[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 624 Reported in House (RH)]

                                                  Union Calendar No. 25
113th CONGRESS
  1st Session
                                H. R. 624

                          [Report No. 113-39]

  To provide for the sharing of certain cyber threat intelligence and 
    cyber threat information between the intelligence community and 
            cybersecurity entities, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 13, 2013

 Mr. Rogers of Michigan (for himself and Mr. Ruppersberger) introduced 
   the following bill; which was referred to the Select Committee on 
                    Intelligence (Permanent Select)

                             April 15, 2013

Additional sponsors: Mr. McCaul, Mr. Thornberry, Mr. Upton, Mr. Walden, 
Mr. Westmoreland, Mr. Nunes, Mr. Pompeo, Mr. Peters of California, Ms. 
  Sinema, Mr. Lance, Mr. LoBiondo, Mr. King of New York, Mr. Heck of 
Nevada, Mr. Stivers, Mr. Conaway, Mr. McHenry, Mrs. Miller of Michigan, 
   Mr. Guthrie, Mr. Kline, Mr. Schock, Mr. Mulvaney, Mr. Hastings of 
Washington, Mr. Camp, Mr. Cole, Mr. Kinzinger of Illinois, Mr. Amodei, 
Mr. Griffin of Arkansas, Ms. Sewell of Alabama, Mr. Cuellar, Mr. Costa, 
  Mr. Hastings of Florida, Mr. Kilmer, Mr. Lipinski, Mr. Enyart, Mr. 
                       Gutierrez, and Mr. Vargas

                             April 15, 2013

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
    [For text of introduced bill, see copy of bill as introduced on 
                           February 13, 2013]


_______________________________________________________________________

                                 A BILL

  To provide for the sharing of certain cyber threat intelligence and 
    cyber threat information between the intelligence community and 
            cybersecurity entities, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Intelligence Sharing and 
Protection Act''.

SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.

    (a) In General.--Title XI of the National Security Act of 1947 (50 
U.S.C. 442 et seq.) is amended by adding at the end the following new 
section:

          ``cyber threat intelligence and information sharing

    ``Sec. 1104.  (a) Intelligence Community Sharing of Cyber Threat 
Intelligence With Private Sector and Utilities.--
            ``(1) In general.--The Director of National Intelligence 
        shall establish procedures to allow elements of the 
        intelligence community to share cyber threat intelligence with 
        private-sector entities and utilities and to encourage the 
        sharing of such intelligence.
            ``(2) Sharing and use of classified intelligence.--The 
        procedures established under paragraph (1) shall provide that 
        classified cyber threat intelligence may only be--
                    ``(A) shared by an element of the intelligence 
                community with--
                            ``(i) a certified entity; or
                            ``(ii) a person with an appropriate 
                        security clearance to receive such cyber threat 
                        intelligence;
                    ``(B) shared consistent with the need to protect 
                the national security of the United States; and
                    ``(C) used by a certified entity in a manner which 
                protects such cyber threat intelligence from 
                unauthorized disclosure.
            ``(3) Security clearance approvals.--The Director of 
        National Intelligence shall issue guidelines providing that the 
        head of an element of the intelligence community may, as the 
        head of such element considers necessary to carry out this 
        subsection--
                    ``(A) grant a security clearance on a temporary or 
                permanent basis to an employee or officer of a 
                certified entity;
                    ``(B) grant a security clearance on a temporary or 
                permanent basis to a certified entity and approval to 
                use appropriate facilities; and
                    ``(C) expedite the security clearance process for a 
                person or entity as the head of such element considers 
                necessary, consistent with the need to protect the 
                national security of the United States.
            ``(4) No right or benefit.--The provision of information to 
        a private-sector entity or a utility under this subsection 
        shall not create a right or benefit to similar information by 
        such entity or such utility or any other private-sector entity 
        or utility.
            ``(5) Restriction on disclosure of cyber threat 
        intelligence.--Notwithstanding any other provision of law, a 
        certified entity receiving cyber threat intelligence pursuant 
        to this subsection shall not further disclose such cyber threat 
        intelligence to another entity, other than to a certified 
        entity or other appropriate agency or department of the Federal 
        Government authorized to receive such cyber threat 
        intelligence.
    ``(b) Use of Cybersecurity Systems and Sharing of Cyber Threat 
Information.--
            ``(1) In general.--
                    ``(A) Cybersecurity providers.--Notwithstanding any 
                other provision of law, a cybersecurity provider, with 
                the express consent of a protected entity for which 
                such cybersecurity provider is providing goods or 
                services for cybersecurity purposes, may, for 
                cybersecurity purposes--
                            ``(i) use cybersecurity systems to identify 
                        and obtain cyber threat information to protect 
                        the rights and property of such protected 
                        entity; and
                            ``(ii) share such cyber threat information 
                        with any other entity designated by such 
                        protected entity, including, if specifically 
                        designated, the Federal Government.
                    ``(B) Self-protected entities.--Notwithstanding any 
                other provision of law, a self-protected entity may, 
                for cybersecurity purposes--
                            ``(i) use cybersecurity systems to identify 
                        and obtain cyber threat information to protect 
                        the rights and property of such self-protected 
                        entity; and
                            ``(ii) share such cyber threat information 
                        with any other entity, including the Federal 
                        Government.
            ``(2) Sharing with the federal government.--
                    ``(A) Information shared with the national 
                cybersecurity and communications integration center of 
                the department of homeland security.--Subject to the 
                use and protection of information requirements under 
                paragraph (3), the head of a department or agency of 
                the Federal Government receiving cyber threat 
                information in accordance with paragraph (1) shall 
                provide such cyber threat information in as close to 
                real time as possible to the National Cybersecurity and 
                Communications Integration Center of the Department of 
                Homeland Security.
                    ``(B) Request to share with another department or 
                agency of the federal government.--An entity sharing 
                cyber threat information that is provided to the 
                National Cybersecurity and Communications Integration 
                Center of the Department of Homeland Security under 
                subparagraph (A) or paragraph (1) may request the head 
                of such Center to, and the head of such Center may, 
                provide such information in as close to real time as 
                possible to another department or agency of the Federal 
                Government.
            ``(3) Use and protection of information.--Cyber threat 
        information shared in accordance with paragraph (1)--
                    ``(A) shall only be shared in accordance with any 
                restrictions placed on the sharing of such information 
                by the protected entity or self-protected entity 
                authorizing such sharing, including appropriate 
                anonymization or minimization of such information and 
                excluding limiting a department or agency of the 
                Federal Government from sharing such information with 
                another department or agency of the Federal Government 
                in accordance with this section;
