote>; and</text>
</subclause></clause><clause id="HBA2037C3B62A4C83B57A6224E2B99159"><enum>(ii)</enum><text>in
subparagraphs (G) and (H), as redesignated by section 401(d) of this Act, by
striking <quote>high-performance</quote> each place it appears and inserting
<quote>high-end</quote>;</text>
</clause></subparagraph></paragraph><paragraph id="H26272DB3AA0D443787C60180AC15B410"><enum>(3)</enum><text>in subsection
(b)(1), in the matter preceding subparagraph (A), by striking
<quote>high-performance computing</quote> each place it appears and inserting
<quote>networking and information technology</quote>; and</text>
</paragraph><paragraph id="HE229BE462F2547D89A9618A67C0FA8CB"><enum>(4)</enum><text>in subsection
(c)(1)(A), by striking <quote>high-performance computing</quote> and inserting
<quote>networking and information technology</quote>.</text>
</paragraph></subsection><subsection id="HDA1B03B222FD444597AADFB951153F0F"><enum>(d)</enum><header>Section
201</header><text>Section 201(a)(1) of the High-Performance Computing Act of
1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5521">15 U.S.C. 5521(a)(1)</external-xref>) is amended by striking <quote>high-performance
computing and advanced high-speed computer networking</quote> and inserting
<quote>networking and information technology research and
development</quote>.</text>
</subsection><subsection id="H837186FACB6A4159A3345359D8452E4F"><enum>(e)</enum><header>Section
202</header><text>Section 202(a) of the High-Performance Computing Act of 1991
(<external-xref legal-doc="usc" parsable-cite="usc/15/5522">15 U.S.C. 5522(a)</external-xref>) is amended by striking <quote>high-performance
computing</quote> and inserting <quote>networking and information
technology</quote>.</text>
</subsection><subsection id="HA3B4D8F70CD84BB6802F7B084399BC9E"><enum>(f)</enum><header>Section
203</header><text>Section 203(a) of the High-Performance Computing Act of 1991
(<external-xref legal-doc="usc" parsable-cite="usc/15/5523">15 U.S.C. 5523(a)</external-xref>) is amended—</text>
<paragraph id="H4D225DEE60AF406183973D8DF35FAADA"><enum>(1)</enum><text>in paragraph (1),
by striking <quote>high-performance computing and networking</quote> and
inserting <quote>networking and information technology</quote>; and</text>
</paragraph><paragraph id="H531C50C7404B4607953722E66DF0ADF0"><enum>(2)</enum><text>in paragraph
(2)(A), by striking <quote>high-performance</quote> and inserting
<quote>high-end</quote>.</text>
</paragraph></subsection><subsection id="HB1E22B9B9A7F41569024CA5ACCC54D70"><enum>(g)</enum><header>Section
204</header><text>Section 204 of the High-Performance Computing Act of 1991 (15
U.S.C. 5524) is amended—</text>
<paragraph id="HD0FD6BEC73AF462F93E3474B314879DC"><enum>(1)</enum><text>in subsection
(a)(1)—</text>
<subparagraph id="H4E888BF881704CE8B8A8C9005E8D78C1"><enum>(A)</enum><text>in subparagraph
(A), by striking <quote>high-performance computing systems and networks</quote>
and inserting <quote>networking and information technology systems and
capabilities</quote>;</text>
</subparagraph><subparagraph id="H01BF9E9CB80443A58703D92C24575444"><enum>(B)</enum><text>in subparagraph
(B), by striking <quote>interoperability of high-performance computing systems
in networks and for common user interfaces to systems</quote> and inserting
<quote>interoperability and usability of networking and information technology
systems</quote>; and</text>
</subparagraph><subparagraph id="H7D71A884E38149DA814ABDD8C5DFF0EA"><enum>(C)</enum><text>in subparagraph
(C), by striking <quote>high-performance computing</quote> and inserting
<quote>networking and information technology</quote>; and</text>
</subparagraph></paragraph><paragraph id="H5790E196448F4C3CA9F9554749EA4BF3"><enum>(2)</enum><text>in subsection
(b)—</text>
<subparagraph id="H6EBF9E94BD08477D931F60195B80165D"><enum>(A)</enum><text>by striking
<quote><header-in-text level="subsection" style="OLC">High-Performance
Computing and Network</header-in-text></quote> in the heading and inserting
<quote><header-in-text level="subsection" style="OLC">Networking and
Information Technology</header-in-text></quote>; and</text>
</subparagraph><subparagraph id="H1E62E33127F24AD5833A1596DEDD289B"><enum>(B)</enum><text>by striking
<quote>sensitive</quote>.</text>
</subparagraph></paragraph></subsection><subsection id="H09A09E3909FF4A80B1E9085EDAAEAC8D"><enum>(h)</enum><header>Section
205</header><text>Section 205(a) of the High-Performance Computing Act of 1991
(<external-xref legal-doc="usc" parsable-cite="usc/15/5525">15 U.S.C. 5525(a)</external-xref>) is amended by striking <quote>computational</quote> and
inserting <quote>networking and information technology</quote>.</text>
</subsection><subsection id="HF7325145A86549B7A92439A2FCAEE809"><enum>(i)</enum><header>Section
206</header><text>Section 206(a) of the High-Performance Computing Act of 1991
(<external-xref legal-doc="usc" parsable-cite="usc/15/5526">15 U.S.C. 5526(a)</external-xref>) is amended by striking <quote>computational
research</quote> and inserting <quote>networking and information technology
research</quote>.</text>
</subsection><subsection id="H60A9B7365CC5465E9BE959AC7B1D8496"><enum>(j)</enum><header>Section
207</header><text>Section 207 of the High-Performance Computing Act of 1991 (15
U.S.C. 5527) is amended by striking <quote>high-performance computing</quote>
and inserting <quote>networking and information technology</quote>.</text>
</subsection><subsection id="HC3CBDF27D2E54833BDFF60AE5718E89C"><enum>(k)</enum><header>Section
208</header><text>Section 208 of the High-Performance Computing Act of 1991 (15
U.S.C. 5528) is amended—</text>
<paragraph id="H30E735FF750F421E93443CF22BE816C4"><enum>(1)</enum><text>in the section
heading, by striking <quote><header-in-text level="section" style="OLC">high-performance computing</header-in-text></quote> and inserting
<quote><header-in-text level="section" style="OLC">networking and information
technology</header-in-text></quote>; and</text>
