[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3696 Introduced in House (IH)]
113th CONGRESS
1st Session
H. R. 3696
To amend the Homeland Security Act of 2002 to make certain improvements
regarding cybersecurity and critical infrastructure protection, and for
other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
December 11, 2013
Mr. McCaul (for himself, Mr. Meehan, Mr. Thompson of Mississippi, and
Ms. Clarke) introduced the following bill; which was referred to the
Committee on Homeland Security, and in addition to the Committees on
Science, Space, and Technology and Oversight and Government Reform, for
a period to be subsequently determined by the Speaker, in each case for
consideration of such provisions as fall within the jurisdiction of the
committee concerned
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to make certain improvements
regarding cybersecurity and critical infrastructure protection, and for
other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Cybersecurity and Critical
Infrastructure Protection Act of 2013''.
SEC. 2. TABLE OF CONTENTS.
The table of contents for this Act is as follows:
Sec. 1. Short title.
Sec. 2. Table of contents.
TITLE I--SECURING THE NATION AGAINST CYBER ATTACK
Sec. 101. Homeland Security Act of 2002 definitions.
Sec. 102. Enhancement of cybersecurity.
Sec. 103. Protection of critical infrastructure and information
sharing.
Sec. 104. National Cybersecurity and Communications Integration Center.
Sec. 105. Cyber incident response and technical assistance.
Sec. 106. Assessment of cybersecurity workforce.
Sec. 107. Personnel authorities.
Sec. 108. Streamlining of Department cybersecurity organization.
TITLE II--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
Sec. 201. Public-private collaboration on cybersecurity.
Sec. 202. SAFETY Act and qualifying cyber incidents.
Sec. 203. Prohibition on new regulatory authority.
Sec. 204. Prohibition on additional authorization of appropriations.
TITLE I--SECURING THE NATION AGAINST CYBER ATTACK
SEC. 101. HOMELAND SECURITY ACT OF 2002 DEFINITIONS.
Section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101) is
amended by adding at the end the following new paragraphs:
``(19) The term `critical infrastructure' has the meaning
given that term in section 1016(e) of the USA Patriot Act (42
U.S.C. 5195c(e)).
``(20) The term `critical infrastructure owner' means a
person that owns critical infrastructure.
``(21) The term `critical infrastructure operator' means a
critical infrastructure owner or other person that manages,
runs, or operates, in whole or in part, the day-to-day
operations of critical infrastructure.
``(22) The term `cyber incident' means an incident
resulting in, or an attempt to cause an incident that, if
successful, would--
``(A) jeopardize or imminently jeopardize, without
lawful authority, the security, integrity,
confidentiality, or availability of an information
system or network of information systems or any
information stored on, processed on, or transiting such
a system;
``(B) constitute a violation or imminent threat of
violation of law, security policies, security
procedures, or acceptable use policies related to an
information system or network of information systems,
or an act of terrorism against an information system or
network of information systems; or
``(C) result in the denial of access to or
degradation, disruption, or destruction of an
information system or network of information systems,
or the defeat of an operations control or technical
control essential to the security or operation of an
information system or network of information systems.
``(23) The term `cybersecurity provider' means a non-
Federal entity that provides goods or services intended to be
used for cybersecurity purposes.
``(24) The term `cybersecurity purpose' means the purpose
of ensuring the security, integrity, confidentiality, or
availability of, or safeguarding, an information system or
network of information systems, including protecting an
information system or network of information systems, or data
residing on an information system or network of information
systems, including protection of an information system or
network of information systems, from--
``(A) a vulnerability of an information system or
network of information systems;
``(B) a threat to the security, integrity,
confidentiality, or availability of an information
system or network of information systems, or any
information stored on, processed on, or transiting such
a system or network;
``(C) efforts to deny access to or degrade,
disrupt, or destroy an information system or network of
information systems; or
``(D) efforts to gain unauthorized access to an
information system or network of information systems,
including to gain such unauthorized access for the
purpose of exfiltrating information stored on,
processed on, or transiting such a system or network.
``(25) The term `cybersecurity system' means a system
designed or employed to ensure the security, integrity,
confidentiality, or availability of, or safeguard, an
information system or network of information systems, including
protecting such a system or network from--
``(A) a vulnerability of an information system or
network of information systems;
``(B) a threat to the security, integrity,
confidentiality, or availability of an information
system or network of information systems or any
information stored on, processed on, or transiting such
a system or network;
``(C) efforts to deny access to or degrade,
disrupt, or destroy an information system or network of
information systems of a private entity; or
``(D) efforts to gain unauthorized access to an
information system or network of information systems,
including to gain such unauthorized access for the
purpose of exfiltrating information stored on,
processed on, or transiting such a system or network.
``(26) The term `cyber threat' means any action that may
result in unauthorized access to, exfiltration of, manipulation
of, harm of, or impairment to the security, integrity,
confidentiality, or availability of an information system or
network of information systems, or information that is stored
on, processed by, or transiting an information system or
network of information systems.
``(27) The term `cyber threat information' means
information directly pertaining to--
``(A) a vulnerability of an information system or
network of information systems of a government or
private entity;
``(B) a threat to the security, integrity,
confidentiality, or availability of an information
system or network of information systems of a
government or private entity or any information stored
on, processed on, or transiting such a system or
network;
``(C) efforts to deny access to or degrade,
disrupt, or destroy an information system or network of
information systems of a government or private entity;
``(D) efforts to gain unauthorized access to an
information system or network of information systems of
a government or private entity, including to gain such
unauthorized access for the purpose of exfiltrating
information stored on, processed on, or transiting such
a system or network; or
``(E) an act of terrorism against an information
system or network of information systems.
