[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3313 Introduced in House (IH)]

114th CONGRESS
  1st Session
                                H. R. 3313

To amend the Homeland Security Act of 2002 to strengthen the ability of 
  the Secretary of Homeland Security to detect and prevent intrusions 
  against, and to use countermeasures to protect, agency information 
                    systems, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 29, 2015

  Mr. McCaul (for himself and Mr. Ratcliffe) introduced the following 
 bill; which was referred to the Committee on Oversight and Government 
 Reform, and in addition to the Committee on Homeland Security, for a 
 period to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned.

_______________________________________________________________________

                                 A BILL


 
To amend the Homeland Security Act of 2002 to strengthen the ability of 
  the Secretary of Homeland Security to detect and prevent intrusions 
  against, and to use countermeasures to protect, agency information 
                    systems, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Defense of Federal Networks 
Act of 2015''.

SEC. 2. CYBER DEFENSE OF FEDERAL NETWORKS.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the 
following new sections:

``SEC. 230. CYBERSECURITY PLANS.

    ``(a) Intrusion Detection and Response Plan.--Not later than one 
year after the date of the enactment of this section, the Secretary, in 
coordination with the Director of the Office of Management and Budget, 
shall develop and implement an intrusion detection and response plan to 
detect, identify, and remove intruders in agency information systems. 
The Secretary, in coordination with the Director, shall update such 
plan as necessary.
    ``(b) Exception.--The intrusion detection and response plan 
required under subsection (a) shall not apply to the Department of 
Defense or an element of the intelligence community.
    ``(c) Definitions.--In this section and sections 231, 232, and 233:
            ``(1) Agency.--The term `agency' has the meaning given such 
        term in section 3502 of title 44, United States Code.
            ``(2) Cybersecurity risk.--The term `cybersecurity risk' 
        has the meaning given such term in the second section 226 
        (relating to the national cybersecurity and communications 
        integration center).
            ``(3) Information system.--The term `information system' 
        has the meaning given such term in the second section 226 
        (relating to the national cybersecurity and communications 
        integration center).
            ``(4) Intelligence community.--The term `intelligence 
        community' has the meaning given such term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).

``SEC. 231. ADVANCED INTERNAL DEFENSES.

    ``(a) Advanced Network Security Tools.--
            ``(1) In general.--The Secretary shall include in the 
        Department's efforts to continuously diagnose and mitigate 
        cybersecurity risks advanced network security tools to improve 
        visibility of network activity, including through the use of 
        commercial and free or open source tools, to detect and 
        mitigate intrusions and anomalous activity in agencies' 
        information systems.
            ``(2) Development of plan.--The Secretary, in coordination 
        with the Director of the Office of Management and Budget, shall 
        develop and implement a plan to ensure advanced network 
        security tools, including tools described in paragraph (1), to 
        detect and mitigate intrusions and anomalous activity are 
        available for use by each agency.
    ``(b) Prioritizing Advanced Security Tools.--The Secretary, in 
coordination with the Director of the Office of Management and Budget, 
and in consultation with the heads of appropriate agencies, shall--
            ``(1) review and update operational capabilities to ensure 
        appropriate prioritization and use of network security 
        monitoring tools within such agency networks; and
            ``(2) brief the Committee on Homeland Security of the House 
        of Representatives and the Committee on Homeland Security and 
        Governmental Affairs of the Senate on such prioritization and 
        use.
    ``(c) Improved Metrics.--The Secretary, in coordination with the 
Director of the Office of Management and Budget, shall review and 
update the metrics used to measure security under section 3554 of title 
44, United States Code, to include measures of intrusion and incident 
detection and response times.
    ``(d) Transparency and Accountability.--The Secretary, in 
coordination with the Director of the Office of Management and Budget, 
shall increase transparency to the public on agency cybersecurity 
postures, including by increasing the number of metrics available on 
Federal Government performance websites and, to the greatest extent 
practicable, displaying metrics for agencies.
    ``(e) Maintenance of Technologies.--Subparagraph (B) of section 
3553(b)(6) of title 44, United States Code, is amended by inserting `, 
operating, and maintaining' after `deploying'.

``SEC. 232. FEDERAL CYBERSECURITY BEST PRACTICES.

    ``The Secretary, in consultation with the Director of the Office of 
Management and Budget, shall regularly assess and require 
implementation of best practices for--
            ``(1) securing agency information systems against 
        intrusion; and
            ``(2) preventing data exfiltration from such systems in the 
        event of an intrusion.