</paragraph><paragraph id="HF4698819FA514E62AE53699666F86AE0"><enum>(2)</enum><text>in subsection
(a)—</text>
<subparagraph id="H06CBDA8FAE2A4C9982125C0F4AE5754B"><enum>(A)</enum><text>in paragraph (1),
by striking <quote>High-performance computing and associated</quote> and
inserting <quote>Networking and information</quote>;</text>
</subparagraph><subparagraph id="H09C4046B41F345F1BAEAA59A000F2098"><enum>(B)</enum><text>in paragraph (2),
by striking <quote>high-performance computing</quote> and inserting
<quote>networking and information technologies</quote>;</text>
</subparagraph><subparagraph id="H14039C21AC9940CBA53A794457AEF4DA"><enum>(C)</enum><text>in paragraph (3),
by striking <quote>high-performance</quote> and inserting
<quote>high-end</quote>;</text>
</subparagraph><subparagraph id="HDC6B879B64A6413083C0606A50B109B3"><enum>(D)</enum><text>in paragraph (4),
by striking <quote>high-performance computers and associated</quote> and
inserting <quote>networking and information</quote>; and</text>
</subparagraph><subparagraph id="H05CDC513104A4D4E8F8B1BB955CD9BED"><enum>(E)</enum><text>in paragraph (5),
by striking <quote>high-performance computing and associated</quote> and
inserting <quote>networking and information</quote>.</text>
</subparagraph></paragraph></subsection></section><section id="HAE28CD8883D7441E810397D09817621F"><enum>406.</enum><header>Federal cyber
scholarship-for-service program</header>
<subsection id="HDED54E272A91486BB7D4D60A472C3B9F"><enum>(a)</enum><header>In
general</header><text>The Director of the National Science Foundation, in
coordination with the Secretary of Homeland Security, shall carry out a Federal
cyber scholarship-for-service program to recruit and train the next generation
of information technology professionals and security managers to meet the needs
of the cybersecurity mission for the Federal Government.</text>
</subsection><subsection id="H44D9BFC42ED143998D49EE03BF22D122"><enum>(b)</enum><header>Program
description and components</header><text>The program shall—</text>
<paragraph id="H98F3245658734C37A85845A1B93DA202"><enum>(1)</enum><text>annually assess
the workforce needs of the Federal Government for cybersecurity professionals,
including network engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to ensure that the
workforce needs following graduation match the number of scholarships
awarded;</text>
</paragraph><paragraph id="H8559A1843BCC48C482E4C1698CAE061C"><enum>(2)</enum><text>provide
scholarships for up to 1,000 students per year in their pursuit of
undergraduate or graduate degrees in the cybersecurity field, in an amount that
may include coverage for full tuition, fees, and a stipend;</text>
</paragraph><paragraph id="H02E884AD69FC4CA187683F08E5FEA69B"><enum>(3)</enum><text>require each
scholarship recipient, as a condition of receiving a scholarship under the
program, to serve in a Federal information technology workforce for a period
equal to one and one-half times each year, or partial year, of scholarship
received, in addition to an internship in the cybersecurity field, if
applicable, following graduation;</text>
</paragraph><paragraph id="HC3E66D8C28C34CC0A10E8C63D56AA233"><enum>(4)</enum><text>provide a
procedure for the National Science Foundation or a Federal agency, consistent
with regulations of the Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including providing for
clearance during a summer internship and upon graduation; and</text>
</paragraph><paragraph id="H18E4586866614B7E83558DD2E26010B5"><enum>(5)</enum><text>provide
opportunities for students to receive temporary appointments for meaningful
employment in the Federal information technology workforce during school
vacation periods and for internships.</text>
</paragraph></subsection><subsection id="H6914314A511F457EA688D6A06FC7F24F"><enum>(c)</enum><header>Hiring
authority</header>
<paragraph id="HE0C2AFAC5951495782A6AE5FA9568860"><enum>(1)</enum><header>In
general</header><text>For purposes of any law or regulation governing the
appointment of an individual in the Federal civil service, upon the successful
completion of the student's studies, a student receiving a scholarship under
the program may—</text>
<subparagraph id="HF69A1CEA623E49C2BE0C19BD6123D6B4"><enum>(A)</enum><text>be hired under
<external-xref legal-doc="regulation" parsable-cite="cfr/5/213.3102">section 213.3102(r)</external-xref> of title 5, Code of Federal Regulations; and</text>
</subparagraph><subparagraph id="H66A1F5E255FD4C45A70811F88B94390E"><enum>(B)</enum><text>be exempt from
competitive service.</text>
</subparagraph></paragraph><paragraph id="HA6049AEE4F584B3EACC7C93A4A7A47FC"><enum>(2)</enum><header>Competitive
service</header><text>Upon satisfactory fulfillment of the service term under
paragraph (1), an individual may be converted to a competitive service position
without competition if the individual meets the requirements for that
position.</text>
</paragraph></subsection><subsection id="HA0E263A62AD4442088FDB76DAE6E634A"><enum>(d)</enum><header>Eligibility</header><text>The
eligibility requirements for a scholarship under this section shall include
that a scholarship applicant—</text>
<paragraph id="H83EFED4ABEFE4674B432EE35B8B56E96"><enum>(1)</enum><text>be a citizen of
the United States;</text>
</paragraph><paragraph id="H17F1FF1F49E744A99CB6F462095438B9"><enum>(2)</enum><text>be eligible to be
granted a security clearance;</text>
</paragraph><paragraph id="H6B2423E34F504FEA88BE8F3B10A742C8"><enum>(3)</enum><text>maintain a grade
point average of 3.2 or above on a 4.0 scale for undergraduate study or a 3.5
or above on a 4.0 scale for postgraduate study;</text>
</paragraph><paragraph id="HC1AE74AF0B4E4E568A877B893FA50E25"><enum>(4)</enum><text>demonstrate a
commitment to a career in improving the security of the information
infrastructure; and</text>
</paragraph><paragraph id="H6BB369EDCDFE4810A845F1F346090F06"><enum>(5)</enum><text>has demonstrated a