``(28) The term `Federal civilian information systems'--
``(A) means information, information systems, and
networks of information systems that are owned,
operated, controlled, or licensed for use by, or on
behalf of, any Federal agency, including information
systems or networks of information systems used or
operated by another entity on behalf of a Federal
agency; but
``(B) does not include--
``(i) a national security system; or
``(ii) information, information systems,
and networks of information systems that are
owned, operated, controlled, or licensed solely
for use by, or on behalf of, the Department of
Defense, a military department, or an element
of the intelligence community.
``(29) The term `information security' means the protection
of information, information systems, and networks of
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to provide--
``(A) integrity, including guarding against
improper information modification or destruction,
including ensuring nonrepudiation and authenticity;
``(B) confidentiality, including preserving
authorized restrictions on access and disclosure,
including means for protecting personal privacy and
proprietary information; and
``(C) availability, including ensuring timely and
reliable access to and use of information.
``(30) The term `information system' means the underlying
framework and functions used to process, transmit, receive, or
store information electronically, including programmable
electronic devices, communications networks, and industrial or
supervisory control systems and any associated hardware,
software, or data.
``(31) The term `private entity' means any individual or
any private or publicly-traded company, public or private
utility, organization, or corporation, including an officer,
employee, or agent thereof.
``(32) The term `protected private entity' means an entity,
other than an individual, that enters into a contract with a
cybersecurity provider for goods and services to be used for
cybersecurity purposes.
``(33) The term `shared situational awareness' means an
environment in which cyber threat information is shared in real
time between all designated Federal cyber operations centers to
provide actionable information about all known cyber
threats.''.
SEC. 102. ENHANCEMENT OF CYBERSECURITY.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002 is amended by adding at the end the following new section:
``SEC. 226. ENHANCEMENT OF CYBERSECURITY.
``The Secretary, in collaboration with the heads of other
appropriate Federal Government entities, shall conduct activities for
cybersecurity purposes, including the provision of shared situational
awareness to each other to enable real-time, integrated, and
operational actions to protect from, prevent, mitigate, respond to, and
recover from cyber incidents.''.
(b) Clerical Amendments.--
(1) Subtitle heading.--The heading for subtitle C of title
II of such Act is amended to read as follows:
``Subtitle C--Cybersecurity and Information Sharing''.
(2) Table of contents.--The table of contents in section
1(b) of such Act is amended--
(A) by adding after the item relating to section
225 the following new item:
``Sec. 226. Enhancement of cybersecurity.'';
and
(B) by striking the item relating to subtitle C of
title II and inserting the following new item:
``Subtitle C--Cybersecurity and Information Sharing''.
SEC. 103. PROTECTION OF CRITICAL INFRASTRUCTURE AND INFORMATION
SHARING.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002, as amended by section 102, is further amended by adding at
the end the following new section:
``SEC. 227. PROTECTION OF CRITICAL INFRASTRUCTURE AND INFORMATION
SHARING.
``(a) Protection of Critical Infrastructure.--
``(1) In general.--The Secretary shall coordinate, on an
ongoing basis, with Federal, State, and local governments,
critical infrastructure owners, critical infrastructure
operators, and other cross sector coordinating entities to--
``(A) facilitate a national effort to strengthen
and maintain secure, functioning, and resilient
critical infrastructure from cyber threats;
``(B) ensure that Department policies and
procedures enable critical infrastructure owners and
critical infrastructure operators to receive real-time,
actionable, and relevant cyber threat information;
``(C) seek industry sector-specific expertise to--
``(i) assist in the development of
voluntary security and resiliency strategies;
and
``(ii) ensure that the allocation of
Federal resources is cost effective and reduces
any burden on critical infrastructure owners
and critical infrastructure operators;
``(D) upon request, facilitate and assist risk
management efforts of entities to reduce
vulnerabilities, identify and disrupt threats, and
minimize consequences to their critical infrastructure;
``(E) upon request, provide education and
assistance to critical infrastructure owners and
critical infrastructure operators on how they may use
protective measures and countermeasures to strengthen
the security and resilience of the Nation's critical
infrastructure; and
``(F) coordinate a research and development
strategy to facilitate and promote advancements and
innovation in cybersecurity technologies to protect
critical infrastructure.
``(2) Additional responsibilities.--The Secretary shall--
``(A) manage Federal efforts to secure, protect,
and ensure the resiliency of Federal civilian
information systems, and, upon request, support
critical infrastructure owners' and critical
infrastructure operators' efforts to secure, protect,
and ensure the resiliency of critical infrastructure
from cyber threats;
``(B) direct an entity within the Department to
serve as a Federal civilian entity by and among
Federal, State, and local governments, private
entities, and critical infrastructure sectors to
provide multi-directional sharing of real-time,
actionable, and relevant cyber threat information;
``(C) promote a national awareness effort to
educate the general public on the importance of
securing information systems;
``(D) upon request, facilitate expeditious cyber
incident response and recovery assistance, and provide
analysis and warnings related to threats to and
vulnerabilities of critical information systems, crisis
and consequence management support, and other remote or
on-site technical assistance with the heads of other
appropriate Federal agencies to Federal, State, and
local government entities and private entities for
cyber incidents affecting critical infrastructure; and
``(E) engage with international partners to
strengthen the security and resilience of domestic
critical infrastructure and critical infrastructure
located outside of the United States upon which the
United States depends.
``(3) Rule of construction.--Nothing in this section may be
construed to require any private entity to request assistance
from the Secretary, or require any private entity requesting
such assistance to implement any measure or recommendation
suggested by the Secretary.
``(b) Critical Infrastructure Sectors.--The Secretary, in
collaboration with the heads of other appropriate Federal agencies,
shall designate critical infrastructure sectors (that may include
subdivisions of sectors within a sector as the Secretary may determine
appropriate). The critical infrastructure sectors designated under this
subsection may include the following:
``(1) Chemical.
``(2) Commercial facilities.
``(3) Communications.
``(4) Critical manufacturing.