``SEC. 233. ASSESSMENT; REPORTS.

    ``(a) Definitions.--In this section:
            ``(1) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means the Committee on 
        Homeland Security of the House of Representatives and the 
        Committee on Homeland Security and Governmental Affairs of the 
        Senate.
            ``(2) Intrusion assessments.--The term `intrusion 
        assessments' means actions taken under the intrusion detection 
        and response plan described in section 230 to detect, identify, 
        and remove intruders in agency information systems.
            ``(3) Intrusion detection and response plan.--The term 
        `intrusion detection and response plan' means the intrusion 
        detection and response plan described in section 230.
    ``(b) GAO Assessment.--Not later than three years after the date of 
the enactment of this section, the Comptroller General of the United 
States shall conduct a study and publish a report on the effectiveness 
of the approach and strategy of the Department's capabilities and plans 
in securing agency information systems, including in the plans and 
assessments under sections 230, 231, and 232.
    ``(c) Report to Congress.--The Secretary, in coordination with the 
Director of the Office of Management and Budget, shall--
            ``(1) not later than six months after the date of the 
        enactment of this section and 30 days after any update thereto, 
        submit to the appropriate congressional committees the 
        intrusion detection and response plan described in section 230; 
        and
            ``(2) not later than one year after the date of the 
        enactment of this section and annually thereafter, submit to 
        Congress--
                    ``(A) a description of the implementation of such 
                intrusion detection and response plan;
                    ``(B) the findings of the intrusion assessments 
                conducted pursuant to such intrusion detection and 
                response plan;
                    ``(C) a description of the advanced network 
                security tools referred to in section 231;
                    ``(D) information relating to the results of the 
                assessment of the Secretary of Federal cybersecurity 
                best practices under section 232; and
                    ``(E) the improved metrics referred to in section 
                231.''.
    (b) Definitions.--Paragraphs (1) and (2) of the second section 226 
of the Homeland Security Act of 2002 (6 U.S.C. 148; relating to the 
national cybersecurity and communications integration center) are 
amended to read as follows:
            ``(1)(A) except as provided in subparagraph (B), the term 
        `cybersecurity risk' means threats to and vulnerabilities of 
        information or information systems and any related consequences 
        caused by or resulting from unauthorized access, use, 
        disclosure, degradation, disruption, modification, or 
        destruction of such information or information systems, 
        including such related consequences caused by an act of 
        terrorism; and
            ``(B) such term does not include any action that solely 
        involves a violation of a consumer term of service or a 
        consumer licensing agreement;
            ``(2) the term `incident' means an occurrence that actually 
        or imminently jeopardizes, without lawful authority, the 
        integrity, confidentiality, or availability of information on 
        an information system, or actually or imminently jeopardizes, 
        without lawful authority, an information system;''.
    (c) Clerical Amendments.--The table of contents for subtitle C of 
title II of the Homeland Security Act of 2002 is amended by adding at 
the end the following new items:

``Sec. 230. Cybersecurity plans.
``Sec. 231. Advanced internal defenses.
``Sec. 232. Federal cybersecurity best practices.
``Sec. 233. Assessment; reports.''.

SEC. 3. DUTIES OF THE SECRETARY OF HOMELAND SECURITY RELATED TO 
              INFORMATION SECURITY.

    Section 3553(b)(6) of title 44, United States Code, is amended by 
striking subparagraphs (C) and (D) and inserting the following:
                    ``(C) providing incident detection, analysis, 
                mitigation, and response information, disseminating 
                related homeland security information, and providing 
                remote or onsite technical assistance to the head of an 
                agency;
                    ``(D) compiling and analyzing data on agency 
                information security and disseminating related homeland 
                security information;
                    ``(E) developing and conducting targeted risk 
                assessments, including assessments of the risk of 
                terrorism, and operational evaluations for agency 
                information and information systems in consultation 
                with the heads of other agencies or governmental and 
                private entities that own and operate such systems, 
                that may include threat, vulnerability, and impact 
                assessments;
                    ``(F) in conjunction with other agencies and the 
                private sector, assessing and fostering the development 
                of information security technologies and capabilities 
                for use across multiple agencies; and
                    ``(G) coordinating with appropriate agencies and 
                officials to ensure, to the maximum extent feasible, 
                that policies and directives issued under paragraph (2) 
                are complementary with--
                            ``(i) standards and guidelines developed 
                        for national security systems; and
                            ``(ii) policies and directives issued by 
                        the Secretary of Defense and the Director of 
                        National Intelligence under subsection (e)(1); 
                        and''.