level of proficiency in math or computer sciences.</text>
</paragraph></subsection><subsection id="HBAC966B218E047FC84B6A87F2A4C6DD5"><enum>(e)</enum><header>Failure To
complete service obligation</header>
<paragraph id="HD7579F87C47B4969954244AB9E387307"><enum>(1)</enum><header>In
general</header><text>A scholarship recipient under this section shall be
liable to the United States under paragraph (2) if the scholarship
recipient—</text>
<subparagraph id="H1E74B2FD62A44E24A9CD9E4F17E1D071"><enum>(A)</enum><text>fails to maintain
an acceptable level of academic standing in the educational institution in
which the individual is enrolled, as determined by the Director;</text>
</subparagraph><subparagraph id="H5EEE5BF2388949A994504B052691E74B"><enum>(B)</enum><text>is dismissed from
such educational institution for disciplinary reasons;</text>
</subparagraph><subparagraph id="H68863CDB006E42BDA3988E91D7CA3D2C"><enum>(C)</enum><text>withdraws from the
program for which the award was made before the completion of such
program;</text>
</subparagraph><subparagraph id="H06BE7FCC29F548F4B66D74BE6DC5069E"><enum>(D)</enum><text>declares that the
individual does not intend to fulfill the service obligation under this
section;</text>
</subparagraph><subparagraph id="H671D6338D8DA4FCAB36BEFF53EDA9414"><enum>(E)</enum><text>fails to fulfill
the service obligation of the individual under this section; or</text>
</subparagraph><subparagraph id="H3FE47C1F6A454222931BDCE88A1ABB73"><enum>(F)</enum><text>loses a security
clearance or becomes ineligible for a security clearance.</text>
</subparagraph></paragraph><paragraph id="HBEE37C1444C2485697382547E3C524BE"><enum>(2)</enum><header>Repayment
amounts</header>
<subparagraph id="HB8ED3ABD38F74D0B9A539CB481454E54"><enum>(A)</enum><header>Less than 1 year
of service</header><text>If a circumstance under paragraph (1) occurs before
the completion of 1 year of a service obligation under this section, the total
amount of awards received by the individual under this section shall be
repaid.</text>
</subparagraph><subparagraph id="H0CA0A5C9209B435A99D62EE01DFF635C"><enum>(B)</enum><header>One or more
years of service</header><text>If a circumstance described in subparagraph (D)
or (E) of paragraph (1) occurs after the completion of 1 year of a service
obligation under this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of the number of
years of service completed divided by the number of years of service required,
shall be repaid.</text>
</subparagraph></paragraph></subsection><subsection id="H55D67159DE4F45508038FD18F44E253A"><enum>(f)</enum><header>Evaluation and
report</header><text>The Director of the National Science Foundation
shall—</text>
<paragraph id="H92306400257146218A0F955D36E863F7"><enum>(1)</enum><text>evaluate the
success of recruiting individuals for scholarships under this section and of
hiring and retaining those individuals in the public sector workforce,
including the annual cost and an assessment of how the program actually
improves the Federal workforce; and</text>
</paragraph><paragraph id="H483689F0BBA2498192C4906306DDC77E"><enum>(2)</enum><text>periodically
report the findings under paragraph (1) to Congress.</text>
</paragraph></subsection><subsection id="H478B1EAB61754888BB358F5B295A391F"><enum>(g)</enum><header>Authorization of
appropriations</header><text>From amounts made available under section 503 of
the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), the
Secretary may use funds to carry out the requirements of this section for
fiscal years 2014 through 2015.</text>
</subsection></section><section id="H024FE3E136F14A6D9D90D3EBC87801FD"><enum>407.</enum><header>Study and
analysis of certification and training of information infrastructure
professionals</header>
<subsection id="H90636230A3FF4F349B331B8447B5783D"><enum>(a)</enum><header>Study</header><text>The
President shall enter into an agreement with the National Academies to conduct
a comprehensive study of government, academic, and private-sector
accreditation, training, and certification programs for personnel working in
information infrastructure. The agreement shall require the National Academies
to consult with sector coordinating councils and relevant governmental
agencies, regulatory entities, and nongovernmental organizations in the course
of the study.</text>
</subsection><subsection id="H9B4FE427E9CB482B9FBFC6CD873F007F"><enum>(b)</enum><header>Scope</header><text>The
study shall include—</text>
<paragraph id="H6E27F0D627134DB899AC7A99FD2508CA"><enum>(1)</enum><text>an evaluation of
the body of knowledge and various skills that specific categories of personnel
working in information infrastructure should possess in order to secure
information systems;</text>
</paragraph><paragraph id="HB6F4A42C005446EAB28D3D17217D796B"><enum>(2)</enum><text>an assessment of
whether existing government, academic, and private-sector accreditation,
training, and certification programs provide the body of knowledge and various
skills described in paragraph (1);</text>
</paragraph><paragraph id="HB5E3EA5A0686476D954D73F486C233E2"><enum>(3)</enum><text>an analysis of any
barriers to the Federal Government recruiting and hiring cybersecurity talent,
including barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and</text>
</paragraph><paragraph id="HA02FF69C58B4476687803BBA08885933"><enum>(4)</enum><text>an analysis of the
sources and availability of cybersecurity talent, a comparison of the skills
and expertise sought by the Federal Government and the private sector, an
examination of the current and future capacity of United States institutions of
higher education, including community colleges, to provide current and future
cybersecurity professionals, through education and training activities, with
those skills sought by the Federal Government, State and local entities, and
the private sector.</text>
</paragraph></subsection><subsection id="H0DF6436CB26A44D494E8402CBBDD36CD"><enum>(c)</enum><header>Report</header><text>Not