                    ``(B) may not be used by an entity to gain an 
                unfair competitive advantage to the detriment of the 
                protected entity or the self-protected entity 
                authorizing the sharing of information;
                    ``(C) may only be used by a non-Federal recipient 
                of such information for a cybersecurity purpose;
                    ``(D) if shared with the Federal Government--
                            ``(i) shall be exempt from disclosure under 
                        section 552 of title 5, United States Code 
                        (commonly known as the `Freedom of Information 
                        Act');
                            ``(ii) shall be considered proprietary 
                        information and shall not be disclosed to an 
                        entity outside of the Federal Government except 
                        as authorized by the entity sharing such 
                        information;
                            ``(iii) shall not be used by the Federal 
                        Government for regulatory purposes;
                            ``(iv) shall not be provided by the 
                        department or agency of the Federal Government 
                        receiving such cyber threat information to 
                        another department or agency of the Federal 
                        Government under paragraph (2)(A) if--
                                    ``(I) the entity providing such 
                                information determines that the 
                                provision of such information will 
                                undermine the purpose for which such 
                                information is shared; or
                                    ``(II) unless otherwise directed by 
                                the President, the head of the 
                                department or agency of the Federal 
                                Government receiving such cyber threat 
                                information determines that the 
                                provision of such information will 
                                undermine the purpose for which such 
                                information is shared; and
                            ``(v) shall be handled by the Federal 
                        Government consistent with the need to protect 
                        sources and methods and the national security 
                        of the United States; and
                    ``(E) shall be exempt from disclosure under a 
                State, local, or tribal law or regulation that requires 
                public disclosure of information by a public or quasi-
                public entity.
            ``(4) Exemption from liability.--
                    ``(A) Exemption.--No civil or criminal cause of 
                action shall lie or be maintained in Federal or State 
                court against a protected entity, self-protected 
                entity, cybersecurity provider, or an officer, 
                employee, or agent of a protected entity, self-
                protected entity, or cybersecurity provider, acting in 
                good faith--
                            ``(i) for using cybersecurity systems to 
                        identify or obtain cyber threat information or 
                        for sharing such information in accordance with 
                        this section; or
                            ``(ii) for decisions made for cybersecurity 
                        purposes and based on cyber threat information 
                        identified, obtained, or shared under this 
                        section.
                    ``(B) Lack of good faith.--For purposes of the 
                exemption from liability under subparagraph (A), a lack 
                of good faith includes, but is not limited to, any act 
                or omission taken with intent to injure, defraud, or 
                otherwise endanger any individual, government entity, 
                private entity, or utility.
            ``(5) Relationship to other laws requiring the disclosure 
        of information.--The submission of information under this 
        subsection to the Federal Government shall not satisfy or 
        affect--
                    ``(A) any requirement under any other provision of 
                law for a person or entity to provide information to 
                the Federal Government; or
                    ``(B) the applicability of other provisions of law, 
                including section 552 of title 5, United States Code 
                (commonly known as the `Freedom of Information Act'), 
                with respect to information required to be provided to 
                the Federal Government under such other provision of 
                law.
            ``(6) Rule of construction.--Nothing in this subsection 
        shall be construed to provide new authority to--
                    ``(A) a cybersecurity provider to use a 
                cybersecurity system to identify or obtain cyber threat 
                information from a system or network other than a 
                system or network owned or operated by a protected 
                entity for which such cybersecurity provider is 
                providing goods or services for cybersecurity purposes; 
                or
                    ``(B) a self-protected entity to use a 
                cybersecurity system to identify or obtain cyber threat 
                information from a system or network other than a 
                system or network owned or operated by such self-
                protected entity.
    ``(c) Federal Government Use of Information.--
            ``(1) Limitation.--The Federal Government may use cyber 
        threat information shared with the Federal Government in 
        accordance with subsection (b)--
                    ``(A) for cybersecurity purposes;
                    ``(B) for the investigation and prosecution of 
                cybersecurity crimes;
                    ``(C) for the protection of individuals from the 
                danger of death or serious bodily harm and the 
                investigation and prosecution of crimes involving such 
                danger of death or serious bodily harm; or
                    ``(D) for the protection of minors from child 
                pornography, any risk of sexual exploitation, and 
                serious threats to the physical safety of minors, 
                including kidnapping and trafficking and the 
                investigation and prosecution of crimes involving child 