``(5) Dams.
``(6) Defense Industrial Base.
``(7) Emergency services.
``(8) Energy.
``(9) Financial services.
``(10) Food and agriculture.
``(11) Government facilities.
``(12) Healthcare and public health.
``(13) Information technology.
``(14) Nuclear reactors, materials, and waste.
``(15) Transportation systems.
``(16) Water and wastewater systems.
``(17) Such other sectors as the Secretary determines
appropriate.
``(c) Sector Specific Agencies.--The Secretary, in collaboration
with the relevant critical infrastructure sector and the heads of other
appropriate Federal agencies, shall recognize the Federal agency
designated as of November 1, 2013, as the `Sector Specific Agency' for
each critical infrastructure sector designated under subsection (b). If
the designated Sector Specific Agency for a particular critical
infrastructure sector is the Department, for the purposes of this
section, the Secretary shall carry out this section. The Secretary, in
coordination with the heads of each such Sector Specific Agency shall--
``(1) support the security and resilience activities of the
relevant critical infrastructure sector in accordance with this
subtitle; and
``(2) provide institutional knowledge and specialized
expertise to the relevant critical infrastructure sector.
``(d) Sector Coordinating Councils.--
``(1) Recognition.--The Secretary, in collaboration with
each critical infrastructure sector and the relevant Sector
Specific Agency, shall recognize the Sector Coordinating
Council for each critical infrastructure sector designated
under subsection (b) to coordinate with each such sector on
security and resilience activities and emergency response and
recovery efforts.
``(2) Membership.--
``(A) In general.--The Sector Coordinating Council
for a critical infrastructure sector designated under
subsection (b) shall--
``(i) be comprised exclusively of relevant
critical infrastructure owners, critical
infrastructure operators, private entities, and
representative trade associations for the
sector;
``(ii) reflect the unique composition of
each sector; and
``(iii) include relevant small, medium, and
large critical infrastructure owners, critical
infrastructure operators, private entities, and
representative trade associations for the
sector.
``(B) Prohibition.--No government entity with
regulating authority shall be a member of the Sector
Coordinating Council.
``(3) Roles and responsibilities.--The Sector Coordinating
Council for a critical infrastructure sector shall--
``(A) serve as a self-governing, self-organized
primary policy, planning, and strategic communications
entity for coordinating with the Department, the
relevant Sector-Specific Agency designated under
subsection (c), and the relevant Information Sharing
and Analysis Centers under subsection (e) on security
and resilience activities and emergency response and
recovery efforts;
``(B) establish governance and operating
procedures, and designate a chairperson for the sector
to carry out the activities described in this
subsection;
``(C) coordinate with the Department, the relevant
Information Sharing and Analysis Centers under
subsection (e), and other Sector Coordinating Councils
to update, maintain, and exercise the National
Cybersecurity Incident Response Plan in accordance with
section 229(b); and
``(D) provide any recommendations to the Department
on infrastructure protection technology gaps to help
inform research and development efforts at the
Department.
``(e) Sector Information Sharing and Analysis Centers.--
``(1) Recognition.--The Secretary, in collaboration with
the relevant Sector Coordinating Council and the critical
infrastructure sector represented by such Council, and in
coordination with the relevant Sector Specific Agency, shall
recognize at least one Information Sharing and Analysis Center
for each critical infrastructure sector designated under
subsection (b) for purposes of paragraph (3). No other
Information Sharing and Analysis Organizations, including
Information Sharing and Analysis Centers, may be precluded from
having an information sharing relationship within the National
Cybersecurity and Communications Integration Center established
pursuant to section 228. Nothing in this subsection or any
other provision of this subtitle may be construed to limit,
restrict, or condition any private entity or activity utilized
by, among, or between private entities.
``(2) Roles and responsibilities.--In addition to such
other activities as may be authorized by law, at least one
Information Sharing and Analysis Center for a critical
infrastructure sector shall--
``(A) serve as an information sharing resource for
such sector and promote ongoing multi-directional
sharing of real-time, relevant, and actionable cyber
threat information and analysis by and among such
sector, the Department, the relevant Sector Specific
Agency, and other critical infrastructure sector
Information Sharing and Analysis Centers;
``(B) establish governance and operating procedures
to carry out the activities conducted under this
subsection;
``(C) serve as an emergency response and recovery
operations coordination point for such sector, and upon
request, facilitate cyber incident response
capabilities in coordination with the Department, the
relevant Sector Specific Agency and the relevant Sector
Coordinating Council;
``(D) facilitate cross-sector coordination and
sharing of cyber threat information to prevent related
or consequential impacts to other critical
infrastructure sectors;
``(E) coordinate with the Department, the relevant
Sector Coordinating Council, the relevant Sector
Specific Agency, and other critical infrastructure
sector Information Sharing and Analysis Centers on the
development, integration, and implementation of
procedures to support technology neutral, real-time
information sharing capabilities and mechanisms within
the National Cybersecurity and Communications
Integration Center established pursuant to section 228,
including--
``(i) the establishment of a mechanism to
voluntarily report identified vulnerabilities
and opportunities for improvement;
``(ii) the establishment of metrics to
assess the effectiveness and timeliness of the
Department's and Information Sharing and
Analysis Centers' information sharing
capabilities; and
``(iii) the establishment of a mechanism
for anonymous suggestions and comments;
``(F) implement an integration and analysis
function to inform sector planning, risk mitigation,
and operational activities regarding the protection of
each critical infrastructure sector from cyber
incidents;
``(G) combine consequence, vulnerability, and
threat information to share actionable assessments of
critical infrastructure sector risks from cyber
incidents;
``(H) coordinate with the Department, the relevant
Sector Specific Agency, and the relevant Sector
Coordinating Council to update, maintain, and exercise
the National Cybersecurity Incident Response Plan in
accordance with section 229(b); and
``(I) safeguard cyber threat information from
unauthorized disclosure.