later than 1 year after the date of enactment of this Act, the National
Academies shall submit to the President and Congress a report on the results of
the study. The report shall include—</text>
<paragraph id="H7C28FC46992546E79BBFF8C655E589DF"><enum>(1)</enum><text>findings regarding
the state of information infrastructure accreditation, training, and
certification programs, including specific areas of deficiency and demonstrable
progress; and</text>
</paragraph><paragraph id="H9283028D1DCB4D9B97D10654404BCB94"><enum>(2)</enum><text>recommendations
for the improvement of information infrastructure accreditation, training, and
certification programs.</text>
</paragraph></subsection></section><section id="H908A996D68454C2AA99DDF2405986149"><enum>408.</enum><header>International
cybersecurity technical standards</header>
<subsection id="HF60707022C27453D9F8B9DE0061E56CE"><enum>(a)</enum><header>In
general</header><text display-inline="yes-display-inline">The Director of the
National Institute of Standards and Technology, in coordination with
appropriate Federal authorities, shall—</text>
<paragraph id="HB8B4E240A64543B7AD3D8BFB5BAD121E"><enum>(1)</enum><text display-inline="yes-display-inline">as appropriate, ensure coordination of
Federal agencies engaged in the development of international technical
standards related to information system security; and</text>
</paragraph><paragraph id="H40003E4C2D8541FB98495A48EC25E9AE"><enum>(2)</enum><text display-inline="yes-display-inline">not later than 1 year after the date of
enactment of this Act, develop and transmit to Congress a plan for ensuring
such Federal agency coordination.</text>
</paragraph></subsection><subsection id="H1B5F1B6A8A8845F08A7E99A73588E3C7"><enum>(b)</enum><header>Consultation
with the private sector</header><text display-inline="yes-display-inline">In
carrying out the activities under subsection (a)(1), the Director shall ensure
consultation with appropriate private sector stakeholders.</text>
</subsection></section><section id="H463291C02E3E498E877FA9AB1A53116D"><enum>409.</enum><header>Identity
management research and development</header><text display-inline="no-display-inline">The Director of the National Institute of
Standards and Technology shall continue a program to support the development of
technical standards, metrology, testbeds, and conformance criteria, taking into
account appropriate user concerns—</text>
<paragraph id="HAD2284D32DDC40F8842C493E2A9126BD"><enum>(1)</enum><text display-inline="yes-display-inline">to improve interoperability among identity
management technologies;</text>
</paragraph><paragraph id="H6E011443601747E5B35D73D0FD58138A"><enum>(2)</enum><text display-inline="yes-display-inline">to strengthen authentication methods of
identity management systems;</text>
</paragraph><paragraph id="H2A656876C32A43669AE0CDF526BE1AC0"><enum>(3)</enum><text display-inline="yes-display-inline">to improve privacy protection in identity
management systems, including health information technology systems, through
authentication and security protocols; and</text>
</paragraph><paragraph id="HDA1984EDB8454CDB993E743978759941"><enum>(4)</enum><text display-inline="yes-display-inline">to improve the usability of identity
management systems.</text>
</paragraph></section><section id="H43CDC0FFF475498FACD9D3174DB09C3F"><enum>410.</enum><header>Federal
cybersecurity research and development</header>
<subsection id="HE19FC21B57D944E58EA291F100F5240B"><enum>(a)</enum><header>National Science
Foundation computer and network security research grant
areas</header><text>Section 4(a)(1) of the Cyber Security Research and
Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) is amended—</text>
<paragraph id="H332E995E43674BEFA8BCA8CEFA0FE93E"><enum>(1)</enum><text>in subparagraph
(H), by striking <quote>and</quote> after the semicolon;</text>
</paragraph><paragraph id="HB70D109DAD0D40A68CEF7A7175DBA2E7"><enum>(2)</enum><text>in subparagraph
(I), by striking <quote>property.</quote> and inserting
<quote>property;</quote>; and</text>
</paragraph><paragraph id="H5E090966E47D463089CE143888A064CF"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="H6789632EBF7C4074807654B242302120" style="OLC">
<subparagraph id="HCD9B4A6A6E8746D898E2AFB3B4CA75D2"><enum>(J)</enum><text>secure fundamental
protocols that are at the heart of inter-network communications and data
exchange;</text>
</subparagraph><subparagraph id="HDD41FE072D97424EB60B1103968B698E"><enum>(K)</enum><text>system security
that addresses the building of secure systems from trusted and untrusted
components;</text>
</subparagraph><subparagraph id="HF0924FF48F164D67BDC47AD330B6F025"><enum>(L)</enum><text>monitoring and
detection; and</text>
</subparagraph><subparagraph id="H36F83F2787D3480A889382820609C934"><enum>(M)</enum><text>resiliency and
rapid recovery
methods.</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H6A2FDBC4963240E29671C1CEC81B3394"><enum>(b)</enum><header>National Science
Foundation computer and network security grants</header><text>Section 4(a)(3)
of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(3)</external-xref>) is
amended—</text>
<paragraph id="H9A3EF96929304071A6ABBEA3F5F0C653"><enum>(1)</enum><text>in subparagraph
(D), by striking <quote>and</quote>;</text>
</paragraph><paragraph id="H80CE795154C9433FB6C6C67EE07567AB"><enum>(2)</enum><text>in subparagraph
(E), by striking <quote>2007.</quote> and inserting <quote>2007;</quote>;
and</text>
</paragraph><paragraph id="H63372EE285F24AC9AF362EDC37168BB5"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="H870F339ECFE946F0B4214BBD4E4A9BB8" style="OLC">
<subparagraph id="H1A8B991021A24E3794399BD05E750720"><enum>(F)</enum><text>such funds from
amounts made available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary
to carry out the requirements of this subsection for fiscal years 2014 through
2015.</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="HED46354A95D546B6870920C31A2BAF1E"><enum>(c)</enum><header>Computer and
