[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H. Res. 164 Engrossed in House (EH)]

H. Res. 164

                In the House of Representatives, U. S.,

                                                        April 17, 2013.
    Resolved, That at any time after the adoption of this resolution the Speaker 
may, pursuant to clause 2(b) of rule XVIII, declare the House resolved into the 
Committee of the Whole House on the state of the Union for consideration of the 
bill (H.R. 624) to provide for the sharing of certain cyber threat intelligence 
and cyber threat information between the intelligence community and 
cybersecurity entities, and for other purposes. The first reading of the bill 
shall be dispensed with. All points of order against consideration of the bill 
are waived. General debate shall be confined to the bill and shall not exceed 
one hour equally divided and controlled by the chair and ranking minority member 
of the Permanent Select Committee on Intelligence. After general debate the bill 
shall be considered for amendment under the five-minute rule. In lieu of the 
amendment in the nature of a substitute recommended by the Permanent Select 
Committee on Intelligence now printed in the bill, it shall be in order to 
consider as an original bill for the purpose of amendment under the five-minute 
rule an amendment in the nature of a substitute consisting of the text of Rules 
Committee Print 113-7. That amendment in the nature of a substitute shall be 
considered as read. All points of order against that amendment in the nature of 
a substitute are waived. No amendment to that amendment in the nature of a 
substitute shall be in order except those printed in the report of the Committee 
on Rules accompanying this resolution. Each such amendment may be offered only 
in the order printed in the report, may be offered only by a Member designated 
in the report, shall be considered as read, shall be debatable for the time 
specified in the report equally divided and controlled by the proponent and an 
opponent, shall not be subject to amendment, and shall not be subject to a 
demand for division of the question in the House or in the Committee of the 
Whole. All points of order against such amendments are waived. At the conclusion 
of consideration of the bill for amendment the Committee shall rise and report 
the bill to the House with such amendments as may have been adopted. Any Member 
may demand a separate vote in the House on any amendment adopted in the 
Committee of the Whole to the bill or to the amendment in the nature of a 
substitute made in order as original text. The previous question shall be 
considered as ordered on the bill and amendments thereto to final passage 
without intervening motion except one motion to recommit with or without 
instructions.
    Sec. 2.  Notwithstanding any other provision of this resolution, the 
amendment specified in section 3 shall be in order as though printed as the last 
amendment in House Report 113-41 if offered by Representative McCaul of Texas or 
his designee. That amendment shall be debatable for 10 minutes equally divided 
and controlled by the proponent and an opponent.
    Sec. 3.  The amendment referred to in section 2 is as follows: After section 
1, insert the following new section (and renumber subsequent sections 
accordingly):

``SEC. 2. FEDERAL GOVERNMENT COORDINATION WITH RESPECT TO CYBERSECURITY.

