[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3696 Engrossed in House (EH)]

113th CONGRESS
  2d Session
                                H. R. 3696

_______________________________________________________________________

                                 AN ACT

To amend the Homeland Security Act of 2002 to make certain improvements 
regarding cybersecurity and critical infrastructure protection, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``National Cybersecurity and Critical 
Infrastructure Protection Act of 2014''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
           TITLE I--SECURING THE NATION AGAINST CYBER ATTACK

Sec. 101. Homeland Security Act of 2002 definitions.
Sec. 102. Enhancement of cybersecurity.
Sec. 103. Protection of critical infrastructure and information 
                            sharing.
Sec. 104. National Cybersecurity and Communications Integration Center.
Sec. 105. Cyber incident response and technical assistance.
Sec. 106. Streamlining of Department cybersecurity organization.
        TITLE II--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

Sec. 201. Public-private collaboration on cybersecurity.
Sec. 202. SAFETY Act and qualifying cyber incidents.
Sec. 203. Prohibition on new regulatory authority.
Sec. 204. Prohibition on additional authorization of appropriations.
Sec. 205. Prohibition on collection activities to track individuals' 
                            personally identifiable information.
Sec. 206. Cybersecurity scholars.
Sec. 207. National Research Council study on the resilience and 
                            reliability of the Nation's power grid.
          TITLE III--HOMELAND SECURITY CYBERSECURITY WORKFORCE

Sec. 301. Homeland security cybersecurity workforce.
Sec. 302. Personnel authorities.

           TITLE I--SECURING THE NATION AGAINST CYBER ATTACK

SEC. 101. HOMELAND SECURITY ACT OF 2002 DEFINITIONS.

    Section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101) is 
amended by adding at the end the following new paragraphs:
            ``(19) The term `critical infrastructure' has the meaning 
        given that term in section 1016(e) of the USA Patriot Act (42 
        U.S.C. 5195c(e)).
            ``(20) The term `critical infrastructure owner' means a 
        person that owns critical infrastructure.
            ``(21) The term `critical infrastructure operator' means a 
        critical infrastructure owner or other person that manages, 
        runs, or operates, in whole or in part, the day-to-day 
        operations of critical infrastructure.
            ``(22) The term `cyber incident' means an incident, or an 
        attempt to cause an incident, that, if successful, would--
                    ``(A) jeopardize or imminently jeopardize, without 
                lawful authority, the security, integrity, 
                confidentiality, or availability of an information 
                system or network of information systems or any 
                information stored on, processed on, or transiting such 
                a system or network;
                    ``(B) constitute a violation or imminent threat of 
                violation of law, security policies, security 
                procedures, or acceptable use policies related to such 
                a system or network, or an act of terrorism against 
                such a system or network; or
                    ``(C) result in the denial of access to or 
                degradation, disruption, or destruction of such a 
                system or network, or the defeat of an operations 
                control or technical control essential to the security 
                or operation of such a system or network.
            ``(23) The term `cybersecurity mission' means activities 
        that encompass the full range of threat reduction, 
        vulnerability reduction, deterrence, incident response, 
        resiliency, and recovery activities to foster the security and 
        stability of cyberspace.
            ``(24) The term `cybersecurity purpose' means the purpose 
        of ensuring the security, integrity, confidentiality, or 
        availability of, or safeguarding, an information system or 
        network of information systems, including protecting such a 
        system or network, or data residing on such a system or 
        network, including protection of such a system or network, 
        from--
                    ``(A) a vulnerability of such a system or network;
                    ``(B) a threat to the security, integrity, 
                confidentiality, or availability of such a system or 
                network, or any information stored on, processed on, or 
                transiting such a system or network;
                    ``(C) efforts to deny access to or degrade, 
                disrupt, or destroy such a system or network; or
                    ``(D) efforts to gain unauthorized access to such a 
                system or network, including to gain such unauthorized 
                access for the purpose of exfiltrating information 
                stored on, processed on, or transiting such a system or 
                network.
            ``(25) The term `cyber threat' means any action that may 
        result in unauthorized access to, exfiltration of, manipulation 
        of, harm of, or impairment to the security, integrity, 
        confidentiality, or availability of an information system or 
        network of information systems, or information that is stored 
        on, processed by, or transiting such a system or network.
            ``(26) The term `cyber threat information' means 
        information directly pertaining to--
                    ``(A) a vulnerability of an information system or 
                network of information systems of a government or 
                private entity;
                    ``(B) a threat to the security, integrity, 
                confidentiality, or availability of such a system or 
                network of a government or private entity, or any 
                information stored on, processed on, or transiting such 
                a system or network;
                    ``(C) efforts to deny access to or degrade, 
                disrupt, or destroy such a system or network of a 
                government or private entity;
                    ``(D) efforts to gain unauthorized access to such a 
                system or network, including to gain such unauthorized 
                access for the purpose of exfiltrating information 
                stored on, processed on, or transiting such a system or 
                network; or
                    ``(E) an act of terrorism against an information 
                system or network of information systems.
            ``(27) The term `Federal civilian information systems'--
                    ``(A) means information, information systems, and 
                networks of information systems that are owned, 
                operated, controlled, or licensed for use by, or on 
                behalf of, any Federal agency, including such systems 
                or networks used or operated by another entity on 
                behalf of a Federal agency; but
                    ``(B) does not include--
                            ``(i) a national security system; or
                            ``(ii) information, information systems, 
                        and networks of information systems that are 
                        owned, operated, controlled, or licensed solely 
                        for use by, or on behalf of, the Department of 
                        Defense, a military department, or an element 
                        of the intelligence community.
            ``(28) The term `information security' means the protection 
        of information, information systems, and networks of 
        information systems from unauthorized access, use, disclosure, 
        disruption, modification, or destruction in order to provide--
                    ``(A) integrity, including guarding against 
                improper information modification or destruction, 
                including ensuring nonrepudiation and authenticity;
                    ``(B) confidentiality, including preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and
                    ``(C) availability, including ensuring timely and 
                reliable access to and use of information.
            ``(29) The term `information system' means the underlying 
        framework and functions used to process, transmit, receive, or 
        store information electronically, including programmable 
        electronic devices, communications networks, and industrial or 
        supervisory control systems and any associated hardware, 
        software, or data.
            ``(30) The term `private entity' means any individual or 
        any private or publically-traded company, public or private 
        utility (including a utility that is a unit of a State or local 
        government, or a political subdivision of a State government), 
        organization, or corporation, including an officer, employee, 
        or agent thereof.
            ``(31) The term `shared situational awareness' means an 
        environment in which cyber threat information is shared in real 
        time between all designated Federal cyber operations centers to 
        provide actionable information about all known cyber 
        threats.''.

SEC. 102. ENHANCEMENT OF CYBERSECURITY.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002 is amended by adding at the end the following new section:

``SEC. 226. ENHANCEMENT OF CYBERSECURITY.

    ``The Secretary, in collaboration with the heads of other 
appropriate Federal Government entities, shall conduct activities for 
cybersecurity purposes, including the provision of shared situational 
awareness to each other to enable real-time, integrated, and 
operational actions to protect from, prevent, mitigate, respond to, and 
recover from cyber incidents.''.
    (b) Clerical Amendments.--
            (1) Subtitle heading.--The heading for subtitle C of title 
        II of such Act is amended to read as follows:

         ``Subtitle C--Cybersecurity and Information Sharing''.

            (2) Table of contents.--The table of contents in section 
        1(b) of such Act is amended--
                    (A) by adding after the item relating to section 
                225 the following new item:

``Sec. 226. Enhancement of cybersecurity.'';
                and
                    (B) by striking the item relating to subtitle C of 
                title II and inserting the following new item:

         ``Subtitle C--Cybersecurity and Information Sharing''.