network security centers</header><text>Section 4(b)(7) of the Cyber Security
Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(b)(7)</external-xref>) is amended—</text>
<paragraph id="H40C8C434DFBF4A889A3093604B3EC247"><enum>(1)</enum><text>in subparagraph
(D), by striking <quote>and</quote>;</text>
</paragraph><paragraph id="H1E646B1AD412441489F4BF583CC3236F"><enum>(2)</enum><text>in subparagraph
(E), by striking <quote>2007.</quote> and inserting <quote>2007;</quote>;
and</text>
</paragraph><paragraph id="HCAD8C9AC0493499985B0D38597689B24"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="H442980E7C2E24CEFBB707437B05DCA02" style="OLC">
<subparagraph id="H9B8DB1A9AF394E8493475C1C19FE033D"><enum>(F)</enum><text>such funds from
amounts made available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary
to carry out the requirements of this subsection for fiscal years 2014 through
2015.</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H6319763EA0474F37AB44A0ACFAC7C448"><enum>(d)</enum><header>Computer and
network security capacity building grants</header><text>Section 5(a)(6) of the
Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7404">15 U.S.C. 7404(a)(6)</external-xref>) is
amended—</text>
<paragraph id="HB51CDC4B925F43AA8CC3EDD736B52E4A"><enum>(1)</enum><text>in subparagraph
(D), by striking <quote>and</quote>;</text>
</paragraph><paragraph id="HCBDFAA8F71EF4A89AD65960C644C2967"><enum>(2)</enum><text>in subparagraph
(E), by striking <quote>2007.</quote> and inserting <quote>2007;</quote>;
and</text>
</paragraph><paragraph id="H9B2555943D2642F280129B27E8CDCBD2"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="H086BF50FBA8545109489751C17A52365" style="OLC">
<subparagraph id="HFACFCDE97CB94343A2DF06D9D8F2F3F4"><enum>(F)</enum><text>such funds from
amounts made available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary
to carry out the requirements of this subsection for fiscal years 2014 through
2015.</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H23C732FF94B24542854E31313C85D77C"><enum>(e)</enum><header>Scientific and
advanced technology Act grants</header><text>Section 5(b)(2) of the Cyber
Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7404">15 U.S.C. 7404(b)(2)</external-xref>) is amended—</text>
<paragraph id="HDCEB1E78A5B9417191B6CCEEC1D62644"><enum>(1)</enum><text>in subparagraph
(D), by striking <quote>and</quote>;</text>
</paragraph><paragraph id="HB957E94E52AF4174A984CB44C11EA5F9"><enum>(2)</enum><text>in subparagraph
(E), by striking <quote>2007. </quote> and inserting <quote>2007;</quote>;
and</text>
</paragraph><paragraph id="H4AD36A46426C4B049DE43458DDDD9AB3"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="HC212A1014FF7453D9364E14A1E1DF22A" style="OLC">
<subparagraph id="HDB3039373A384B46A5DBC5C3687DBC16"><enum>(F)</enum><text>such funds from
amounts made available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary
to carry out the requirements of this subsection for fiscal years 2014 through
2015.</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection><subsection id="H2F2FE5E63D6D49329275A74FD1FDAA7F"><enum>(f)</enum><header>Graduate
traineeships in computer and network security research</header><text>Section
5(c)(7) of the Cyber Security Research and Development Act (15 U.S.C.
7404(c)(7)) is amended—</text>
<paragraph id="HF5C4F37DBDB744CCA950933172B44E06"><enum>(1)</enum><text>in subparagraph
(D), by striking <quote>and</quote>;</text>
</paragraph><paragraph id="H446303E97D6B448BA43AD90CB2659769"><enum>(2)</enum><text>in subparagraph
(E), by striking <quote>2007.</quote> and inserting <quote>2007;</quote>;
and</text>
</paragraph><paragraph id="H14EB9DDF900940C49300A18EF5F6DD1D"><enum>(3)</enum><text>by adding at the
end the following:</text>
<quoted-block display-inline="no-display-inline" id="H347E130A892C4E3EA01594FA1E8FBCBF" style="OLC">
<subparagraph id="H304431E466F74F7EB41D537AD3CF0E46"><enum>(F)</enum><text>such funds from
amounts made available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary
to carry out the requirements of this subsection for fiscal years 2014 through
2015.</text>
</subparagraph><after-quoted-block>.</after-quoted-block></quoted-block>
</paragraph></subsection></section><enum>V</enum><header>Data
Security and Breach Notification</header>
<section id="HCCB88B6DED094D64BB51B180FCA2ED4C"><enum>501.</enum><header>Requirements
for information security</header><text display-inline="no-display-inline">Each
covered entity shall take reasonable measures to protect and secure data in
electronic form containing personal information.</text>
</section><section id="H0573721C07C5439AB4E59C3D96A2ABE2"><enum>502.</enum><header>Notification of
information security breach</header>
<subsection id="HFAE774339F0347B0BB462AAD0702818A"><enum>(a)</enum><header>Notification</header>
<paragraph id="H2589A0180E344CBCAF1CB68C19A8B163"><enum>(1)</enum><header>In
general</header><text>A covered entity that owns or licenses data in electronic
form containing personal information shall give notice of any breach of the
security of the system following discovery by the covered entity of the breach
of the security of the system to each individual who is a citizen or resident
of the United States whose personal information was or that the covered entity
reasonably believes to have been accessed and acquired by an unauthorized
person and that the covered entity reasonably believes has caused or will
cause, identity theft or other financial harm.</text>
</paragraph><paragraph id="HC4EAF93762F344DEA53D1A4253B5704B"><enum>(2)</enum><header>Law
enforcement</header><text>A covered entity shall notify the Secret Service or
the Federal Bureau of Investigation of the fact that a breach of security has
occurred if the number of individuals whose personal information the covered
entity reasonably believes to have been accessed and acquired by an
unauthorized person exceeds 10,000.</text>