                pornography, any risk of sexual exploitation, and 
                serious threats to the physical safety of minors, 
                including kidnapping and trafficking, and any crime 
                referred to in section 2258A(a)(2) of title 18, United 
                States Code.
            ``(2) Affirmative search restriction.--The Federal 
        Government may not affirmatively search cyber threat 
        information shared with the Federal Government under subsection 
        (b) for a purpose other than a purpose referred to in paragraph 
        (1).
            ``(3) Anti-tasking restriction.--Nothing in this section 
        shall be construed to permit the Federal Government to--
                    ``(A) require a private-sector entity or utility to 
                share information with the Federal Government; or
                    ``(B) condition the sharing of cyber threat 
                intelligence with a private-sector entity or utility on 
                the provision of cyber threat information to the 
                Federal Government.
            ``(4) Protection of sensitive personal documents.--The 
        Federal Government may not use the following information, 
        containing information that identifies a person, shared with 
        the Federal Government in accordance with subsection (b) unless 
        such information is used in accordance with the policies and 
        procedures established under paragraph (7):
                    ``(A) Library circulation records.
                    ``(B) Library patron lists.
                    ``(C) Book sales records.
                    ``(D) Book customer lists.
                    ``(E) Firearms sales records.
                    ``(F) Tax return records.
                    ``(G) Educational records.
                    ``(H) Medical records.
            ``(5) Notification of non-cyber threat information.--If a 
        department or agency of the Federal Government receiving 
        information pursuant to subsection (b)(1) determines that such 
        information is not cyber threat information, such department or 
        agency shall notify the entity or provider sharing such 
        information pursuant to subsection (b)(1).
            ``(6) Retention and use of cyber threat information.--No 
        department or agency of the Federal Government shall retain or 
        use information shared pursuant to subsection (b)(1) for any 
        use other than a use permitted under subsection (c)(1).
            ``(7) Privacy and civil liberties.--
                    ``(A) Policies and procedures.--The Director of 
                National Intelligence, in consultation with the 
                Secretary of Homeland Security and the Attorney 
                General, shall establish and periodically review 
                policies and procedures governing the receipt, 
                retention, use, and disclosure of non-publicly 
                available cyber threat information shared with the 
                Federal Government in accordance with subsection 
                (b)(1). Such policies and procedures shall, consistent 
                with the need to protect systems and networks from 
                cyber threats and mitigate cyber threats in a timely 
                manner--
                            ``(i) minimize the impact on privacy and 
                        civil liberties;
                            ``(ii) reasonably limit the receipt, 
                        retention, use, and disclosure of cyber threat 
                        information associated with specific persons 
                        that is not necessary to protect systems or 
                        networks from cyber threats or mitigate cyber 
                        threats in a timely manner;
                            ``(iii) include requirements to safeguard 
                        non-publicly available cyber threat information 
                        that may be used to identify specific persons 
                        from unauthorized access or acquisition;
                            ``(iv) protect the confidentiality of cyber 
                        threat information associated with specific 
                        persons to the greatest extent practicable; and
                            ``(v) not delay or impede the flow of cyber 
                        threat information necessary to defend against 
                        or mitigate a cyber threat.
                    ``(B) Submission to congress.--The Director of 
                National Intelligence shall, consistent with the need 
                to protect sources and methods, submit to Congress the 
                policies and procedures required under subparagraph (A) 
                and any updates to such policies and procedures.
                    ``(C) Implementation.--The head of each department 
                or agency of the Federal Government receiving cyber 
                threat information shared with the Federal Government 
                under subsection (b)(1) shall--
                            ``(i) implement the policies and procedures 
                        established under subparagraph (A); and
                            ``(ii) promptly notify the Director of 
                        National Intelligence, the Attorney General, 
                        and the congressional intelligence committees 
                        of any significant violations of such policies 
                        and procedures.
                    ``(D) Oversight.--The Director of National 
                Intelligence, in consultation with the Attorney 
                General, the Secretary of Homeland Security, and the 
                Secretary of Defense, shall establish a program to 
                monitor and oversee compliance with the policies and 
                procedures established under subparagraph (A).
    ``(d) Federal Government Liability for Violations of Restrictions 
on the Disclosure, Use, and Protection of Voluntarily Shared 
Information.--
            ``(1) In general.--If a department or agency of the Federal 
        Government intentionally or willfully violates subsection 
        (b)(3)(D) or subsection (c) with respect to the disclosure, 
        use, or protection of voluntarily shared cyber threat 
        information shared under this section, the United States shall 
        be liable to a person adversely affected by such violation in 
        an amount equal to the sum of--
                    ``(A) the actual damages sustained by the person as 
                a result of the violation or $1,000, whichever is 
                greater; and