SEC. 103. PROTECTION OF CRITICAL INFRASTRUCTURE AND INFORMATION 
              SHARING.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002, as amended by section 102, is further amended by adding at 
the end the following new section:

``SEC. 227. PROTECTION OF CRITICAL INFRASTRUCTURE AND INFORMATION 
              SHARING.

    ``(a) Protection of Critical Infrastructure.--
            ``(1) In general.--The Secretary shall coordinate, on an 
        ongoing basis, with Federal, State, and local governments, 
        national laboratories, critical infrastructure owners, critical 
        infrastructure operators, and other cross sector coordinating 
        entities to--
                    ``(A) facilitate a national effort to strengthen 
                and maintain secure, functioning, and resilient 
                critical infrastructure from cyber threats;
                    ``(B) ensure that Department policies and 
                procedures enable critical infrastructure owners and 
                critical infrastructure operators to receive real-time, 
                actionable, and relevant cyber threat information;
                    ``(C) seek industry sector-specific expertise to--
                            ``(i) assist in the development of 
                        voluntary security and resiliency strategies; 
                        and
                            ``(ii) ensure that the allocation of 
                        Federal resources is cost effective and reduces 
                        any burden on critical infrastructure owners 
                        and critical infrastructure operators;
                    ``(D) upon request of entities, facilitate and 
                assist risk management efforts of such entities to 
                reduce vulnerabilities, identify and disrupt threats, 
                and minimize consequences to their critical 
                infrastructure;
                    ``(E) upon request of critical infrastructure 
                owners or critical infrastructure operators, provide 
                education and assistance to such owners and operators 
                on how they may use protective measures and 
                countermeasures to strengthen the security and 
                resilience of the Nation's critical infrastructure; and
                    ``(F) coordinate a research and development 
                strategy to facilitate and promote advancements and 
                innovation in cybersecurity technologies to protect 
                critical infrastructure.
            ``(2) Additional responsibilities.--The Secretary shall--
                    ``(A) manage Federal efforts to secure, protect, 
                and ensure the resiliency of Federal civilian 
                information systems using a risk-based and performance-
                based approach, and, upon request of critical 
                infrastructure owners or critical infrastructure 
                operators, support such owners' and operators' efforts 
                to secure, protect, and ensure the resiliency of 
                critical infrastructure from cyber threats;
                    ``(B) direct an entity within the Department to 
                serve as a Federal civilian entity by and among 
                Federal, State, and local governments, private 
                entities, and critical infrastructure sectors to 
                provide multi-directional sharing of real-time, 
                actionable, and relevant cyber threat information;
                    ``(C) build upon existing mechanisms to promote a 
                national awareness effort to educate the general public 
                on the importance of securing information systems;
                    ``(D) upon request of Federal, State, and local 
                government entities and private entities, facilitate 
                expeditious cyber incident response and recovery 
                assistance, and provide analysis and warnings related 
                to threats to and vulnerabilities of critical 
                information systems, crisis and consequence management 
                support, and other remote or on-site technical 
                assistance with the heads of other appropriate Federal 
                agencies to Federal, State, and local government 
                entities and private entities for cyber incidents 
                affecting critical infrastructure;
                    ``(E) engage with international partners to 
                strengthen the security and resilience of domestic 
                critical infrastructure and critical infrastructure 
                located outside of the United States upon which the 
                United States depends; and
                    ``(F) conduct outreach to educational institutions, 
                including historically black colleges and universities, 
                Hispanic serving institutions, Native American 
                colleges, and institutions serving persons with 
                disabilities, to encourage such institutions to promote 
                cybersecurity awareness.
            ``(3) Rule of construction.--Nothing in this section may be 
        construed to require any private entity to request assistance 
        from the Secretary, or require any private entity requesting 
        such assistance to implement any measure or recommendation 
        suggested by the Secretary.
    ``(b) Critical Infrastructure Sectors.--The Secretary, in 
collaboration with the heads of other appropriate Federal agencies, 
shall designate critical infrastructure sectors (that may include 
subdivisions of sectors within a sector as the Secretary may determine 
appropriate). The critical infrastructure sectors designated under this 
subsection may include the following:
            ``(1) Chemical.
            ``(2) Commercial facilities.
            ``(3) Communications.
            ``(4) Critical manufacturing.
            ``(5) Dams.
            ``(6) Defense Industrial Base.
            ``(7) Emergency services.
            ``(8) Energy.
            ``(9) Financial services.
            ``(10) Food and agriculture.
            ``(11) Government facilities.
            ``(12) Healthcare and public health.
            ``(13) Information technology.
            ``(14) Nuclear reactors, materials, and waste.
            ``(15) Transportation systems.
            ``(16) Water and wastewater systems.
            ``(17) Such other sectors as the Secretary determines 
        appropriate.
    ``(c) Sector Specific Agencies.--The Secretary, in collaboration 
with the relevant critical infrastructure sector and the heads of other 
appropriate Federal agencies, shall recognize the Federal agency 
designated as of November 1, 2013, as the `Sector Specific Agency' for 
each critical infrastructure sector designated under subsection (b). If 
the designated Sector Specific Agency for a particular critical 
infrastructure sector is the Department, for the purposes of this 
section, the Secretary shall carry out this section. The Secretary, in 
coordination with the heads of each such Sector Specific Agency shall--
            ``(1) support the security and resilience activities of the 
        relevant critical infrastructure sector in accordance with this 
        subtitle; and
            ``(2) provide institutional knowledge and specialized 
        expertise to the relevant critical infrastructure sector.
    ``(d) Sector Coordinating Councils.--
            ``(1) Recognition.--The Secretary, in collaboration with 
        each critical infrastructure sector and the relevant Sector 
        Specific Agency, shall recognize and partner with the Sector 
        Coordinating Council for each critical infrastructure sector 
        designated under subsection (b) to coordinate with each such 
        sector on security and resilience activities and emergency 
        response and recovery efforts.
            ``(2) Membership.--
                    ``(A) In general.--The Sector Coordinating Council 
                for a critical infrastructure sector designated under 
                subsection (b) shall--
                            ``(i) be comprised exclusively of relevant 
                        critical infrastructure owners, critical 
                        infrastructure operators, private entities, and 
                        representative trade associations for the 
                        sector;
                            ``(ii) reflect the unique composition of 
                        each sector; and
                            ``(iii) as appropriate, include relevant 
                        small, medium, and large critical 
                        infrastructure owners, critical infrastructure 
                        operators, private entities, and representative 
                        trade associations for the sector.
                    ``(B) Prohibition.--No government entity with 
                regulating authority shall be a member of the Sector 
                Coordinating Council.
                    ``(C) Limitation.--The Secretary shall have no role 
                in the determination of the membership of a Sector 
                Coordinating Council.
            ``(3) Roles and responsibilities.--The Sector Coordinating 
        Council for a critical infrastructure sector shall--
                    ``(A) serve as a self-governing, self-organized 
                primary policy, planning, and strategic communications 