``(3) Funding.--Of the amounts authorized to be
appropriated for each of fiscal years 2014, 2015, and 2016 for
the Cybersecurity and Communications Office of the Department,
the Secretary is authorized to use not less than $25,000,000
for any such year for operations support at the National
Cybersecurity and Communications Integration Center established
under section 228(a) of all recognized Information Sharing and
Analysis Centers under paragraph (1) of this subsection.
``(f) Clearances.--The Secretary shall expedite the processing of
security clearances under Executive Order 13549 or successor orders to
appropriate members of the Sector Coordinating Councils and the
critical infrastructure sector Information Sharing and Analysis
Centers.
``(g) Public-Private Collaboration.--The Secretary, in
collaboration with the critical infrastructure sectors designated under
subsection (b), such sectors' Sector Specific Agencies recognized under
subsection (c), and the Sector Coordinating Councils recognized under
subsection (d), shall--
``(1) conduct an analysis and review of the existing
public-private partnership model and evaluate how the model
between the Department and critical infrastructure owners and
critical infrastructure operators can be improved to ensure the
Department, critical infrastructure owners, and critical
infrastructure operators are equal partners and regularly
collaborate on all programs and activities of the Department to
protect critical infrastructure;
``(2) develop procedures to ensure continuous,
collaborative, and effective interactions between the
Department, critical infrastructure owners, and critical
infrastructure operators; and
``(3) ensure critical infrastructure sectors have a
reasonable period for review and comment of all jointly
produced materials with the Department.
``(h) Protection of Federal Civilian Information Systems.--
``(1) In general.--The Secretary shall administer the
operational information security activities and functions to
protect and ensure the resiliency of all Federal civilian
information systems.
``(2) Roles and responsibilities.--The Secretary, in
coordination with the heads of other Federal civilian agencies,
shall--
``(A) develop, issue, and oversee the
implementation and compliance of all operational
information security policies and procedures to protect
and ensure the resiliency of Federal civilian
information systems;
``(B) administer Federal Government-wide efforts to
develop and provide adequate, risk-based, cost-
effective, and technology neutral information security
capabilities;
``(C) establish and sustain continuous diagnostics
systems for Federal civilian information systems to
aggregate data and identify and prioritize the
mitigation of cyber vulnerabilities in such systems for
cybersecurity purposes;
``(D) develop, acquire, and operate an integrated
and consolidated system of intrusion detection,
analytics, intrusion prevention, and other information
sharing and protective capabilities to defend Federal
civilian information systems from cyber threats;
``(E) develop and conduct targeted risk assessments
and operational evaluations of Federal civilian
information systems, in consultation with government
and private entities that own and operate such
information systems, including threat, vulnerability,
and impact assessments and penetration testing;
``(F) develop and provide technical assistance and
cyber incident response capabilities to secure and
ensure the resilience of Federal civilian information
systems;
``(G) review annually the operational information
security activities and functions of each of the
Federal civilian agencies;
``(H) develop minimum technology neutral
operational requirements for network and security
operations centers to facilitate the protection of all
Federal civilian information systems;
``(I) develop reporting requirements, consistent
with relevant law, to ensure the National Cybersecurity
and Communications Integration Center established
pursuant to section 228 receives all actionable cyber
threat information identified on Federal civilian
information systems;
``(J) develop technology neutral performance
requirements and metrics for the security of Federal
civilian information systems;
``(K) implement training requirements that include
industry recognized certifications to ensure that
Federal civilian agencies are able to fully and timely
comply with policies and procedures issued by the
Secretary under this subsection; and
``(L) develop training requirements regarding
privacy, civil rights, civil liberties, and information
oversight for information security employees who
operate Federal civilian information systems.
``(3) Use of certain communications.--
``(A) In general.--The Secretary may enter into
contracts or other agreements, or otherwise request and
obtain, in accordance with applicable law, the
assistance of private entities that provide electronic
communication services, remote computing services, or
cybersecurity services to acquire, intercept, retain,
use, and disclose communications and other system
traffic, deploy countermeasures, or otherwise operate
protective capabilities in accordance with
subparagraphs (C), (D), (E), and (F) of paragraph (2).
No cause of action shall exist against private entities
for assistance provided to the Secretary in accordance
with this subsection.
``(B) Rule of construction.--Nothing in
subparagraph (A) may be construed to--
``(i) require or compel any private entity
to enter into a contract or agreement described
in such subparagraph; or
``(ii) authorize the Secretary to take any
action with respect to any communications or
system traffic transiting or residing on any
information system or network of information
systems other than a Federal civilian
information system.
``(i) Rule of Construction.--No provision of this title may be
construed as modifying, limiting, or otherwise affecting the authority
of any other Federal agency under any other provision of law.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
such Act is amended by adding at the end of the items relating to such
subtitle the following new item:
``Sec. 227. Protection of critical infrastructure and information
sharing.''.
SEC. 104. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002, as amended by sections 102 and 103, is further amended by
adding at the end the following new section:
``SEC. 228. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION
CENTER.
``(a) Establishment.--There is established in the Department the
National Cybersecurity and Communications Integration Center (referred
to in this section as the `Center'), which shall be a Federal civilian
information sharing interface that provides shared situational
awareness to enable real-time, integrated, and operational actions
across the Federal Government, and share cyber threat information by
and among Federal, State, and local government entities, Information
Sharing and Analysis Centers, private entities, and critical
infrastructure owners and critical infrastructure operators that have
an information sharing relationship with the Center.
``(b) Composition.--The Center shall include each of the following
entities:
``(1) At least one Information Sharing and Analysis Center
established under section 227(e) for each critical
infrastructure sector.
``(2) The Multi-State Information Sharing and Analysis
Center to collaborate with State and local governments.