    ``(a) Coordinated Activities.--The Federal Government shall conduct 
cybersecurity activities to provide shared situational awareness that enables 
integrated operational actions to protect, prevent, mitigate, respond to, and 
recover from cyber incidents.
    ``(b) Coordinated Information Sharing.--
            ``(1) Designation of coordinating entity for cyber threat 
        information.--The President shall designate an entity within the 
        Department of Homeland Security as the civilian Federal entity to 
        receive cyber threat information that is shared by a cybersecurity 
        provider or self-protected entity in accordance with section 1104(b) of 
        the National Security Act of 1947, as added by section 3(a) of this Act, 
        except as provided in paragraph (2) and subject to the procedures 
        established under paragraph (4).
            ``(2) Designation of a coordinating entity for cybersecurity 
        crimes.--The President shall designate an entity within the Department 
        of Justice as the civilian Federal entity to receive cyber threat 
        information related to cybersecurity crimes that is shared by a 
        cybersecurity provider or self-protected entity in accordance with 
        section 1104(b) of the National Security Act of 1947, as added by 
        section 3(a) of this Act, subject to the procedures under paragraph (4).
            ``(3) Sharing by coordinating entities.--The entities designated 
        under paragraphs (1) and (2) shall share cyber threat information shared 
        with such entities in accordance with section 1104(b) of the National 
        Security Act of 1947, as added by section 3(a) of this Act, consistent 
        with the procedures established under paragraphs (4) and (5).
            ``(4) Procedures.--Each department or agency of the Federal 
        Government receiving cyber threat information shared in accordance with 
        section 1104(b) of the National Security Act of 1947, as added by 
        section 3(a) of this Act, shall establish procedures to--
                    ``(A) ensure that cyber threat information shared with 
                departments or agencies of the Federal Government in accordance 
                with such section 1104(b) is also shared with appropriate 
                departments and agencies of the Federal Government with a 
                national security mission in real time;
                    ``(B) ensure the distribution to other departments and 
                agencies of the Federal Government of cyber threat information 
                in real time; and
                    ``(C) facilitate information sharing, interaction, and 
                collaboration among and between the Federal Government; State, 
                local, tribal, and territorial governments; and cybersecurity 
                providers and self-protected entities.
            ``(5) Privacy and civil liberties.--
                    ``(A) Policies and procedures.--The Secretary of Homeland 
                Security, the Attorney General, the Director of National 
                Intelligence, and the Secretary of Defense shall jointly 
                establish and periodically review policies and procedures 
                governing the receipt, retention, use, and disclosure of non-
                publicly available cyber threat information shared with the 
                Federal Government in accordance with section 1104(b) of the 
                National Security Act of 1947, as added by section 3(a) of this 
                Act. Such policies and procedures shall, consistent with the 
                need to protect systems and networks from cyber threats and 
                mitigate cyber threats in a timely manner--
                            ``(i) minimize the impact on privacy and civil 
                        liberties;
                            ``(ii) reasonably limit the receipt, retention, use, 
                        and disclosure of cyber threat information associated 
                        with specific persons that is not necessary to protect 
                        systems or networks from cyber threats or mitigate cyber 
                        threats in a timely manner;
                            ``(iii) include requirements to safeguard non-
                        publicly available cyber threat information that may be 
                        used to identify specific persons from unauthorized 
                        access or acquisition;
                            ``(iv) protect the confidentiality of cyber threat 
                        information associated with specific persons to the 
                        greatest extent practicable; and
                            ``(v) not delay or impede the flow of cyber threat 
                        information necessary to defend against or mitigate a 
                        cyber threat.
                    ``(B) Submission to congress.--The Secretary of Homeland 
                Security, the Attorney General, the Director of National 
                Intelligence, and the Secretary of Defense shall, consistent 
                with the need to protect sources and methods, jointly submit to 
                Congress the policies and procedures required under subparagraph 
                (A) and any updates to such policies and procedures.
                    ``(C) Implementation.--The head of each department or agency 
                of the Federal Government receiving cyber threat information 
                shared with the Federal Government under such section 1104(b) 
                shall--
                            ``(i) implement the policies and procedures 
                        established under subparagraph (A); and
                            ``(ii) promptly notify the Secretary of Homeland 
                        Security, the Attorney General, the Director of National 
                        Intelligence, the Secretary of Defense, and the 
                        appropriate congressional committees of any significant 
                        violations of such policies and procedures.
                    ``(D) Oversight.--The Secretary of Homeland Security, the 
                Attorney General, the Director of National Intelligence, and the 
                Secretary of Defense shall jointly establish a program to 
                monitor and oversee compliance with the policies and procedures 
                established under subparagraph (A).
            ``(6) Information sharing relationships.--Nothing in this section 
        shall be construed to--
                    ``(A) alter existing agreements or prohibit new agreements 
                with respect to the sharing of cyber threat information between 
                the Department of Defense and an entity that is part of the 
                defense industrial base;
                    ``(B) alter existing information-sharing relationships 
                between a cybersecurity provider, protected entity, or self-
                protected entity and the Federal Government;
                    ``(C) prohibit the sharing of cyber threat information 
                directly with a department or agency of the Federal Government 
                for criminal investigative purposes related to crimes described 
                in section 1104(c)(1) of the National Security Act of 1947, as 
                added by section 3(a) of this Act; or
                    ``(D) alter existing agreements or prohibit new agreements 