</paragraph></subsection><subsection id="H7F3C5C5922904BF1A479E2875A634F66"><enum>(b)</enum><header>Special
notification requirements</header>
<paragraph id="H77BBFAFD96924AD79476C1018610952C"><enum>(1)</enum><header>Third-party
agents</header>
<subparagraph id="H906CD26A350D4C3F9AEFC914CB8C9802"><enum>(A)</enum><header>In
general</header><text>In the event of a breach of security of a system
maintained by a third-party entity that has been contracted to maintain, store,
or process data in electronic form containing personal information on behalf of
a covered entity who owns or possesses such data, such third-party entity shall
notify such covered entity of the breach of security.</text>
</subparagraph><subparagraph id="HBB8E9231B9F44D4DB78BDF4066EF4835"><enum>(B)</enum><header>Covered entities
who receive notice from third parties</header><text>Upon receiving notification
from a third party under subparagraph (A), a covered entity shall provide
notification as required under subsection (a).</text>
</subparagraph><subparagraph id="H2383CD6DC6AE4D5296334299D77B23BC"><enum>(C)</enum><header>Exception for
service providers</header><text>A service provider shall not be considered a
third-party agent for purposes of this paragraph.</text>
</subparagraph></paragraph><paragraph id="HAF1CC29D1CC042AE8ED3B5A570797292"><enum>(2)</enum><header>Service
providers</header>
<subparagraph id="HED85E72DFB4E4DD09B49C4809495F458"><enum>(A)</enum><header>In
general</header><text>If a service provider becomes aware of a breach of
security involving data in electronic form containing personal information that
is owned or possessed by a covered entity that connects to or uses a system or
network provided by the service provider for the purpose of transmitting,
routing, or providing intermediate or transient storage of such data, such
service provider shall notify the covered entity who initiated such connection,
transmission, routing, or storage if such covered entity can be reasonably
identified.</text>
</subparagraph><subparagraph id="H270C2E6992EE45F7B45ADEF0F8A81036"><enum>(B)</enum><header>Covered entities
who receive notice from service providers</header><text>Upon receiving
notification from a service provider under subparagraph (A), a covered entity
shall provide notification as required under subsection (a).</text>
</subparagraph></paragraph></subsection><subsection id="H1902453002AB4C6F91A433C52ADE4F19"><enum>(c)</enum><header>Timeliness of
notification</header>
<paragraph id="HEEE7484BF7E8446E8286981C7A161BE8"><enum>(1)</enum><header>In
general</header><text>Unless subject to a delay authorized under paragraph (2),
a notification required under subsection (a) with respect to a security breach
shall be made as expeditiously as practicable and without unreasonable delay,
consistent with any measures necessary to determine the scope of the security
breach and restore the reasonable integrity of the data system that was
breached.</text>
</paragraph><paragraph id="H60D24CEDAFBE45AE9FF2146861E77A0F"><enum>(2)</enum><header>Delay of
notification authorized for law enforcement or national security
purposes</header>
<subparagraph id="H2BDDB4F6006F4EE4B5775DE297BA8BCC"><enum>(A)</enum><header>Law
enforcement</header><text>If a Federal law enforcement agency determines that
the notification required under subsection (a) would impede a civil or criminal
investigation, such notification shall be delayed upon the written request of
the law enforcement agency for any period which the law enforcement agency
determines is reasonably necessary. A law enforcement agency may, by a
subsequent written request, revoke such delay or extend the period set forth in
the original request made under this subparagraph by a subsequent request if
further delay is necessary.</text>
</subparagraph><subparagraph id="HBAB7B7C2162C458AB7708668942F7E90"><enum>(B)</enum><header>National
security</header><text>If a Federal national security agency or homeland
security agency determines that the notification required under this section
would threaten national or homeland security, such notification may be delayed
upon the written request of the national security agency or homeland security
agency for any period which the national security agency or homeland security
agency determines is reasonably necessary. A Federal national security agency
or homeland security agency may revoke such delay or extend the period set
forth in the original request made under this subparagraph by a subsequent
written request if further delay is necessary.</text>
</subparagraph></paragraph></subsection><subsection id="H6F19AA16D59042919C476C82FD1C9FC9"><enum>(d)</enum><header>Method and
content of notification</header>
<paragraph id="H360C9B351D2149519732B4D960417F62"><enum>(1)</enum><header>Direct
notification</header>
<subparagraph id="H73A29B3224BB45E4B069A14617A2D081"><enum>(A)</enum><header>Method of
notification</header><text>A covered entity required to provide notification to
an individual under subsection (a) shall be in compliance with such requirement
if the covered entity provides such notice by one of the following
methods:</text>
<clause id="H746C0BF39F9646AA947482A8466E406F"><enum>(i)</enum><text>Written
notification, sent to the postal address of the individual in the records of
the covered entity.</text>
</clause><clause id="HF92A66854EAD4C179E6C160EB99CE2C8"><enum>(ii)</enum><text>Telephone.</text>
</clause><clause id="HCC771046BC5B4B189CAD11819A2F393F"><enum>(iii)</enum><text>Email or other
electronic means.</text>
</clause></subparagraph><subparagraph id="H07D9348B88F64AD787F0736D48475102"><enum>(B)</enum><header>Content of
notification</header><text>Regardless of the method by which notification is
provided to an individual under subparagraph (A) with respect to a security
breach, such notification, to the extent practicable, shall include—</text>
<clause id="H95AED6DD93704BD1A3469FBA482AF75F"><enum>(i)</enum><text>the
date, estimated date, or estimated date range of the breach of security;</text>