                    ``(B) the costs of the action together with 
                reasonable attorney fees as determined by the court.
            ``(2) Venue.--An action to enforce liability created under 
        this subsection may be brought in the district court of the 
        United States in--
                    ``(A) the district in which the complainant 
                resides;
                    ``(B) the district in which the principal place of 
                business of the complainant is located;
                    ``(C) the district in which the department or 
                agency of the Federal Government that disclosed the 
                information is located; or
                    ``(D) the District of Columbia.
            ``(3) Statute of limitations.--No action shall lie under 
        this subsection unless such action is commenced not later than 
        two years after the date of the violation of subsection 
        (b)(3)(D) or subsection (c) that is the basis for the action.
            ``(4) Exclusive cause of action.--A cause of action under 
        this subsection shall be the exclusive means available to a 
        complainant seeking a remedy for a violation of subsection 
        (b)(3)(D) or subsection (c).
    ``(e) Reports on Information Sharing.--
            ``(1) Inspector general report.--The Inspector General of 
        the Intelligence Community, in consultation with the Inspector 
        General of the Department of Justice, the Inspector General of 
        the Department of Defense, and the Privacy and Civil Liberties 
        Oversight Board, shall annually submit to the congressional 
        intelligence committees a report containing a review of the use 
        of information shared with the Federal Government under this 
        section, including--
                    ``(A) a review of the use by the Federal Government 
                of such information for a purpose other than a 
                cybersecurity purpose;
                    ``(B) a review of the type of information shared 
                with the Federal Government under this section;
                    ``(C) a review of the actions taken by the Federal 
                Government based on such information;
                    ``(D) appropriate metrics to determine the impact 
                of the sharing of such information with the Federal 
                Government on privacy and civil liberties, if any;
                    ``(E) a list of the departments or agencies 
                receiving such information;
                    ``(F) a review of the sharing of such information 
                within the Federal Government to identify inappropriate 
                stovepiping of shared information; and
                    ``(G) any recommendations of the Inspector General 
                for improvements or modifications to the authorities 
                under this section.
            ``(2) Privacy and civil liberties officers report.--The 
        Civil Liberties Protection Officer of the Office of the 
        Director of National Intelligence and the Chief Privacy and 
        Civil Liberties Officer of the Department of Justice, in 
        consultation with the Privacy and Civil Liberties Oversight 
        Board, the Inspector General of the Intelligence Community, and 
        the senior privacy and civil liberties officer of each 
        department or agency of the Federal Government that receives 
        cyber threat information shared with the Federal Government 
        under this section, shall annually and jointly submit to 
        Congress a report assessing the privacy and civil liberties 
        impact of the activities conducted by the Federal Government 
        under this section. Such report shall include any 
        recommendations the Civil Liberties Protection Officer and 
        Chief Privacy and Civil Liberties Officer consider appropriate 
        to minimize or mitigate the privacy and civil liberties impact 
        of the sharing of cyber threat information under this section.
            ``(3) Form.--Each report required under paragraph (1) or 
        (2) shall be submitted in unclassified form, but may include a 
        classified annex.
    ``(f) Federal Preemption.--This section supersedes any statute of a 
State or political subdivision of a State that restricts or otherwise 
expressly regulates an activity authorized under subsection (b).
    ``(g) Savings Clauses.--
            ``(1) Existing authorities.--Nothing in this section shall 
        be construed to limit any other authority to use a 
        cybersecurity system or to identify, obtain, or share cyber 
        threat intelligence or cyber threat information.
            ``(2) Limitation on military and intelligence community 
        involvement in private and public sector cybersecurity 
        efforts.--Nothing in this section shall be construed to provide 
        additional authority to, or modify an existing authority of, 
        the Department of Defense or the National Security Agency or 
        any other element of the intelligence community to control, 
        modify, require, or otherwise direct the cybersecurity efforts 
        of a private-sector entity or a component of the Federal 
        Government or a State, local, or tribal government.
            ``(3) Information sharing relationships.--Nothing in this 
        section shall be construed to--
                    ``(A) limit or modify an existing information 
                sharing relationship;
                    ``(B) prohibit a new information sharing 
                relationship;
                    ``(C) require a new information sharing 
                relationship between the Federal Government and a 
                private-sector entity or utility;
                    ``(D) modify the authority of a department or 
                agency of the Federal Government to protect sources and 
                methods and the national security of the United States; 
                or
                    ``(E) preclude the Federal Government from 
                requiring an entity to report significant cyber 
                incidents if authorized or required to do so under 
                another provision of law.
            ``(4) Limitation on federal government use of cybersecurity 
        systems.--Nothing in this section shall be construed to provide 
        additional authority to, or modify an existing authority of, 
        any entity to use a cybersecurity system owned or controlled by 
        the Federal Government on a private-sector system or network to 
        protect such private-sector system or network.
            ``(5) No liability for non-participation.--Nothing in this 