                entity for coordinating with the Department, the 
                relevant Sector-Specific Agency designated under 
                subsection (c), and the relevant Information Sharing 
                and Analysis Centers under subsection (e) on security 
                and resilience activities and emergency response and 
                recovery efforts;
                    ``(B) establish governance and operating 
                procedures, and designate a chairperson for the sector 
                to carry out the activities described in this 
                subsection;
                    ``(C) coordinate with the Department, the relevant 
                Information Sharing and Analysis Centers under 
                subsection (e), and other Sector Coordinating Councils 
                to update, maintain, and exercise the National 
                Cybersecurity Incident Response Plan in accordance with 
                section 229(b); and
                    ``(D) provide any recommendations to the Department 
                on infrastructure protection technology gaps to help 
                inform research and development efforts at the 
                Department.
    ``(e) Sector Information Sharing and Analysis Centers.--
            ``(1) Recognition.--The Secretary, in collaboration with 
        the relevant Sector Coordinating Council and the critical 
        infrastructure sector represented by such Council, and in 
        coordination with the relevant Sector Specific Agency, shall 
        recognize at least one Information Sharing and Analysis Center 
        for each critical infrastructure sector designated under 
        subsection (b) for purposes of paragraph (3). No other 
        Information Sharing and Analysis Organizations, including 
        Information Sharing and Analysis Centers, may be precluded from 
        having an information sharing relationship within the National 
        Cybersecurity and Communications Integration Center established 
        pursuant to section 228. Nothing in this subsection or any 
        other provision of this subtitle may be construed to limit, 
        restrict, or condition any private entity or activity utilized 
        by, among, or between private entities.
            ``(2) Roles and responsibilities.--In addition to such 
        other activities as may be authorized by law, at least one 
        Information Sharing and Analysis Center for a critical 
        infrastructure sector shall--
                    ``(A) serve as an information sharing resource for 
                such sector and promote ongoing multi-directional 
                sharing of real-time, relevant, and actionable cyber 
                threat information and analysis by and among such 
                sector, the Department, the relevant Sector Specific 
                Agency, and other critical infrastructure sector 
                Information Sharing and Analysis Centers;
                    ``(B) establish governance and operating procedures 
                to carry out the activities conducted under this 
                subsection;
                    ``(C) serve as an emergency response and recovery 
                operations coordination point for such sector, and upon 
                request, facilitate cyber incident response 
                capabilities in coordination with the Department, the 
                relevant Sector Specific Agency and the relevant Sector 
                Coordinating Council;
                    ``(D) facilitate cross-sector coordination and 
                sharing of cyber threat information to prevent related 
                or consequential impacts to other critical 
                infrastructure sectors;
                    ``(E) coordinate with the Department, the relevant 
                Sector Coordinating Council, the relevant Sector 
                Specific Agency, and other critical infrastructure 
                sector Information Sharing and Analysis Centers on the 
                development, integration, and implementation of 
                procedures to support technology neutral, real-time 
                information sharing capabilities and mechanisms within 
                the National Cybersecurity and Communications 
                Integration Center established pursuant to section 228, 
                including--
                            ``(i) the establishment of a mechanism to 
                        voluntarily report identified vulnerabilities 
                        and opportunities for improvement;
                            ``(ii) the establishment of metrics to 
                        assess the effectiveness and timeliness of the 
                        Department's and Information Sharing and 
                        Analysis Centers' information sharing 
                        capabilities; and
                            ``(iii) the establishment of a mechanism 
                        for anonymous suggestions and comments;
                    ``(F) implement an integration and analysis 
                function to inform sector planning, risk mitigation, 
                and operational activities regarding the protection of 
                each critical infrastructure sector from cyber 
                incidents;
                    ``(G) combine consequence, vulnerability, and 
                threat information to share actionable assessments of 
                critical infrastructure sector risks from cyber 
                incidents;
                    ``(H) coordinate with the Department, the relevant 
                Sector Specific Agency, and the relevant Sector 
                Coordinating Council to update, maintain, and exercise 
                the National Cybersecurity Incident Response Plan in 
                accordance with section 229(b); and
                    ``(I) safeguard cyber threat information from 
                unauthorized disclosure.
            ``(3) Funding.--Of the amounts authorized to be 
        appropriated for each of fiscal years 2014, 2015, and 2016 for 
        the Cybersecurity and Communications Office of the Department, 
        the Secretary is authorized to use not less than $25,000,000 
        for any such year for operations support at the National 
        Cybersecurity and Communications Integration Center established 
        under section 228(a) of all recognized Information Sharing and 
        Analysis Centers under paragraph (1) of this subsection.
    ``(f) Clearances.--The Secretary--
            ``(1) shall expedite the process of security clearances 
        under Executive Order No. 13549 or successor orders for 
        appropriate representatives of Sector Coordinating Councils and 
        the critical infrastructure sector Information Sharing and 
        Analysis Centers; and
            ``(2) may so expedite such processing to--
                    ``(A) appropriate personnel of critical 
                infrastructure owners and critical infrastructure 
                operators; and
                    ``(B) any other person as determined by the 
                Secretary.
    ``(g) Public-Private Collaboration.--The Secretary, in 
collaboration with the critical infrastructure sectors designated under 
subsection (b), such sectors' Sector Specific Agencies recognized under 
subsection (c), and the Sector Coordinating Councils recognized under 
subsection (d), shall--
            ``(1) conduct an analysis and review of the existing 
        public-private partnership model and evaluate how the model 
        between the Department and critical infrastructure owners and 
        critical infrastructure operators can be improved to ensure the 
        Department, critical infrastructure owners, and critical 
        infrastructure operators are equal partners and regularly 
        collaborate on all programs and activities of the Department to 
        protect critical infrastructure;
            ``(2) develop and implement procedures to ensure 
        continuous, collaborative, and effective interactions between 
        the Department, critical infrastructure owners, and critical 
        infrastructure operators; and
            ``(3) ensure critical infrastructure sectors have a 
        reasonable period for review and comment of all jointly 
        produced materials with the Department.
    ``(h) Recommendations Regarding New Agreements.--Not later than 180 
days after the date of the enactment of this section, the Secretary 
shall submit to the appropriate congressional committees 
recommendations on how to expedite the implementation of information 
sharing agreements for cybersecurity purposes between the Secretary and 
critical information owners and critical infrastructure operators and 
other private entities. Such recommendations shall address the 
development and utilization of a scalable form that retains all privacy 
and other protections in such agreements in existence as of such date, 
including Cooperative and Research Development Agreements. Such 
recommendations should also include any additional authorities or 
resources that may be needed to carry out the implementation of any 
such new agreements.
    ``(i) Rule of Construction.--No provision of this title may be 
construed as modifying, limiting, or otherwise affecting the authority 
of any other Federal agency under any other provision of law.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by adding after the item relating to section 226 
(as added by section 102) the following new item:

``Sec. 227. Protection of critical infrastructure and information 
                            sharing.''.

SEC. 104. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002, as amended by sections 102 and 103, is further amended by 
adding at the end the following new section:

``SEC. 228. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION 
              CENTER.

    ``(a) Establishment.--There is established in the Department the 
National Cybersecurity and Communications Integration Center (referred 
to in this section as the `Center'), which shall be a Federal civilian 
information sharing interface that provides shared situational 
awareness to enable real-time, integrated, and operational actions 
across the Federal Government, and share cyber threat information by 
and among Federal, State, and local government entities, Information 
Sharing and Analysis Centers, private entities, and critical 
infrastructure owners and critical infrastructure operators that have 
an information sharing relationship with the Center.
    ``(b) Composition.--The Center shall include each of the following 
entities:
            ``(1) At least one Information Sharing and Analysis Center 
        established under section 227(e) for each critical 
        infrastructure sector.
            ``(2) The Multi-State Information Sharing and Analysis 
        Center to collaborate with State and local governments.
            ``(3) The United States Computer Emergency Readiness Team 
        to coordinate cyber threat information sharing, proactively 
        manage cyber risks to the United States, collaboratively 
        respond to cyber incidents, provide technical assistance to 
        information system owners and operators, and disseminate timely 
        notifications regarding current and potential cyber threats and 
        vulnerabilities.
            ``(4) The Industrial Control System Cyber Emergency 
        Response Team to coordinate with industrial control systems 
        owners and operators and share industrial control systems-
        related security incidents and mitigation measures.
            ``(5) The National Coordinating Center for 
        Telecommunications to coordinate the protection, response, and 
        recovery of national security emergency communications.
            ``(6) Such other Federal, State, and local government 
        entities, private entities, organizations, or individuals as 
        the Secretary may consider appropriate that agree to be 
        included.
    ``(c) Cyber Incident.--In the event of a cyber incident, the 
Secretary may grant the entities referred to in subsection (a) 
immediate temporary access to the Center as a situation may warrant.
    ``(d) Roles and Responsibilities.--The Center shall--
            ``(1) promote ongoing multi-directional sharing by and 
        among the entities referred to in subsection (a) of timely and 
        actionable cyber threat information and analysis on a real-time 
        basis that includes emerging trends, evolving threats, incident 
        reports, intelligence information, risk assessments, and best 
        practices;
            ``(2) coordinate with other Federal agencies to streamline 
        and reduce redundant reporting of cyber threat information;
            ``(3) provide, upon request, timely technical assistance 
        and crisis management support to Federal, State, and local 
        government entities and private entities that own or operate 
        information systems or networks of information systems to 
        protect from, prevent, mitigate, respond to, and recover from 
        cyber incidents;
            ``(4) facilitate cross-sector coordination and sharing of 
        cyber threat information to prevent related or consequential 
        impacts to other critical infrastructure sectors;
            ``(5) collaborate and facilitate discussions with Sector 
        Coordinating Councils, Information Sharing and Analysis 
        Centers, Sector Specific Agencies, and relevant critical 
        infrastructure sectors on the development of prioritized 
        Federal response efforts, if necessary, to support the defense 
        and recovery of critical infrastructure from cyber incidents;
            ``(6) collaborate with the Sector Coordinating Councils, 
        Information Sharing and Analysis Centers, Sector Specific 
        Agencies, and the relevant critical infrastructure sectors on 
        the development and implementation of procedures to support 
        technology neutral real-time information sharing capabilities 
        and mechanisms;
            ``(7) collaborate with the Sector Coordinating Councils, 
        Information Sharing and Analysis Centers, Sector Specific 
        Agencies, and the relevant critical infrastructure sectors to 
        identify requirements for data and information formats and 
        accessibility, system interoperability, and redundant systems 
        and alternative capabilities in the event of a disruption in 
        the primary information sharing capabilities and mechanisms at 
        the Center;
            ``(8) within the scope of relevant treaties, cooperate with 
        international partners to share information and respond to 
        cyber incidents;
            ``(9) safeguard sensitive cyber threat information from 
        unauthorized disclosure;
            ``(10) require other Federal civilian agencies to--
                    ``(A) send reports and information to the Center 
                about cyber incidents, threats, and vulnerabilities 
                affecting Federal civilian information systems and 
                critical infrastructure systems and, in the event a 
                private vendor product or service of such an agency is 
                so implicated, the Center shall first notify such 
                private vendor of the vulnerability before further 
                disclosing such information;
                    ``(B) provide to the Center cyber incident 
                detection, analysis, mitigation, and response 
                information; and
                    ``(C) immediately send and disclose to the Center 
                cyber threat information received by such agencies;
            ``(11) perform such other duties as the Secretary may 
        require to facilitate a national effort to strengthen and 
        maintain secure, functioning, and resilient critical 
        infrastructure from cyber threats;
            ``(12) implement policies and procedures to--
                    ``(A) provide technical assistance to Federal 
                civilian agencies to prevent and respond to data 
                breaches involving unauthorized acquisition or access 
                of personally identifiable information that occur on 
                Federal civilian information systems;
                    ``(B) require Federal civilian agencies to notify 
                the Center about data breaches involving unauthorized 
                acquisition or access of personally identifiable 
                information that occur on Federal civilian information 
                systems without unreasonable delay after the discovery 
                of such a breach; and
                    ``(C) require Federal civilian agencies to notify 
                all potential victims of a data breach involving 
                unauthorized acquisition or access of personally 
                identifiable information that occur on Federal civilian 
                information systems without unreasonable delay, based 
                on a reasonable determination of the level of risk of 
                harm and consistent with the needs of law enforcement; 
                and
            ``(13) participate in exercises run by the Department's 
        National Exercise Program, where appropriate.
    ``(e) Integration and Analysis.--The Center, in coordination with 
the Office of Intelligence and Analysis of the Department, shall 
maintain an integration and analysis function, which shall--
            ``(1) integrate and analyze all cyber threat information 
        received from other Federal agencies, State and local 
        governments, Information Sharing and Analysis Centers, private 
        entities, critical infrastructure owners, and critical 
        infrastructure operators, and share relevant information in 
        near real-time;
            ``(2) on an ongoing basis, assess and evaluate consequence, 
        vulnerability, and threat information to share with the 
        entities referred to in subsection (a) actionable assessments 
        of critical infrastructure sector risks from cyber incidents 
        and to assist critical infrastructure owners and critical 
        infrastructure operators by making recommendations to 
        facilitate continuous improvements to the security and 
        resiliency of the critical infrastructure of the United States;
            ``(3) facilitate cross-sector integration, identification, 
        and analysis of key interdependencies to prevent related or 
        consequential impacts to other critical infrastructure sectors;
            ``(4) collaborate with the Information Sharing and Analysis 
        Centers to tailor the analysis of information to the specific 
        characteristics and risk to a relevant critical infrastructure 
        sector; and
            ``(5) assess and evaluate consequence, vulnerability, and 
        threat information regarding cyber incidents in coordination 
        with the Office of Emergency Communications of the Department 
        to help facilitate continuous improvements to the security and 
        resiliency of public safety communications networks.
    ``(f) Report of Cyber Attacks Against Federal Government 
Networks.--The Secretary shall submit to the Committee on Homeland 
Security of the House of Representatives, the Committee on Homeland 
Security and Governmental Affairs of the Senate, and the Comptroller 
General of the United States an annual report that summarizes major 
cyber incidents involving Federal civilian agency information systems 
and provides aggregate statistics on the number of breaches, the extent 
of any personally identifiable information that was involved, the 
volume of data exfiltrated, the consequential impact, and the estimated 
cost of remedying such breaches.
    ``(g) Report on the Operations of the Center.--The Secretary, in 
consultation with the Sector Coordinating Councils and appropriate 
Federal Government entities, shall submit to the Committee on Homeland 
Security of the House of Representatives, the Committee on Homeland 
Security and Governmental Affairs of the Senate, and the Comptroller 
General of the United States an annual report on--
            ``(1) the capability and capacity of the Center to carry 
        out its cybersecurity mission in accordance with this section, 
        and sections 226, 227, 229, 230, 230A, and 230B;
            ``(2) the extent to which the Department is engaged in 
        information sharing with each critical infrastructure sector 
        designated under section 227(b), including--
                    ``(A) the extent to which each such sector has 
                representatives at the Center; and
                    ``(B) the extent to which critical infrastructure 
                owners and critical infrastructure operators of each 
                critical infrastructure sector participate in 
                information sharing at the Center;
            ``(3) the volume and range of activities with respect to 
        which the Secretary collaborated with the Sector Coordinating 
        Councils and the Sector-Specific Agencies to promote greater 
        engagement with the Center; and
            ``(4) the volume and range of voluntary technical 
        assistance sought and provided by the Department to each 
        critical infrastructure owner and critical infrastructure 
        operator.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by adding after the item relating to section 227 
(as added by section 103) the following new item:

``Sec. 228. National Cybersecurity and Communications Integration 
                            Center.''.
    (c) GAO Report.--Not later than one year after the date of the 
enactment of this Act, the Comptroller General of the United States 
shall submit to the Committee on Homeland Security of the House of 
Representatives and the Committee on Homeland Security and Governmental 
Affairs of the Senate a report on the effectiveness of the National 
Cybersecurity and Communications Integration Center established under 
section 228 of the Homeland Security Act of 2002, as added by 
subsection (a) of this section, in carrying out its cybersecurity 
mission (as such term is defined in section 2 of the Homeland Security 
Act of 2002, as amended by section 101) in accordance with this Act and 
such section 228 and sections 226, 227, 229, 230, 230A, and 230B of the 
Homeland Security Act of 2002, as added by this Act.