``(3) The United States Computer Emergency Readiness Team
to coordinate cyber threat information sharing, proactively
manage cyber risks to the United States, collaboratively
respond to cyber incidents, provide technical assistance to
information system owners and operators, and disseminate timely
notifications regarding current and potential cyber threats and
vulnerabilities.
``(4) The Industrial Control System Cyber Emergency
Response Team to coordinate with industrial control systems
owners and operators and share industrial control systems-
related security incidents and mitigation measures.
``(5) The National Coordinating Center for
Telecommunications to coordinate the protection, response, and
recovery of national security emergency communications.
``(6) Such other Federal, State, and local government
entities, private entities, organizations, or individuals as
the Secretary may consider appropriate that agree to be
included.
``(c) Cyber Incident.--In the event of a cyber incident, the
Secretary may grant the entities referred to in subsection (a)
immediate temporary access to the Center as a situation may warrant.
``(d) Roles and Responsibilities.--The Center shall--
``(1) promote ongoing multi-directional sharing by and
among the entities referred to in subsection (a) of timely and
actionable cyber threat information and analysis on a real-time
basis that includes emerging trends, evolving threats, incident
reports, intelligence information, risk assessments, and best
practices;
``(2) coordinate with other Federal agencies to streamline
and reduce redundant reporting of cyber threat information;
``(3) provide, upon request, timely technical assistance
and crisis management support to Federal, State, and local
government entities and private entities that own or operate
information systems or networks of information systems to
protect from, prevent, mitigate, respond to, and recover from
cyber incidents;
``(4) facilitate cross-sector coordination and sharing of
cyber threat information to prevent related or consequential
impacts to other critical infrastructure sectors;
``(5) collaborate with the Sector Coordinating Councils,
Information Sharing and Analysis Centers, Sector Specific
Agencies, and the relevant critical infrastructure sectors on
the development and implementation of procedures to support
technology neutral real-time information sharing capabilities
and mechanisms;
``(6) collaborate with the Sector Coordinating Councils,
Information Sharing and Analysis Centers, Sector Specific
Agencies, and the relevant critical infrastructure sectors to
identify requirements for data and information formats and
accessibility, system interoperability, and redundant systems
and alternative capabilities in the event of a disruption in
the primary information sharing capabilities and mechanisms at
the Center;
``(7) within the scope of relevant treaties, cooperate with
international partners to share information and respond to
cyber incidents;
``(8) safeguard sensitive cyber threat information from
unauthorized disclosure;
``(9) require other Federal civilian agencies to--
``(A) send reports and information to the Center
about cyber incidents, threats, and vulnerabilities
affecting Federal civilian information systems and
critical infrastructure systems and, in the event a
private vendor product or service of such an agency is
so implicated, the Center shall first notify such
private vendor of the vulnerability before further
disclosing such information;
``(B) provide to the Center cyber incident
detection, analysis, mitigation, and response
information; and
``(C) immediately send and disclose to the Center
cyber threat information received by such agencies; and
``(10) perform such other duties as the Secretary may
require to facilitate a national effort to strengthen and
maintain secure, functioning, and resilient critical
infrastructure from cyber threats.
``(e) Integration and Analysis.--The Center shall maintain an
integration and analysis function, which shall--
``(1) integrate and analyze all cyber threat information
received from other Federal agencies, State and local
governments, Information Sharing and Analysis Centers, private
entities, critical infrastructure owners, and critical
infrastructure operators, and share relevant information in
near real-time;
``(2) on an ongoing basis, assess and evaluate consequence,
vulnerability, and threat information to share with the
entities referred to in subsection (a) actionable assessments
of critical infrastructure sector risks from cyber incidents
and to assist critical infrastructure owners and critical
infrastructure operators by making recommendations to
facilitate continuous improvements to the security and
resiliency of the critical infrastructure of the United States;
``(3) facilitate cross-sector integration, identification,
and analysis of key interdependencies to prevent related or
consequential impacts to other critical infrastructure sectors;
and
``(4) collaborate with the Information Sharing and Analysis
Centers to tailor the analysis of information to the specific
characteristics and risk to a relevant critical infrastructure
sector.
``(f) Report of Cyber Attacks Against Federal Government
Networks.--The Secretary shall submit to the Committee on Homeland
Security of the House of Representatives, the Committee on Homeland
Security and Governmental Affairs of the Senate, and the Comptroller
General of the United States an annual report that summarizes major
cyber incidents involving Federal civilian agency information systems
and provides aggregate statistics on the number of breaches, the volume
of data exfiltrated, the consequential impact, and the estimated cost
of remedying such breaches.
``(g) Report on the Operations of the Center.--The Secretary, in
consultation with the Sector Coordinating Councils and appropriate
Federal Government entities, shall submit to the Committee on Homeland
Security of the House of Representatives, the Committee on Homeland
Security and Governmental Affairs of the Senate, and the Comptroller
General of the United States an annual report on--
``(1) the capability and capacity of the Center to carry
out its cybersecurity mission in accordance with this section,
and sections 226, 227, 229, 230, 230A, and 230B;
``(2) the extent to which the Department is engaged in
information sharing with each critical infrastructure sector
designated under section 227(b), including--
``(A) the extent to which each such sector has
representatives at the Center; and
``(B) the extent to which critical infrastructure
owners and critical infrastructure operators of each
critical infrastructure sector participate in
information sharing at the Center;
``(3) the volume and range of activities with respect to
which the Secretary collaborated with the Sector Coordinating
Councils and the Sector-Specific Agencies to promote greater
engagement with the Center; and
``(4) the volume and range of voluntary technical
assistance sought and provided by the Department to each
critical infrastructure owner and critical infrastructure
operator.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
such Act, as amended by section 103, is further amended by adding at
the end the following new item:
``228. National Cybersecurity and Communications Integration Center.''.