        section shall be construed to subject a protected entity, self-
        protected entity, cyber security provider, or an officer, 
        employee, or agent of a protected entity, self-protected 
        entity, or cybersecurity provider, to liability for choosing 
        not to engage in the voluntary activities authorized under this 
        section.
            ``(6) Use and retention of information.--Nothing in this 
        section shall be construed to authorize, or to modify any 
        existing authority of, a department or agency of the Federal 
        Government to retain or use information shared pursuant to 
        subsection (b)(1) for any use other than a use permitted under 
        subsection (c)(1).
    ``(h) Definitions.--In this section:
            ``(1) Availability.--The term `availability' means ensuring 
        timely and reliable access to and use of information.
            ``(2) Certified entity.--The term `certified entity' means 
        a protected entity, self-protected entity, or cybersecurity 
        provider that--
                    ``(A) possesses or is eligible to obtain a security 
                clearance, as determined by the Director of National 
                Intelligence; and
                    ``(B) is able to demonstrate to the Director of 
                National Intelligence that such provider or such entity 
                can appropriately protect classified cyber threat 
                intelligence.
            ``(3) Confidentiality.--The term `confidentiality' means 
        preserving authorized restrictions on access and disclosure, 
        including means for protecting personal privacy and proprietary 
        information.
            ``(4) Cyber threat information.--
                    ``(A) In general.--The term `cyber threat 
                information' means information directly pertaining to--
                            ``(i) a vulnerability of a system or 
                        network of a government or private entity or 
                        utility;
                            ``(ii) a threat to the integrity, 
                        confidentiality, or availability of a system or 
                        network of a government or private entity or 
                        utility or any information stored on, processed 
                        on, or transiting such a system or network;
                            ``(iii) efforts to deny access to or 
                        degrade, disrupt, or destroy a system or 
                        network of a government or private entity or 
                        utility; or
                            ``(iv) efforts to gain unauthorized access 
                        to a system or network of a government or 
                        private entity or utility, including to gain 
                        such unauthorized access for the purpose of 
                        exfiltrating information stored on, processed 
                        on, or transiting a system or network of a 
                        government or private entity or utility.
                    ``(B) Exclusion.--Such term does not include 
                information pertaining to efforts to gain unauthorized 
                access to a system or network of a government or 
                private entity or utility that solely involve 
                violations of consumer terms of service or consumer 
                licensing agreements and do not otherwise constitute 
                unauthorized access.
            ``(5) Cyber threat intelligence.--
                    ``(A) In general.--The term `cyber threat 
                intelligence' means intelligence in the possession of 
                an element of the intelligence community directly 
                pertaining to--
                            ``(i) a vulnerability of a system or 
                        network of a government or private entity or 
                        utility;
                            ``(ii) a threat to the integrity, 
                        confidentiality, or availability of a system or 
                        network of a government or private entity or 
                        utility or any information stored on, processed 
                        on, or transiting such a system or network;
                            ``(iii) efforts to deny access to or 
                        degrade, disrupt, or destroy a system or 
                        network of a government or private entity or 
                        utility; or
                            ``(iv) efforts to gain unauthorized access 
                        to a system or network of a government or 
                        private entity or utility, including to gain 
                        such unauthorized access for the purpose of 
                        exfiltrating information stored on, processed 
                        on, or transiting a system or network of a 
                        government or private entity or utility.
                    ``(B) Exclusion.--Such term does not include 
                intelligence pertaining to efforts to gain unauthorized 
                access to a system or network of a government or 
                private entity or utility that solely involve 
                violations of consumer terms of service or consumer 
                licensing agreements and do not otherwise constitute 
                unauthorized access.
            ``(6) Cybersecurity crime.--The term `cybersecurity crime' 
        means--
                    ``(A) a crime under a Federal or State law that 
                involves--
                            ``(i) efforts to deny access to or degrade, 
                        disrupt, or destroy a system or network;
                            ``(ii) efforts to gain unauthorized access 
                        to a system or network; or
                            ``(iii) efforts to exfiltrate information 
                        from a system or network without authorization; 
                        or
                    ``(B) the violation of a provision of Federal law 
                relating to computer crimes, including a violation of 
                any provision of title 18, United States Code, created 
                or amended by the Computer Fraud and Abuse Act of 1986 
                (Public Law 99-474).
            ``(7) Cybersecurity provider.--The term `cybersecurity 
        provider' means a non-Federal entity that provides goods or 
        services intended to be used for cybersecurity purposes.
            ``(8) Cybersecurity purpose.--
                    ``(A) In general.--The term `cybersecurity purpose' 
                means the purpose of ensuring the integrity, 