SEC. 105. CYBER INCIDENT RESPONSE AND TECHNICAL ASSISTANCE.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002, as amended by sections 102, 103, and 104, is further 
amended by adding at the end the following new section:

``SEC. 229. CYBER INCIDENT RESPONSE AND TECHNICAL ASSISTANCE.

    ``(a) In General.--The Secretary shall establish Cyber Incident 
Response Teams to--
            ``(1) upon request, provide timely technical assistance and 
        crisis management support to Federal, State, and local 
        government entities, private entities, and critical 
        infrastructure owners and critical infrastructure operators 
        involving cyber incidents affecting critical infrastructure; 
        and
            ``(2) upon request, provide actionable recommendations on 
        security and resilience measures and countermeasures to 
        Federal, State, and local government entities, private 
        entities, and critical infrastructure owners and critical 
        infrastructure operators prior to, during, and after cyber 
        incidents.
    ``(b) Coordination.--In carrying out subsection (a), the Secretary 
shall coordinate with the relevant Sector Specific Agencies, if 
applicable.
    ``(c) Cyber Incident Response Plan.--The Secretary, in coordination 
with the Sector Coordinating Councils, Information Sharing and Analysis 
Centers, and Federal, State, and local governments, shall develop, 
regularly update, maintain, and exercise a National Cybersecurity 
Incident Response Plan which shall--
            ``(1) include effective emergency response plans associated 
        with cyber threats to critical infrastructure, information 
        systems, or networks of information systems;
            ``(2) ensure that such National Cybersecurity Incident 
        Response Plan can adapt to and reflect a changing cyber threat 
        environment, and incorporate best practices and lessons learned 
        from regular exercises, training, and after-action reports; and
            ``(3) facilitate discussions on the best methods for 
        developing innovative and useful cybersecurity exercises for 
        coordinating between the Department and each of the critical 
        infrastructure sectors designated under section 227(b).
    ``(d) Update to Cyber Incident Annex to the National Response 
Framework.--The Secretary, in coordination with the heads of other 
Federal agencies and in accordance with the National Cybersecurity 
Incident Response Plan under subsection (c), shall regularly update, 
maintain, and exercise the Cyber Incident Annex to the National 
Response Framework of the Department.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by adding after the item relating to section 228 
(as added by section 104) the following new item:

``Sec. 229. Cyber incident response and technical assistance.''.

SEC. 106. STREAMLINING OF DEPARTMENT CYBERSECURITY ORGANIZATION.

    (a) Cybersecurity and Infrastructure Protection Directorate.--The 
National Protection and Programs Directorate of the Department of 
Homeland Security shall, after the date of the enactment of this Act, 
be known and designated as the ``Cybersecurity and Infrastructure 
Protection Directorate''. Any reference to the National Protection and 
Programs Directorate of the Department in any law, regulation, map, 
document, record, or other paper of the United States shall be deemed 
to be a reference to the Cybersecurity and Infrastructure Protection 
Directorate of the Department.
    (b) Senior Leadership of the Cybersecurity and Infrastructure 
Protection Directorate.--
            (1) In general.--Paragraph (1) of section 103(a) of the 
        Homeland Security Act of 2002 (6 U.S.C. 113(a)) is amended by 
        adding at the end the following new subparagraphs:
                    ``(K) Under Secretary for Cybersecurity and 
                Infrastructure Protection.
                    ``(L) Deputy Under Secretary for Cybersecurity.
                    ``(M) Deputy Under Secretary for Infrastructure 
                Protection.''.
            (2) Continuation in office.--The individuals who hold the 
        positions referred to in subparagraphs (K), (L), and (M) of 
        subsection (a) of section 103 of the Homeland Security Act of 
        2002 (as added by paragraph (1) of this subsection) as of the 
        date of the enactment of this Act may continue to hold such 
        positions.
    (c) Report on Improving the Capability and Effectiveness of the 
Cybersecurity and Communications Office.--To improve the operational 
capability and effectiveness in carrying out the cybersecurity mission 
(as such term is defined in section 2 of the Homeland Security Act of 
2002, as amended by section 101) of the Department of Homeland 
Security, the Secretary of Homeland Security shall submit to the 
Committee on Homeland Security of the House of Representatives and the 
Committee on Homeland Security and Governmental Affairs of the Senate a 
report on--
            (1) the feasibility of making the Cybersecurity and 
        Communications Office of the Department an operational 
        component of the Department;
            (2) recommendations for restructuring the SAFETY Act Office 
        within the Department to protect and maintain operations in 
        accordance with the Office's mission to provide incentives for 
        the development and deployment of anti-terrorism technologies 
        while elevating the profile and mission of the Office, 
        including the feasibility of utilizing third-party registrars 
        for improving the throughput and effectiveness of the 
        certification process.
    (d) Report on Cybersecurity Acquisition Capabilities.--The 
Secretary of Homeland Security shall assess the effectiveness of the 
Department of Homeland Security's acquisition processes and the use of 
existing authorities for acquiring cybersecurity technologies to ensure 
that such processes and authorities are capable of meeting the needs 
and demands of the Department's cybersecurity mission (as such term is 
defined in section 2 of the Homeland Security Act of 2002, as amended 
by section 101). Not later than 180 days after the date of the 
enactment of this Act, the Secretary shall submit to the Committee on 
Homeland Security of the House of Representatives and the Committee on 
Homeland Security and Governmental Affairs of the Senate a report on 
the effectiveness of the Department's acquisition processes for 
cybersecurity technologies.
    (e) Resource Information.--The Secretary of Homeland Security shall 
make available Department of Homeland Security contact information to 
serve as a resource for Sector Coordinating Councils and critical 
infrastructure owners and critical infrastructure operators to better 
coordinate cybersecurity efforts with the Department relating to 
emergency response and recovery efforts for cyber incidents.

        TITLE II--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

SEC. 201. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.

    (a) National Institute of Standards and Technology.--
            (1) In general.--The Director of the National Institute of 
        Standards and Technology, in coordination with the Secretary of 
        Homeland Security, shall, on an ongoing basis, facilitate and 
        support the development of a voluntary, industry-led set of 
        standards, guidelines, best practices, methodologies, 
        procedures, and processes to reduce cyber risks to critical 
        infrastructure. The Director, in coordination with the 
        Secretary--
                    (A) shall--
                            (i) coordinate closely and continuously 
                        with relevant private entities, critical 
                        infrastructure owners and critical 
                        infrastructure operators, Sector Coordinating 
                        Councils, Information Sharing and Analysis 
                        Centers, and other relevant industry 
                        organizations, and incorporate industry 
                        expertise to the fullest extent possible;
                            (ii) consult with the Sector Specific 
                        Agencies, Federal, State and local governments, 
                        the governments of other countries, and 
                        international organizations;
                            (iii) utilize a prioritized, flexible, 
                        repeatable, performance-based, and cost-
                        effective approach, including information 
                        security measures and controls, that may be 
                        voluntarily adopted by critical infrastructure 
                        owners and critical infrastructure operators to 
                        help them identify, assess, and manage cyber 
                        risks;
                            (iv) include methodologies to--
                                    (I) identify and mitigate impacts 
                                of the cybersecurity measures or 
                                controls on business confidentiality; 
                                and
                                    (II) protect individual privacy and 
                                civil liberties;
                            (v) incorporate voluntary consensus 
                        standards and industry best practices, and 
                        align with voluntary international standards to 
                        the fullest extent possible;
                            (vi) prevent duplication of regulatory 
                        processes and prevent conflict with or 
                        superseding of regulatory requirements, 
                        mandatory standards, and processes; and
                            (vii) include such other similar and 
                        consistent elements as determined necessary; 
                        and
                    (B) shall not prescribe or otherwise require--
                            (i) the use of specific solutions;
                            (ii) the use of specific information 
                        technology products or services; or
                            (iii) that information technology products 
                        or services be designed, developed, or 
                        manufactured in a particular manner.
            (2) Limitation.--Information shared with or provided to the 
        Director of the National Institute of Standards and Technology 
        or the Secretary of Homeland Security for the purpose of the 
        activities under paragraph (1) may not be used by any Federal, 
        State, or local government department or agency to regulate the 
        activity of any private entity.
    (b) Amendment.--
            (1) In general.--Subtitle C of title II of the Homeland 
        Security Act of 2002, as amended by sections 102, 103, 104, and 
        105, is further amended by adding at the end the following new 
        section:

``SEC. 230. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.

    ``(a) Meetings.--The Secretary shall meet with the Sector 
Coordinating Council for each critical infrastructure sector designated 
under section 227(b) on a biannual basis to discuss the cybersecurity 
threat to critical infrastructure, voluntary activities to address 
cybersecurity, and ideas to improve the public-private partnership to 
enhance cybersecurity, in which the Secretary shall--
            ``(1) provide each Sector Coordinating Council an 
        assessment of the cybersecurity threat to each critical 
        infrastructure sector designated under section 227(b), 
        including information relating to--
                    ``(A) any actual or assessed cyber threat, 
                including a consideration of adversary capability and 
                intent, preparedness, target attractiveness, and 
                deterrence capabilities;
                    ``(B) the extent and likelihood of death, injury, 
                or serious adverse effects to human health and safety 
                caused by an act of terrorism or other disruption, 
                destruction, or unauthorized use of critical 
                infrastructure;
                    ``(C) the threat to national security caused by an 
                act of terrorism or other disruption, destruction, or 
                unauthorized use of critical infrastructure; and
                    ``(D) the harm to the economy that would result 
                from an act of terrorism or other disruption, 
                destruction, or unauthorized use of critical 
                infrastructure; and
            ``(2) provide recommendations, which may be voluntarily 
        adopted, on ways to improve cybersecurity of critical 
        infrastructure.
    ``(b) Report.--
            ``(1) In general.--Starting 30 days after the end of the 
        fiscal year in which the National Cybersecurity and Critical 
        Infrastructure Protection Act of 2013 is enacted and annually 
        thereafter, the Secretary shall submit to the appropriate 
        congressional committees a report on the state of cybersecurity 
        for each critical infrastructure sector designated under 
        section 227(b) based on discussions between the Department and 
        the Sector Coordinating Council in accordance with subsection 
        (a) of this section. The Secretary shall maintain a public copy 
        of each report, and each report may include a non-public annex 
        for proprietary, business-sensitive information, or other 
        sensitive information. Each report shall include, at a minimum, 
        information relating to--
                    ``(A) the risk to each critical infrastructure 
                sector, including known cyber threats, vulnerabilities, 
                and potential consequences;
                    ``(B) the extent and nature of any cybersecurity 
                incidents during the previous year, including the 
                extent to which cyber incidents jeopardized or 
                imminently jeopardized information systems;
                    ``(C) the current status of the voluntary, 
                industry-led set of standards, guidelines, best 
                practices, methodologies, procedures, and processes to 
                reduce cyber risks within each critical infrastructure 
                sector; and
                    ``(D) the volume and range of voluntary technical 
                assistance sought and provided by the Department to 
                each critical infrastructure sector.
            ``(2) Sector coordinating council response.--Before making 
        public and submitting each report required under paragraph (1), 
        the Secretary shall provide a draft of each report to the 
        Sector Coordinating Council for the critical infrastructure 
        sector covered by each such report. The Sector Coordinating 
        Council at issue may provide to the Secretary a written 
        response to such report within 45 days of receiving the draft. 
        If such Sector Coordinating Council provides a written 
        response, the Secretary shall include such written response in 
        the final version of each report required under paragraph (1).
    ``(c) Limitation.--Information shared with or provided to a Sector 
Coordinating Council, a critical infrastructure sector, or the 
Secretary for the purpose of the activities under subsections (a) and 
(b) may not be used by any Federal, State, or local government 
department or agency to regulate the activity of any private entity.''.
            (2) Clerical amendment.--The table of contents in section 
        1(b) of such Act is amended by adding after the item relating 
        to section 229 (as added by section 105) the following new 
        item:

``Sec. 230. Public-private collaboration on cybersecurity.''.

SEC. 202. SAFETY ACT AND QUALIFYING CYBER INCIDENTS.

    (a) In General.--The Support Anti-Terrorism By Fostering Effective 
Technologies Act of 2002 (6 U.S.C. 441 et seq.) is amended--
            (1) in section 862(b) (6 U.S.C. 441(b))--
                    (A) in the heading, by striking ``Designation of 
                Qualified Anti-Terrorism Technologies'' and inserting 
                ``Designation of Anti-Terrorism and Cybersecurity 
                Technologies'';
                    (B) in the matter preceding paragraph (1), by 
                inserting ``and cybersecurity'' after ``anti-
                terrorism'';
                    (C) in paragraphs (3), (4), and (5), by inserting 
                ``or cybersecurity'' after ``anti-terrorism'' each 
                place it appears; and
                    (D) in paragraph (7)--
                            (i) by inserting ``or cybersecurity 
                        technology'' after ``Anti-terrorism 
                        technology''; and
                            (ii) by inserting ``or qualifying cyber 
                        incidents'' after ``acts of terrorism'';
            (2) in section 863 (6 U.S.C. 442)--
                    (A) by inserting ``or cybersecurity'' after ``anti-
                terrorism'' each place it appears;
                    (B) by inserting ``or qualifying cyber incident'' 
                after ``act of terrorism'' each place it appears; and
                    (C) by inserting ``or qualifying cyber incidents'' 
                after ``acts of terrorism'' each place it appears;
            (3) in section 864 (6 U.S.C. 443)--
                    (A) by inserting ``or cybersecurity'' after ``anti-
                terrorism'' each place it appears; and
                    (B) by inserting ``or qualifying cyber incident'' 
                after ``act of terrorism'' each place it appears; and
            (4) in section 865 (6 U.S.C. 444)--
                    (A) in paragraph (1)--
                            (i) in the heading, by inserting ``or 
                        cybersecurity'' after ``anti-terrorism'';
                            (ii) by inserting ``or cybersecurity'' 
                        after ``anti-terrorism'';
                            (iii) by inserting ``or qualifying cyber 
                        incidents'' after ``acts of terrorism''; and
                            (iv) by inserting ``or incidents'' after 
                        ``such acts''; and
                    (B) by adding at the end the following new 
                paragraph:
            ``(7) Qualifying cyber incident.--
                    ``(A) In general.--The term `qualifying cyber 
                incident' means any act that the Secretary determines 
                meets the requirements under subparagraph (B), as such 
                requirements are further defined and specified by the 
                Secretary.
                    ``(B) Requirements.--A qualifying cyber incident 
                meets the requirements of this subparagraph if--
                            ``(i) the incident is unlawful or otherwise 
                        exceeds authorized access authority;
                            ``(ii) the incident disrupts or imminently 
                        jeopardizes the integrity, operation, 
                        confidentiality, or availability of 
                        programmable electronic devices, communication 
                        networks, including hardware, software and data 
                        that are essential to their reliable operation, 
                        electronic storage devices, or any other 
                        information system, or the information that 
                        system controls, processes, stores, or 
                        transmits;
                            ``(iii) the perpetrator of the incident 
                        gains access to an information system or a 
                        network of information systems resulting in--
                                    ``(I) misappropriation or theft of 
                                data, assets, information, or 
                                intellectual property;
                                    ``(II) corruption of data, assets, 
                                information, or intellectual property;
                                    ``(III) operational disruption; or
                                    ``(IV) an adverse effect on such 
                                system or network, or the data, assets, 
                                information, or intellectual property 
                                contained therein; and
                            ``(iv) the incident causes harm inside or 
                        outside the United States that results in 
                        material levels of damage, disruption, or 
                        casualties severely affecting the United States 
                        population, infrastructure, economy, or 
                        national morale, or Federal, State, local, or 
                        tribal government functions.
                    ``(C) Rule of construction.--For purposes of clause 
                (iv) of subparagraph (B), the term `severely' includes 
                any qualifying cyber incident, whether at a local, 
                regional, state, national, international, or tribal 
                level, that affects--
                            ``(i) the United States population, 
                        infrastructure, economy, or national morale, or
                            ``(ii) Federal, State, local, or tribal 
                        government functions.''.
    (b) Funding.--Of the amounts authorized to be appropriated for each 
of fiscal years 2014, 2015, and 2016 for the Department of Homeland 
Security, the Secretary of Homeland Security is authorized to use not 
less than $20,000,000 for any such year for the Department's SAFETY Act 
Office.