(c) GAO Report.--Not later than one year after the date of the
enactment of this Act, the Comptroller General of the United States
shall submit to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and Governmental
Affairs of the Senate a report on the effectiveness of the National
Cybersecurity and Communications Integration Center established under
section 228 of the Homeland Security Act of 2002, as added by
subsection (a) of this section, in carrying out its cybersecurity
mission in accordance with this Act and such section 228 and sections
226, 227, 229, 230, 230A, and 230B of the Homeland Security Act of
2002, as added by this Act.
SEC. 105. CYBER INCIDENT RESPONSE AND TECHNICAL ASSISTANCE.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002, as amended by sections 102, 103, and 104, is further
amended by adding at the end the following new section:
``SEC. 229. CYBER INCIDENT RESPONSE AND TECHNICAL ASSISTANCE.
``(a) In General.--The Secretary shall establish Cyber Incident
Response Teams to--
``(1) upon request, provide timely technical assistance and
crisis management support to Federal, State, and local
government entities, private entities, and critical
infrastructure owners and critical infrastructure operators
involving cyber incidents affecting critical infrastructure;
and
``(2) upon request, provide actionable recommendations on
security and resilience measures and countermeasures to
Federal, State, and local government entities, private
entities, and critical infrastructure owners and critical
infrastructure operators prior to, during, and after cyber
incidents.
``(b) Coordination.--In carrying out subsection (a), the Secretary
shall coordinate with the relevant Sector Specific Agencies, if
applicable.
``(c) Cyber Incident Response Plan.--The Secretary, in coordination
with the Sector Coordinating Councils, Information Sharing and Analysis
Centers, and Federal, State, and local governments, shall develop,
regularly update, maintain, and exercise a National Cybersecurity
Incident Response Plan which shall--
``(1) include effective emergency response plans associated
with cyber threats to critical infrastructure, information
systems, or networks of information systems; and
``(2) ensure that such National Cybersecurity Incident
Response Plan can adapt to and reflect a changing cyber threat
environment, and incorporate best practices and lessons learned
from regular exercises, training, and after-action reports.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
such Act, as amended by sections 103 and 104, is further amended by
adding at the end the following new item:
``229. Cyber incident response and technical assistance.''.
SEC. 106. ASSESSMENT OF CYBERSECURITY WORKFORCE.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002, as amended by sections 101, 103, 104, and 105, is further
amended by adding at the end the following new section:
``SEC. 230. ASSESSMENT OF CYBERSECURITY WORKFORCE.
``(a) Assessment.--The Secretary, in consultation with relevant
private entities, shall regularly assess the readiness and capacity of
the workforce of the Department to meet the needs of the cybersecurity
mission of the Department.
``(b) Strategy Required.--Not later than 180 days after the date of
the enactment of this section, the Secretary shall develop, maintain,
and, as necessary, update, a comprehensive workforce strategy designed
to enhance the readiness, capacity, training, recruitment, and
retention of the cybersecurity personnel of the Department. Such
strategy shall include a five-year plan on recruitment of personnel for
the workforce of the Department, and ten-year projections of the
workforce needs of the Department. The Secretary shall submit such
strategy to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and Governmental
Affairs of the Senate.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
such Act, as amended by sections 103, 104, and 105, is further amended
by adding at the end the following new item:
``230. Assessment of cybersecurity workforce.''.
SEC. 107. PERSONNEL AUTHORITIES.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002, as amended by sections 101, 102, 103, 104, 105, and 106,
is further amended by adding at the end the following new section:
``SEC. 230A. PERSONNEL AUTHORITIES.
``(a) In General.--
``(1) Personnel authorities.--The Secretary may exercise
with respect to qualified employees of the Department the same
authority that the Secretary of Defense has with respect to
civilian intelligence personnel and the scholarship program
under sections 1601, 1602, 1603, and 2200a of title 10, United
States Code, to establish as positions in the excepted service,
appoint individuals to such positions, fix pay, and pay a
retention bonus to any employee appointed under this section if
the Secretary determines that such is needed to retain
essential personnel. Before announcing the payment of a bonus
under this paragraph, the Secretary shall submit to the
Committee on Homeland Security of the House of Representatives
and the Committee on Homeland Security and Governmental Affairs
of the Senate a written explanation of such determination. Such
authority shall be exercised--
``(A) to the same extent and subject to the same
conditions and limitations that the Secretary of
Defense may exercise such authority with respect to
civilian intelligence personnel of the Department of
Defense; and
``(B) in a manner consistent with the merit system
principles set forth in section 2301 of title 5, United
States Code.
``(2) Civil service protections.--Sections 1221 and 2302,
and chapter 75 of title 5, United States Code, shall apply to
the positions established pursuant to the authorities provided
under paragraph (1).
``(3) Plan for execution of authorities.--Not later than
120 days after the date of the enactment of this section, the
Secretary shall submit to the Committee on Homeland Security of
the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a report that
contains a plan for the use of the authorities provided under
this subsection.
``(b) Annual Report.--Not later than one year after the date of the
enactment of this section and annually thereafter for four years, the
Secretary shall submit to the Committee on Homeland Security of the
House of Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a detailed report (including
appropriate metrics on actions occurring during the reporting period)
that discusses the processes used by the Secretary in implementing this
section and accepting applications, assessing candidates, ensuring
adherence to veterans' preference, and selecting applicants for
vacancies to be filled by a qualified employee.
``(c) Definition of Qualified Employee.--In this section, the term
`qualified employee' means an employee who performs functions relating
to the security of Federal civilian information systems, critical
infrastructure information systems, or networks of either of such
systems.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
such Act, as amended by sections 103, 104, 105, and 106, is further
amended by adding at the end the following new item:
``230A. Personnel authorities.''.
SEC. 108. STREAMLINING OF DEPARTMENT CYBERSECURITY ORGANIZATION.