                confidentiality, or availability of, or safeguarding, a 
                system or network, including protecting a system or 
                network from--
                            ``(i) a vulnerability of a system or 
                        network;
                            ``(ii) a threat to the integrity, 
                        confidentiality, or availability of a system or 
                        network or any information stored on, processed 
                        on, or transiting such a system or network;
                            ``(iii) efforts to deny access to or 
                        degrade, disrupt, or destroy a system or 
                        network; or
                            ``(iv) efforts to gain unauthorized access 
                        to a system or network, including to gain such 
                        unauthorized access for the purpose of 
                        exfiltrating information stored on, processed 
                        on, or transiting a system or network.
                    ``(B) Exclusion.--Such term does not include the 
                purpose of protecting a system or network from efforts 
                to gain unauthorized access to such system or network 
                that solely involve violations of consumer terms of 
                service or consumer licensing agreements and do not 
                otherwise constitute unauthorized access.
            ``(9) Cybersecurity system.--
                    ``(A) In general.--The term `cybersecurity system' 
                means a system designed or employed to ensure the 
                integrity, confidentiality, or availability of, or 
                safeguard, a system or network, including protecting a 
                system or network from--
                            ``(i) a vulnerability of a system or 
                        network;
                            ``(ii) a threat to the integrity, 
                        confidentiality, or availability of a system or 
                        network or any information stored on, processed 
                        on, or transiting such a system or network;
                            ``(iii) efforts to deny access to or 
                        degrade, disrupt, or destroy a system or 
                        network; or
                            ``(iv) efforts to gain unauthorized access 
                        to a system or network, including to gain such 
                        unauthorized access for the purpose of 
                        exfiltrating information stored on, processed 
                        on, or transiting a system or network.
                    ``(B) Exclusion.--Such term does not include a 
                system designed or employed to protect a system or 
                network from efforts to gain unauthorized access to 
                such system or network that solely involve violations 
                of consumer terms of service or consumer licensing 
                agreements and do not otherwise constitute unauthorized 
                access.
            ``(10) Integrity.--The term `integrity' means guarding 
        against improper information modification or destruction, 
        including ensuring information nonrepudiation and authenticity.
            ``(11) Protected entity.--The term `protected entity' means 
        an entity, other than an individual, that contracts with a 
        cybersecurity provider for goods or services to be used for 
        cybersecurity purposes.
            ``(12) Self-protected entity.--The term `self-protected 
        entity' means an entity, other than an individual, that 
        provides goods or services for cybersecurity purposes to 
        itself.
            ``(13) Utility.--The term `utility' means an entity 
        providing essential services (other than law enforcement or 
        regulatory services), including electricity, natural gas, 
        propane, telecommunications, transportation, water, or 
        wastewater services.''.
    (b) Procedures and Guidelines.--The Director of National 
Intelligence shall--
            (1) not later than 60 days after the date of the enactment 
        of this Act, establish procedures under paragraph (1) of 
        section 1104(a) of the National Security Act of 1947, as added 
        by subsection (a) of this section, and issue guidelines under 
        paragraph (3) of such section 1104(a);
            (2) in establishing such procedures and issuing such 
        guidelines, consult with the Secretary of Homeland Security to 
        ensure that such procedures and such guidelines permit the 
        owners and operators of critical infrastructure to receive all 
        appropriate cyber threat intelligence (as defined in section 
        1104(h)(5) of such Act, as added by subsection (a)) in the 
        possession of the Federal Government; and
            (3) following the establishment of such procedures and the 
        issuance of such guidelines, expeditiously distribute such 
        procedures and such guidelines to appropriate departments and 
        agencies of the Federal Government, private-sector entities, 
        and utilities (as defined in section 1104(h)(13) of such Act, 
        as added by subsection (a)).
    (c) Privacy and Civil Liberties Policies and Procedures.--Not later 
than 60 days after the date of the enactment of this Act, the Director 
of National Intelligence, in consultation with the Secretary of 
Homeland Security and the Attorney General, shall establish the 
policies and procedures required under section 1104(c)(7)(A) of the 
National Security Act of 1947, as added by subsection (a) of this 
section.
    (d) Initial Reports.--The first reports required to be submitted 
under paragraphs (1) and (2) of subsection (e) of section 1104 of the 
National Security Act of 1947, as added by subsection (a) of this 
section, shall be submitted not later than 1 year after the date of the 
enactment of this Act.
    (e) Table of Contents Amendment.--The table of contents in the 
first section of the National Security Act of 1947 is amended by adding 
at the end the following new item:

``Sec. 1104. Cyber threat intelligence and information sharing.''.

SEC. 3. SUNSET.

    Effective on the date that is 5 years after the date of the 
enactment of this Act--
            (1) section 1104 of the National Security Act of 1947, as 
        added by section 2(a) of this Act, is repealed; and
            (2) the table of contents in the first section of the 
        National Security Act of 1947, as amended by section 2(e) of 
        this Act, is amended by striking the item relating to section 
        1104, as added by such section 2(e).