SEC. 203. PROHIBITION ON NEW REGULATORY AUTHORITY.

    This Act and the amendments made by this Act (except that this 
section shall not apply in the case of section 202 of this Act and the 
amendments made by such section 202) do not--
            (1) create or authorize the issuance of any new regulations 
        or additional Federal Government regulatory authority; or
            (2) permit regulatory actions that would duplicate, 
        conflict with, or supersede regulatory requirements, mandatory 
        standards, or related processes.

SEC. 204. PROHIBITION ON ADDITIONAL AUTHORIZATION OF APPROPRIATIONS.

    No additional funds are authorized to be appropriated to carry out 
this Act and the amendments made by this Act. This Act and such 
amendments shall be carried out using amounts otherwise available for 
such purposes.

SEC. 205. PROHIBITION ON COLLECTION ACTIVITIES TO TRACK INDIVIDUALS' 
              PERSONALLY IDENTIFIABLE INFORMATION.

    Nothing in this Act shall permit the Department of Homeland 
Security to engage in the monitoring, surveillance, exfiltration, or 
other collection activities for the purpose of tracking an individual's 
personally identifiable information.

SEC. 206. CYBERSECURITY SCHOLARS.

    The Secretary of Homeland Security shall determine the feasibility 
and potential benefit of developing a visiting security researchers 
program from academia, including cybersecurity scholars at the 
Department of Homeland Security's Centers of Excellence, as designated 
by the Secretary, to enhance knowledge with respect to the unique 
challenges of addressing cyber threats to critical infrastructure. 
Eligible candidates shall possess necessary security clearances and 
have a history of working with Federal agencies in matters of national 
or domestic security.

SEC. 207. NATIONAL RESEARCH COUNCIL STUDY ON THE RESILIENCE AND 
              RELIABILITY OF THE NATION'S POWER GRID.

    (a) Independent Study.--Not later than 60 days after the date of 
the enactment of this Act, the Secretary of Homeland Security, in 
coordination with the heads of other departments and agencies, as 
necessary, shall enter into an agreement with the National Research 
Council to conduct research of the future resilience and reliability of 
the Nation's electric power transmission and distribution system. The 
research under this subsection shall be known as the ``Saving More 
American Resources Today Study'' or the ``SMART Study''. In conducting 
such research, the National Research Council shall--
            (1) research the options for improving the Nation's ability 
        to expand and strengthen the capabilities of the Nation's power 
        grid, including estimation of the cost, time scale for 
        implementation, and identification of the scale and scope of 
        any potential significant health and environmental impacts;
            (2) consider the forces affecting the grid, including 
        technical, economic, regulatory, environmental, and 
        geopolitical factors, and how such forces are likely to 
        affect--
                    (A) the efficiency, control, reliability and 
                robustness of operation;
                    (B) the ability of the grid to recover from 
                disruptions, including natural disasters and terrorist 
                attacks;
                    (C) the ability of the grid to incorporate greater 
                reliance on distributed and intermittent power 
                generation and electricity storage;
                    (D) the ability of the grid to adapt to changing 
                patterns of demand for electricity; and
                    (E) the economic and regulatory factors affecting 
                the evolution of the grid;
            (3) review Federal, State, industry, and academic research 
        and development programs and identify technological options 
        that could improve the future grid;
            (4) review studies and analyses prepared by the North 
        American Electric Reliability Corporation (NERC) regarding the 
        future resilience and reliability of the grid;
            (5) review the implications of increased reliance on 
        digital information and control of the power grid for improving 
        reliability, resilience, and congestion and for potentially 
        increasing vulnerability to cyber attack;
            (6) review regulatory, industry, and institutional factors 
        and programs affecting the future of the grid;
            (7) research the costs and benefits, as well as the 
        strengths and weaknesses, of the options identified under 
        paragraph (1) to address the emerging forces described in 
        paragraph (2) that are shaping the grid;
            (8) identify the barriers to realizing the options 
        identified and suggest strategies for overcoming those barriers 
        including suggested actions, priorities, incentives, and 
        possible legislative and executive actions; and
            (9) research the ability of the grid to integrate existing 
        and future infrastructure, including utilities, 
        telecommunications lines, highways, and other critical 
        infrastructure.
    (b) Cooperation and Access to Information and Personnel.--The 
Secretary shall ensure that the National Research Council receives full 
and timely cooperation, including full access to information and 
personnel, from the Department of Homeland Security, the Department of 
Energy, including the management and operating components of the 
Departments, and other Federal departments and agencies, as necessary, 
for the purposes of conducting the study described in subsection (a).
    (c) Report.--
            (1) In general.--Not later than 18 months from the date on 
        which the Secretary enters into the agreement with the National 
        Research Council described in subsection (a), the National 
        Research Council shall submit to the Secretary and the 
        Committee on Homeland Security and the Committee on Energy and 
        Commerce of the House of Representatives and the Committee on 
        Homeland Security and Governmental Affairs and the Committee on 
        Energy and Natural Resources of the Senate a report containing 
        the findings of the research required by that subsection.
            (2) Form of report.--The report under paragraph (1) shall 
        be submitted in unclassified form, but may include a classified 
        annex.
    (d) Funding.--Of the amounts authorized to be appropriated for 2014 
for the Department of Homeland Security, the Secretary of Homeland 
Security is authorized to obligate and expend not more than $2,000,000 
for the National Research Council report.

          TITLE III--HOMELAND SECURITY CYBERSECURITY WORKFORCE

SEC. 301. HOMELAND SECURITY CYBERSECURITY WORKFORCE.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002, as amended by sections 101, 102, 103, 104, 105, and 201, 
is further amended by adding at the end the following new section:

``SEC. 230A. CYBERSECURITY OCCUPATION CATEGORIES, WORKFORCE ASSESSMENT, 
              AND STRATEGY.