(a) Cybersecurity and Infrastructure Protection Directorate.--The
National Protection and Programs Directorate of the Department of
Homeland Security shall, after the date of the enactment of this Act,
be known and designated as the ``Cybersecurity and Infrastructure
Protection Directorate''. Any reference to the National Protection and
Programs Directorate of the Department in any law, regulation, map,
document, record, or other paper of the United States shall be deemed
to be a reference to the Cybersecurity and Infrastructure Protection
Directorate of the Department.
(b) Senior Leadership of the Cybersecurity and Infrastructure
Protection Directorate.--
(1) In general.--Subsection (a) of section 103 of the
Homeland Security Act of 2002 (6 U.S.C. 113) is amended by
adding at the end the following new subparagraphs:
``(K) Under Secretary for Cybersecurity and
Infrastructure Protection.
``(L) Deputy Under Secretary for Cybersecurity.
``(M) Deputy Under Secretary for Infrastructure
Protection.''.
(2) Continuation in office.--The individuals who hold the
positions referred to in subparagraphs (K), (L), and (M) of
subsection (a) of section 103 of the Homeland Security Act of
2002 (as added by paragraph (1) of this subsection) as of the
date of the enactment of this Act may continue to hold such
positions.
(c) Report on Improving the Capability and Effectiveness of the
Cybersecurity and Communications Office.--To improve the operational
capability and effectiveness in carrying out the cybersecurity mission
of the Department of Homeland Security, the Secretary of Homeland
Security shall submit to the Committee on Homeland Security of the
House of Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report on--
(1) the feasibility of making the Cybersecurity and
Communications Office of the Department an operational
component of the Department; and
(2) recommendations for restructuring the SAFETY Act Office
within the Department to elevate the profile and mission of the
Office, including the feasibility of utilizing third-party
registrars for improving the throughput and effectiveness of
the certification process.
(d) Report on Cybersecurity Acquisition Capabilities.--The
Secretary of Homeland Security shall assess the effectiveness of the
Department of Homeland Security's acquisition processes and the use of
existing authorities for acquiring cybersecurity technologies to ensure
that such processes and authorities are capable of meeting the needs
and demands of the Department's cybersecurity mission. Not later than
180 days after the date of the enactment of this Act, the Secretary
shall submit to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and Governmental
Affairs of the Senate a report on the effectiveness of the Department's
acquisition processes for cybersecurity technologies.
TITLE II--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
SEC. 201. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002, as amended by sections 102, 103, 104, 105, 106, and 107,
is further amended by adding at the end the following new section:
``SEC. 230B. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.
``(a) National Institute of Standards and Technology.--The Director
of the National Institute of Standards and Technology, in collaboration
with the Secretary, shall, on an ongoing basis, facilitate and support
the development of a voluntary, industry-led set of standards,
guidelines, best practices, methodologies, procedures, and processes to
reduce cyber risks to critical infrastructure. The Director, in
collaboration with the Secretary--
``(1) shall--
``(A) coordinate closely and continuously with
relevant private entities, critical infrastructure
owners and critical infrastructure operators, Sector
Coordinating Councils, Information Sharing and Analysis
Centers, and other relevant industry organizations, and
incorporate industry expertise to the fullest extent
possible;
``(B) consult with the Sector Specific Agencies,
Federal, State and local governments, the governments
of other countries, and international organizations;
``(C) utilize a prioritized, flexible, repeatable,
performance-based, and cost-effective approach,
including information security measures and controls,
that may be voluntarily adopted by critical
infrastructure owners and critical infrastructure
operators to help them identify, assess, and manage
cyber risks;
``(D) include methodologies to--
``(i) identify and mitigate impacts of the
cybersecurity measures or controls on business
confidentiality; and
``(ii) protect individual privacy and civil
liberties;
``(E) incorporate voluntary consensus standards and
industry best practices, and align with voluntary
international standards to the fullest extent possible;
``(F) prevent duplication of existing regulatory
processes and prevent conflict with or superseding of
existing regulatory requirements and processes; and
``(G) include such other similar and consistent
elements as determined necessary; and
``(2) shall not prescribe or otherwise require--
``(A) the use of specific solutions;
``(B) the use of specific information technology
products or services; or
``(C) that information technology products or
services be designed, developed, or manufactured in a
particular manner.
``(b) Meetings.--The Secretary shall meet with the Sector
Coordinating Council for each critical infrastructure sector designated
under section 227(b) on a biannual basis to discuss the cybersecurity
threat to critical infrastructure, voluntary activities to address
cybersecurity, and ideas to improve the public-private partnership to
enhance cybersecurity, in which the Secretary shall--
``(1) provide each Sector Coordinating Council an
assessment of the cybersecurity threat to each critical
infrastructure sector designated under section 227(b),
including information relating to--
``(A) any actual or assessed cyber threat,
including a consideration of adversary capability and
intent, preparedness, target attractiveness, and
deterrence capabilities;
``(B) the extent and likelihood of death, injury,
or serious adverse effects to human health and safety
caused by an act of terrorism or other disruption,
destruction, or unauthorized use of critical
infrastructure;
``(C) the threat to national security caused by an
act of terrorism or other disruption, destruction, or
unauthorized use of critical infrastructure; and
``(D) the harm to the economy that would result
from an act of terrorism or other disruption,
destruction, or unauthorized use of critical
infrastructure; and
``(2) provide recommendations, which may be voluntarily
adopted, on ways to improve cybersecurity of critical
infrastructure.