SEC. 4. DIRECTIVES AND IMMINENT THREATS.

    Section 3553 of title 44, United States Code, is amended by adding 
at the end the following:
    ``(h) Direction to Agencies.--
            ``(1) Authority.--
                    ``(A) In general.--Notwithstanding section 3554, 
                and subject to subparagraph (B), in response to a known 
                or reasonably suspected information security threat, 
                vulnerability, risk, or incident, including an act of 
                terrorism, that represents a substantial threat to the 
                information security of an agency, the Secretary may 
                issue a directive to the head of an agency to take any 
                lawful action with respect to the operation of the 
                information system, including such systems owned or 
                operated by another entity on behalf of an agency, that 
                collects, processes, stores, transmits, disseminates, 
                or otherwise maintains agency information, for the 
                purpose of protecting the information system from, or 
                mitigating, an information security threat or an act of 
                terrorism.
                    ``(B) Exception.--The authorities of the Secretary 
                under this subsection shall not apply to a system 
                described in paragraph (2) or (3) of subsection (e).
            ``(2) Procedures for use of authority.--The Secretary 
        shall--
                    ``(A) in coordination with the Director and in 
                consultation with Federal contractors, as appropriate, 
                establish procedures under which a directive may be 
                issued under this subsection, which shall include--
                            ``(i) thresholds and other criteria;
                            ``(ii) privacy and civil liberties 
                        protections; and
                            ``(iii) providing notice to potentially 
                        affected third parties;
                    ``(B) specify the reasons for the required action 
                and the duration of the directive;
                    ``(C) minimize the impact of a directive under this 
                subsection by--
                            ``(i) adopting the least intrusive means 
                        possible under the circumstances to secure the 
                        agency information systems; and
                            ``(ii) limiting the directive to the 
                        shortest period practicable; and
                    ``(D) notify the Director and the head of any 
                affected agency immediately upon the issuance of a 
                directive under this subsection.
            ``(3) Imminent threats.--
                    ``(A) In general.--If the Secretary determines that 
                there is an imminent threat, including a threat of 
                terrorism, to agency information systems and a 
                directive under this subsection is not reasonably 
                likely to result in a timely response to the threat, 
                the Secretary may authorize the use of protective 
                capabilities under the control of the Secretary for 
                communications or other system traffic transiting to or 
                from or stored on an agency information system without 
                prior consultation with the affected agency for the 
                purpose of ensuring the security of the information, 
                information system, or other agency information 
                systems.
                    ``(B) Limitation on delegation.--The authority 
                under this paragraph may not be delegated to an 
                official in a position lower than an Assistant 
                Secretary of the Department of Homeland Security.
                    ``(C) Notice.--The Secretary shall immediately 
                notify the Director and the head and chief information 
                officer (or equivalent official) of each affected 
                agency of--
                            ``(i) any action taken under this 
                        subsection; and
                            ``(ii) the reasons for and duration and 
                        nature of the action.
                    ``(D) Other law.--Any action of the Secretary under 
                this paragraph shall be consistent with applicable law.
            ``(4) Limitation.--The Secretary may direct or authorize 
        lawful action or protective capability under this subsection 
        only to--
                    ``(A) protect agency information from unauthorized 
                access, use, disclosure, disruption, modification, or 
                destruction; or
                    ``(B) require the remediation of or protect against 
                identified information security risks, including acts 
                of terrorism, with respect to--
                            ``(i) information collected or maintained 
                        by or on behalf of an agency; or
                            ``(ii) that portion of an information 
                        system used or operated by an agency or by a 
                        contractor of an agency or other organization 
                        on behalf of an agency.''.

SEC. 5. REPORT TO CONGRESS REGARDING DHS FUNCTIONS.

    Section 3553 of title 44, United States Code, as amended by section 
3, is further amended by adding at the end the following new 
subsection:
    ``(i) Annual Report to Congress.--Not later than February 1 of 
every year, the Secretary shall report to the Committee on Homeland 
Security of the House of Representatives and the Committee on Homeland 
Security and Governmental Affairs of the Senate, regarding the specific 
actions the Secretary has taken pursuant to subsections (b) and (h).''.