    ``(a) Short Title.--This section may be cited as the `Homeland 
Security Cybersecurity Boots-on-the-Ground Act'.
    ``(b) Cybersecurity Occupation Categories.--
            ``(1) In general.--Not later than 90 days after the date of 
        the enactment of this section, the Secretary shall develop and 
        issue comprehensive occupation categories for individuals 
        performing activities in furtherance of the cybersecurity 
        mission of the Department.
            ``(2) Applicability.--The Secretary shall ensure that the 
        comprehensive occupation categories issued under paragraph (1) 
        are used throughout the Department and are made available to 
        other Federal agencies.
    ``(c) Cybersecurity Workforce Assessment.--
            ``(1) In general.--Not later than 180 days after the date 
        of the enactment of this section and annually thereafter, the 
        Secretary shall assess the readiness and capacity of the 
        workforce of the Department to meet its cybersecurity mission.
            ``(2) Contents.--The assessment required under paragraph 
        (1) shall, at a minimum, include the following:
                    ``(A) Information where cybersecurity positions are 
                located within the Department, specified in accordance 
                with the cybersecurity occupation categories issued 
                under subsection (b).
                    ``(B) Information on which cybersecurity positions 
                are--
                            ``(i) performed by--
                                    ``(I) permanent full time 
                                departmental employees, together with 
                                demographic information about such 
                                employees' race, ethnicity, gender, 
                                disability status, and veterans status;
                                    ``(II) individuals employed by 
                                independent contractors; and
                                    ``(III) individuals employed by 
                                other Federal agencies, including the 
                                National Security Agency; and
                            ``(ii) vacant.
                    ``(C) The number of individuals hired by the 
                Department pursuant to the authority granted to the 
                Secretary in 2009 to permit the Secretary to fill 1,000 
                cybersecurity positions across the Department over a 
                three year period, and information on what challenges, 
                if any, were encountered with respect to the 
                implementation of such authority.
                    ``(D) Information on vacancies within the 
                Department's cybersecurity supervisory workforce, from 
                first line supervisory positions through senior 
                departmental cybersecurity positions.
                    ``(E) Information on the percentage of individuals 
                within each cybersecurity occupation category who 
                received essential training to perform their jobs, and 
                in cases in which such training is not received, 
                information on what challenges, if any, were 
                encountered with respect to the provision of such 
                training.
                    ``(F) Information on recruiting costs incurred with 
                respect to efforts to fill cybersecurity positions 
                across the Department in a manner that allows for 
                tracking of overall recruiting and identifying areas 
                for better coordination and leveraging of resources 
                within the Department.
    ``(d) Workforce Strategy.--
            ``(1) In general.--Not later than 180 days after the date 
        of the enactment of this section, the Secretary shall develop, 
        maintain, and, as necessary, update, a comprehensive workforce 
        strategy that enhances the readiness, capacity, training, 
        recruitment, and retention of the cybersecurity workforce of 
        the Department.
            ``(2) Contents.--The comprehensive workforce strategy 
        developed under paragraph (1) shall include--
                    ``(A) a multiphased recruitment plan, including 
                relating to experienced professionals, members of 
                disadvantaged or underserved communities, the 
                unemployed, and veterans;
                    ``(B) a 5-year implementation plan;
                    ``(C) a 10-year projection of the Department's 
                cybersecurity workforce needs; and
                    ``(D) obstacles impeding the hiring and development 
                of a cybersecurity workforce at the Department.
    ``(e) Information Security Training.--Not later than 270 days after 
the date of the enactment of this section, the Secretary shall 
establish and maintain a process to verify on an ongoing basis that 
individuals employed by independent contractors who serve in 
cybersecurity positions at the Department receive initial and recurrent 
information security training comprised of general security awareness 
training necessary to perform their job functions, and role-based 
security training that is commensurate with assigned responsibilities. 
The Secretary shall maintain documentation to ensure that training 
provided to an individual under this subsection meets or exceeds 
requirements for such individual's job function.
    ``(f) Updates.--The Secretary shall submit to the appropriate 
congressional committees annual updates regarding the cybersecurity 
workforce assessment required under subsection (c), information on the 
progress of carrying out the comprehensive workforce strategy developed 
under subsection (d), and information on the status of the 
implementation of the information security training required under 
subsection (e).
    ``(g) GAO Study.--The Secretary shall provide the Comptroller 
General of the United States with information on the cybersecurity 
workforce assessment required under subsection (c) and progress on 
carrying out the comprehensive workforce strategy developed under 
subsection (d). The Comptroller General shall submit to the Secretary 
and the appropriate congressional committees a study on such assessment 
and strategy.
    ``(h) Cybersecurity Fellowship Program.--Not later than 120 days 
after the date of the enactment of this section, the Secretary shall 
submit to the appropriate congressional committees a report on the 
feasibility of establishing a Cybersecurity Fellowship Program to offer 
a tuition payment plan for undergraduate and doctoral candidates who 
agree to work for the Department for an agreed-upon period of time.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by adding after the item relating to section 230 
(as added by section 201) the following new item:

``Sec. 230A. Cybersecurity occupation categories, workforce assessment, 
                            and strategy.''.

SEC. 302. PERSONNEL AUTHORITIES.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002, as amended by sections 101, 102, 103, 104, 105, 106, 201, 
and 301 is further amended by adding at the end the following new 
section:

``SEC. 230B. PERSONNEL AUTHORITIES.

    ``(a) In General.--
            ``(1) Personnel authorities.--The Secretary may exercise 
        with respect to qualified employees of the Department the same 
        authority that the Secretary of Defense has with respect to 
        civilian intelligence personnel and the scholarship program 
        under sections 1601, 1602, 1603, and 2200a of title 10, United 
        States Code, to establish as positions in the excepted service, 
        appoint individuals to such positions, fix pay, and pay a 
        retention bonus to any employee appointed under this section if 
        the Secretary determines that such is needed to retain 
        essential personnel. Before announcing the payment of a bonus 
        under this paragraph, the Secretary shall submit to the 
        Committee on Homeland Security of the House of Representatives 
        and the Committee on Homeland Security and Governmental Affairs 
        of the Senate a written explanation of such determination. Such 
        authority shall be exercised--
                    ``(A) to the same extent and subject to the same 
                conditions and limitations that the Secretary of 
                Defense may exercise such authority with respect to 
                civilian intelligence personnel of the Department of 
                Defense; and
                    ``(B) in a manner consistent with the merit system 
                principles set forth in section 2301 of title 5, United 
                States Code.
            ``(2) Civil service protections.--Sections 1221 and 2302, 
        and chapter 75 of title 5, United States Code, shall apply to 
        the positions established pursuant to the authorities provided 
        under paragraph (1).
            ``(3) Plan for execution of authorities.--Not later than 
        120 days after the date of the enactment of this section, the 
        Secretary shall submit to the Committee on Homeland Security of 
        the House of Representatives and the Committee on Homeland 
        Security and Governmental Affairs of the Senate a report that 
        contains a plan for the use of the authorities provided under 
        this subsection.
    ``(b) Annual Report.--Not later than one year after the date of the 
enactment of this section and annually thereafter for four years, the 
Secretary shall submit to the Committee on Homeland Security of the 
House of Representatives and the Committee on Homeland Security and 
Governmental Affairs of the Senate a detailed report (including 
appropriate metrics on actions occurring during the reporting period) 
that discusses the processes used by the Secretary in implementing this 
section and accepting applications, assessing candidates, ensuring 
adherence to veterans' preference, and selecting applicants for 
vacancies to be filled by a qualified employee.
    ``(c) Definition of Qualified Employee.--In this section, the term 
`qualified employee' means an employee who performs functions relating 
to the security of Federal civilian information systems, critical 
infrastructure information systems, or networks of either of such 
systems.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by adding after the item relating to section 230A 
(as added by section 301) the following new item:

``Sec. 230B. Personnel authorities.''.

            Passed the House of Representatives July 28, 2014.

            Attest:

                                                                 Clerk.