</clause><clause id="H9F22AC84EAD945CA86B538FE122D7762"><enum>(ii)</enum><text>a
description of the personal information that was accessed and acquired, or
reasonably believed to have been accessed and acquired, by an unauthorized
person as a part of the security breach; and</text>
</clause><clause id="H2563B021408A41FC9D70CFC65C0E26B9"><enum>(iii)</enum><text>information that
the individual can use to contact the covered entity to inquire about—</text>
<subclause id="H9DD96D3975384BB6A17D2B30BD918D78"><enum>(I)</enum><text>the breach of
security; or</text>
</subclause><subclause id="H75ADD15A89ED473DA8A1277C130AD2E7"><enum>(II)</enum><text>the information
the covered entity maintained about that individual.</text>
</subclause></clause></subparagraph></paragraph><paragraph id="HBF05FE030D1F49DCA7FE75072F70DB81"><enum>(2)</enum><header>Substitute
notification</header>
<subparagraph id="H5A683E1F758D416B823136E3DFB34675"><enum>(A)</enum><header>Circumstances
giving rise to substitute notification</header><text>A covered entity required
to provide notification to an individual under subsection (a) may provide
substitute notification in lieu of the direct notification required by
paragraph (1) if such direct notification is not feasible due to—</text>
<clause id="HC635B63465F74436A502BFAFB9C1A879"><enum>(i)</enum><text>excessive cost to
the covered entity required to provide such notification relative to the
resources of such covered entity; or</text>
</clause><clause id="H99D3759A742F400E864126F14197B8EA"><enum>(ii)</enum><text>lack of
sufficient contact information for the individual required to be
notified.</text>
</clause></subparagraph><subparagraph id="HB867D6C212134199B140ADF4B1CCAE13"><enum>(B)</enum><header>Form of
substitute notification</header><text>Such substitute notification shall
include at least one of the following:</text>
<clause id="H74B721AC90BF48FA82762A281C405F3C"><enum>(i)</enum><text>A
conspicuous notice on the Internet website of the covered entity (if such
covered entity maintains such a website).</text>
</clause><clause id="H0A8240D4187547BCBC38B3D5C42D375D"><enum>(ii)</enum><text>Notification in
print and to broadcast media, including major media in metropolitan and rural
areas where the individuals whose personal information was acquired
reside.</text>
</clause></subparagraph></paragraph></subsection><subsection id="HBE22C15D24DB45F98B58C9CE652FA11D"><enum>(e)</enum><header>Treatment of
persons governed by other Federal law</header><text>Except as provided in
section 503(b), a covered entity who is in compliance with any other Federal
law that requires such covered entity to provide notification to individuals
following a breach of security shall be deemed to be in compliance with this
section.</text>
</subsection></section><section id="H650982ADC884457BA69BF0A912CE68D5"><enum>503.</enum><header>Application and
enforcement</header>
<subsection id="HE429EBFC865F4F1287E51D06DBB4B9F5"><enum>(a)</enum><header>General
application</header><text>The requirements of sections 501 and 502 apply
to—</text>
<paragraph id="HC2D5A76A9344484E8A96CFAC494A1CD9"><enum>(1)</enum><text>those persons,
partnerships, or corporations over which the Commission has authority pursuant
to section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>);
and</text>
</paragraph><paragraph id="HA359479FA19B4AF59A1F329436EB37FB"><enum>(2)</enum><text>notwithstanding
section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>),
common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et
seq.).</text>
</paragraph></subsection><subsection id="HFA46316AB724419B9C4342FC3CAFD1CA"><enum>(b)</enum><header>Application to
cable operators, satellite operators, and telecommunications
carriers</header><text>Sections 222, 338, and 631 of the Communications Act of
1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 222</external-xref>, 338, and 551), and any regulations promulgated thereunder,
shall not apply with respect to the information security practices, including
practices relating to the notification of unauthorized access to data in
electronic form, of any covered entity otherwise subject to those
sections.</text>
</subsection><subsection id="HC3BCD42F0AE14C1896280A0EC85E0CEE"><enum>(c)</enum><header>Enforcement by
Federal Trade Commission</header>
<paragraph id="HADDB68553B6940788F152D42E7D0607B"><enum>(1)</enum><header>Unfair or
deceptive acts or practices</header><text>A violation of section 501 or 502
shall be treated as an unfair or deceptive act or practice in violation of a
regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15
U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.</text>
</paragraph><paragraph id="H4A055AF06D91438387E94E9A2731C936"><enum>(2)</enum><header>Powers of
commission</header>
<subparagraph id="H121B7FBDC2AB400CBEDA07EEE82C9E6D"><enum>(A)</enum><header>In
general</header><text>Except as provided in subsection (a), the Commission
shall enforce this title in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable terms and
provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were
incorporated into and made a part of this title.</text>
</subparagraph><subparagraph id="H18875E29DD374BF5AE2B7D32CB4670AA"><enum>(B)</enum><header>Privileges and
immunities</header><text>Any person who violates section 502 or 503 shall be
subject to the penalties and entitled to the privileges and immunities provided
in such Act.</text>
</subparagraph></paragraph><paragraph id="H7741B291E7F94E258AB8F44CBC007BBF"><enum>(3)</enum><header>Maximum total
liability</header><text>Notwithstanding the number of actions which may be
brought against a covered entity under this subsection, the maximum civil
penalty for which any covered entity may be liable under this subsection for
all actions shall not exceed—</text>
<subparagraph id="H3D98E88C10AE4E9BBE630C915E0CEF82"><enum>(A)</enum><text>$500,000 for all
violations of section 501 resulting from the same related act or omission;
and</text>