                with respect to the sharing of cyber threat information between 
                the Department of Treasury and an entity that is part of the 
                financial services sector.
            ``(7) Technical assistance.--
                    ``(A) Discussions and assistance.--Nothing in this section 
                shall be construed to prohibit any department or agency of the 
                Federal Government from engaging in formal or informal technical 
                discussion regarding cyber threat information with a 
                cybersecurity provider or self-protected entity or from 
                providing technical assistance to address vulnerabilities or 
                mitigate threats at the request of such a provider or such an 
                entity.
                    ``(B) Coordination.--Any department or agency of the Federal 
                Government engaging in an activity referred to in subparagraph 
                (A) shall coordinate such activity with the entity of the 
                Department of Homeland Security designated under paragraph (1) 
                and share all significant information resulting from such 
                activity with such entity and all other appropriate departments 
                and agencies of the Federal Government.
                    ``(C) Sharing by designated entity.--Consistent with the 
                policies and procedures established under paragraph (5), the 
                entity of the Department of Homeland Security designated under 
                paragraph (1) shall share with all appropriate departments and 
                agencies of the Federal Government all significant information 
                resulting from--
                            ``(i) formal or informal technical discussions 
                        between such entity of the Department of Homeland 
                        Security and a cybersecurity provider or self-protected 
                        entity about cyber threat information; or
                            ``(ii) any technical assistance such entity of the 
                        Department of Homeland Security provides to such 
                        cybersecurity provider or such self-protected entity to 
                        address vulnerabilities or mitigate threats.
    ``(c) Reports on Information Sharing.--
            ``(1) Inspector general of the department of homeland security 
        report.--The Inspector General of the Department of Homeland Security, 
        in consultation with the Inspector General of the Department of Justice, 
        the Inspector General of the Intelligence Community, the Inspector 
        General of the Department of Defense, and the Privacy and Civil 
        Liberties Oversight Board, shall annually submit to the appropriate 
        congressional committees a report containing a review of the use of 
        information shared with the Federal Government under subsection (b) of 
        section 1104 of the National Security Act of 1947, as added by section 
        3(a) of this Act, including--
                    ``(A) a review of the use by the Federal Government of such 
                information for a purpose other than a cybersecurity purpose;
                    ``(B) a review of the type of information shared with the 
                Federal Government under such subsection;
                    ``(C) a review of the actions taken by the Federal 
                Government based on such information;
                    ``(D) appropriate metrics to determine the impact of the 
                sharing of such information with the Federal Government on 
                privacy and civil liberties, if any;
                    ``(E) a list of the departments or agencies receiving such 
                information;
                    ``(F) a review of the sharing of such information within the 
                Federal Government to identify inappropriate stovepiping of 
                shared information; and
                    ``(G) any recommendations of the Inspector General of the 
                Department of Homeland Security for improvements or 
                modifications to the authorities under such section.
            ``(2) Privacy and civil liberties officers report.--The Officer for 
        Civil Rights and Civil Liberties of the Department of Homeland Security, 
        in consultation with the Privacy and Civil Liberties Oversight Board, 
        the Inspector General of the Intelligence Community, and the senior 
        privacy and civil liberties officer of each department or agency of the 
        Federal Government that receives cyber threat information shared with 
        the Federal Government under such subsection (b), shall annually and 
        jointly submit to Congress a report assessing the privacy and civil 
        liberties impact of the activities conducted by the Federal Government 
        under such section 1104. Such report shall include any recommendations 
        the Civil Liberties Protection Officer and Chief Privacy and Civil 
        Liberties Officer consider appropriate to minimize or mitigate the 
        privacy and civil liberties impact of the sharing of cyber threat 
        information under such section 1104.
            ``(3) Form.--Each report required under paragraph (1) or (2) shall 
        be submitted in unclassified form, but may include a classified annex.
    ``(d) Definitions.--In this section:
            ``(1) Appropriate congressional committees.--The term `appropriate 
        congressional committees' means--
                    ``(A) the Committee on Homeland Security, the Committee on 
                the Judiciary, the Permanent Select Committee on Intelligence, 
                and the Committee on Armed Services of the House of 
                Representatives; and
                    ``(B) the Committee on Homeland Security and Governmental 
                Affairs, the Committee on the Judiciary, the Select Committee on 
                Intelligence, and the Committee on Armed Services of the Senate.
            ``(2) Cyber threat information, cyber threat intelligence, 
        cybersecurity crimes, cybersecurity provider, cybersecurity purpose, and 
        self-protected entity.--The terms `cyber threat information', `cyber 
        threat intelligence', `cybersecurity crimes', `cybersecurity provider', 
        `cybersecurity purpose', and `self-protected entity' have the meaning 
        given those terms in section 1104 of the National Security Act of 1947, 
        as added by section 3(a) of this Act.
            ``(3) Intelligence community.--The term `intelligence community' has 
        the meaning given the term in section 3(4) of the National Security Act 
        of 1947 (50 U.S.C. 401a(4)).
            ``(4) Shared situational awareness.--The term `shared situational 
        awareness' means an environment where cyber threat information is shared 
        in real time between all designated Federal cyber operations centers to 
        provide actionable information about all known cyber threats.''.
     Page 5, strike line 6 and all that follows through page 6, line 7.
     Page 7, beginning on line 17, strike ``by the department or agency of the 
Federal Government receiving such cyber threat information''.
     Page 13, strike line 13 and all that follows through page 15, line 23.
     Page 17, strike line 15 and all that follows through page 19, line 19.
            Attest:

                                                                          Clerk.