``(c) Report.--
``(1) In general.--Starting 30 days after the end of the
fiscal year in which the National Cybersecurity and Critical
Infrastructure Protection Act of 2013 is enacted and annually
thereafter, the Secretary shall submit to the Committee on
Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of the
Senate a report on the state of cybersecurity for each critical
infrastructure sector designated under section 227(b) based on
discussions between the Department and the Sector Coordinating
Council in accordance with subsection (b) of this section. The
Secretary shall maintain a public copy of each report, and each
report may include a non-public annex for proprietary or
business-sensitive information. Each report shall include, at a
minimum, information relating to--
``(A) the risk to each critical infrastructure
sector, including known cyber threats, vulnerabilities,
and potential consequences;
``(B) the extent and nature of any cybersecurity
incidents during the previous year, including the
extent to which cyber incidents jeopardized or
imminently jeopardized information systems;
``(C) the current status of the voluntary,
industry-led set of standards, guidelines, best
practices, methodologies, procedures, and processes to
reduce cyber risks within each critical infrastructure
sector; and
``(D) the volume and range of voluntary technical
assistance sought and provided by the Department to
each critical infrastructure sector.
``(2) Sector coordinating council response.--Before making
public and submitting each report required under paragraph (1),
the Secretary shall provide a draft of each report to the
Sector Coordinating Council for the critical infrastructure
sector covered by each such report. The Sector Coordinating
Council at issue may provide to the Secretary a written
response to such report within 45 days of receiving the draft.
If such Sector Coordinating Council provides a written
response, the Secretary shall include such written response in
the final version of each report required under paragraph (1).
``(d) Limitation.--Information shared with or provided to the
Director of the National Institute of Standards and Technology or the
Secretary for the purpose of the activities under subsections (a) and
(b) shall not be used by any Federal, State, or local government
department or agency to regulate the activity of any private entity.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
such Act, as amended by sections 102, 103, 104, 105, 106, and 107 is
further amended by adding at the end the following new item:
``230B. Public-private collaboration on cybersecurity.''.
SEC. 202. SAFETY ACT AND QUALIFYING CYBER INCIDENTS.
(a) In General.--The Support Anti-Terrorism By Fostering Effective
Technologies Act of 2002 (6 U.S.C. 441 et seq.) is amended--
(1) in section 862(b) (6 U.S.C. 441(b))--
(A) in the heading, by striking ``Designation of
Qualified Anti-Terrorism Technologies'' and inserting
``Designation of Anti-Terrorism and Cybersecurity
Technologies'';
(B) in the matter preceding paragraph (1), by
inserting ``and cybersecurity'' after ``anti-
terrorism'';
(C) in paragraphs (3), (4), and (5), by inserting
``or cybersecurity'' after ``anti-terrorism'' each
place it appears; and
(D) in paragraph (7)--
(i) by inserting ``or cybersecurity
technology'' after ``Anti-terrorism
technology''; and
(ii) by inserting ``or qualifying cyber
incidents'' after ``acts of terrorism'';
(2) in section 863 (6 U.S.C. 442)--
(A) by inserting ``or cybersecurity'' after ``anti-
terrorism'' each place it appears;
(B) by inserting ``or qualifying cyber incident''
after ``act of terrorism'' each place it appears; and
(C) by inserting ``or qualifying cyber incidents''
after ``acts of terrorism'' each place it appears;
(3) in section 864 (6 U.S.C. 443)--
(A) by inserting ``or cybersecurity'' after ``anti-
terrorism'' each place it appears; and
(B) by inserting ``or qualifying cyber incident''
after ``act of terrorism'' each place it appears; and
(4) in section 865 (6 U.S.C. 444)--
(A) in paragraph (1)--
(i) in the heading, by inserting ``or
cybersecurity'' after ``anti-terrorism'';
(ii) by inserting ``or cybersecurity''
after ``anti-terrorism''; and
(iii) by inserting ``or qualifying cyber
incident'' after ``acts of terrorism''; and
(B) by adding at the end the following new
paragraph:
``(7) Qualifying cyber incident.--
``(A) In general.--The term `qualifying cyber
incident' means any act that the Secretary determines
meets the requirements under subparagraph (B), as such
requirements are further defined and specified by the
Secretary.
``(B) Requirements.--A qualifying cyber incident
meets the requirements of this subparagraph if the
incident--
``(i) is unlawful or otherwise exceeds
authorized access authority;
``(ii) disrupts or imminently jeopardizes
the integrity, operation, confidentiality, or
availability of programmable electronic
devices, communication networks, including
hardware, software and data that are essential
to their reliable operation, electronic storage
devices, or any other information system, or
the information that system controls,
processes, stores, or transmits;
``(iii) gains access to an information
system or a network of information systems
resulting in--
``(I) misappropriation or theft of
data, assets, information, or
intellectual property;
``(II) corruption of data, assets,
information, or intellectual property;
``(III) operational disruption; or
``(IV) an adverse effect on such
system or network, or the data, assets,
information, or intellectual property
contained therein; and
``(iv) causes harm inside or outside the
United States that results in material levels
of damage, disruption, or casualties severely
affecting the United States population,
infrastructure, economy, national morale, or
Federal, State, local, or tribal government
functions.''.
(b) Funding.--Of the amounts authorized to be appropriated for each
of fiscal years 2014, 2015, and 2016 for the Science and Technology
Directorate of the Department of Homeland Security, the Secretary of
Homeland Security is authorized to use not less than $20,000,000 for
any such year for the Department's SAFETY Act Office.
SEC. 203. PROHIBITION ON NEW REGULATORY AUTHORITY.
This Act and the amendments made by this Act do not--
(1) create or authorize the issuance of any new regulations
or additional Federal Government regulatory authority; or
(2) permit regulatory actions that would duplicate,
conflict with, or supersede existing regulatory requirements,
mandatory standards, or related processes.
SEC. 204. PROHIBITION ON ADDITIONAL AUTHORIZATION OF APPROPRIATIONS.
No additional funds are authorized to be appropriated to carry out
this Act and the amendments made by this Act. This Act and such
amendments shall be carried out using amounts otherwise available for
such purposes.