</subparagraph><subparagraph id="H35CB623EFC2246B2B57895D8C6C432E4"><enum>(B)</enum><text>$500,000 for all
violations of section 502 resulting from a single breach of security.</text>
</subparagraph></paragraph></subsection><subsection id="H17E7C8063CF542F7A78DD60B1C0BD6D6"><enum>(d)</enum><header>No private cause
of action</header><text>Nothing in this title shall be construed to establish a
private cause of action against a person for a violation of this title.</text>
</subsection></section><section id="H23EEDAD46B6D49C5AD8ADA7DBAE9CEF2"><enum>504.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text>
<paragraph id="H395F5198BC3A4D0CA12759493E56AC01"><enum>(1)</enum><header>Breach of
security</header><text>The term <term>breach of security</term> means
unauthorized access and acquisition of data in electronic form containing
personal information.</text>
</paragraph><paragraph id="H9640A6A3972A494D9A36575CDA169343"><enum>(2)</enum><header>Commission</header><text>The
term <term>Commission</term> means the Federal Trade Commission.</text>
</paragraph><paragraph id="H9CC6701D0F384B9AB7F9665DACD4142B"><enum>(3)</enum><header>Covered
entity</header>
<subparagraph id="H49BC3B4DA89F425D997FD9C46F937F6F"><enum>(A)</enum><header>In
general</header><text>The term <term>covered entity</term> means a sole
proprietorship, partnership, corporation, trust, estate, cooperative,
association, or other commercial entity that acquires, maintains, stores, or
utilizes personal information.</text>
</subparagraph><subparagraph id="H87DA8B1CE58D44F48097D76F5DA0A084"><enum>(B)</enum><header>Exemptions</header><text>The
term <term>covered entity</term> does not include the following:</text>
<clause id="H04AC16D681F5453CB3700904715A5187"><enum>(i)</enum><text>Financial
institutions subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801
et seq.).</text>
</clause><clause id="HAACA151D5A644CB0B3B72937555301C1"><enum>(ii)</enum><text>An
entity covered by the regulations issued under section 264(c) of the Health
Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="public-law" parsable-cite="pl/104/191">Public Law 104–191</external-xref>) to
the extent that such entity is subject to the requirements of such regulations
with respect to protected health information.</text>
</clause></subparagraph></paragraph><paragraph id="H9A90F9FE807F4E3B984747F7D9710DDC"><enum>(4)</enum><header>Data in
electronic form</header><text>The term <term>data in electronic form</term>
means any data stored electronically or digitally on any computer system or
other database and includes recordable tapes and other mass storage
devices.</text>
</paragraph><paragraph id="H672F7FD7254E43AC80676B72A22B6B38"><enum>(5)</enum><header>Personal
information</header>
<subparagraph id="H119C50AB77B24ABA9063431D2DB9D77A"><enum>(A)</enum><header>In
general</header><text>The term <term>personal information</term> means an
individual's first name or first initial and last name in combination with any
1 or more of the following data elements for that individual:</text>
<clause id="HA3E64ED8891D480BB38930E1A044DF41"><enum>(i)</enum><text>Social Security
number.</text>
</clause><clause id="H94AF02E517CA42D29316E724CA479502"><enum>(ii)</enum><text>Driver’s license
number, passport number, military identification number, or other similar
number issued on a government document used to verify identity.</text>
</clause><clause id="H8E9A02CBD8A5479CB051B31CADD4AD5E"><enum>(iii)</enum><text>Financial
account number, or credit or debit card number, and any required security code,
access code, or password that is necessary to permit access to an individual’s
financial account.</text>
</clause></subparagraph><subparagraph id="HEE347B432D81418F923B57AB602EC541"><enum>(B)</enum><header>Exclusions</header>
<clause id="HB2343072CC12477C9899346B0A21DB9E"><enum>(i)</enum><header>public record
information</header><text>Personal information does not include information
obtained about an individual which has been lawfully made publicly available by
a Federal, State, or local government entity or widely distributed by
media.</text>
</clause><clause id="HCC41069F26E94AF083F279684E5C7DF0"><enum>(ii)</enum><header>Encrypted,
redacted, or secured data</header><text>Personal information does not include
information that is encrypted, redacted, or secured by any other method or
technology that renders the data elements unusable.</text>
</clause></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="H14858EA08DE64488A6600C5047639647"><enum>(6)</enum><header>Service
provider</header><text>The term <term>service provider</term> means an entity
that provides electronic data transmission, routing, intermediate, and
transient storage, or connections to its system or network, where such entity
providing such services does not select or modify the content of the electronic
data, is not the sender or the intended recipient of the data, and does not
differentiate personal information from other information that such entity
transmits, routes, stores, or for which such entity provides connections. Any
such entity shall be treated as a service provider under this title only to the
extent that it is engaged in the provision of such transmission, routing,
intermediate and transient storage, or connections.</text>
</paragraph></section><section id="H67C988E68C0F4530919F900B36E29B0C"><enum>505.</enum><header>Effect on other
laws</header><text display-inline="no-display-inline">This title preempts any
law, rule, regulation, requirement, standard, or other provision having the
force and effect of law of any State, or political subdivision of a State,
relating to the protection or security of data in electronic form containing
personal information or the notification of a breach of security.</text>
</section><section id="HF1B8A979162743A984917EC6EBE594F8"><enum>506.</enum><header>Effective
date</header><text display-inline="no-display-inline">This title shall take
effect on the date that is 1 year after the date of enactment of this
Act.</text>
</section>