[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 754 Engrossed in Senate (ES)]

<DOC>
114th CONGRESS
  1st Session
                                 S. 754

_______________________________________________________________________

                                 AN ACT
To improve cybersecurity in the United States through enhanced sharing 
  of information about cybersecurity threats, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. TABLE OF CONTENTS.

    The table of contents of this Act is as follows:

Sec. 1. Table of contents.
               TITLE I--CYBERSECURITY INFORMATION SHARING

Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Sharing of information by the Federal Government.
Sec. 104. Authorizations for preventing, detecting, analyzing, and 
                            mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures 
                            with the Federal Government.
Sec. 106. Protection from liability.
Sec. 107. Oversight of Government activities.
Sec. 108. Construction and preemption.
Sec. 109. Report on cybersecurity threats.
Sec. 110. Conforming amendment.
              TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT

Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Improved Federal network security.
Sec. 204. Advanced internal defenses.
Sec. 205. Federal cybersecurity requirements.
Sec. 206. Assessment; reports.
Sec. 207. Termination.
Sec. 208. Identification of information systems relating to national 
                            security.
Sec. 209. Direction to agencies.
         TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

Sec. 301. Short title.
Sec. 302. Definitions.
Sec. 303. National cybersecurity workforce measurement initiative.
Sec. 304. Identification of cyber-related roles of critical need.
Sec. 305. Government Accountability Office status reports.
                     TITLE IV--OTHER CYBER MATTERS

Sec. 401. Study on mobile device security.
Sec. 402. Department of State international cyberspace policy strategy.
Sec. 403. Apprehension and prosecution of international cyber 
                            criminals.
Sec. 404. Enhancement of emergency services.
Sec. 405. Improving cybersecurity in the health care industry.
Sec. 406. Federal computer security.
Sec. 407. Strategy to protect critical infrastructure at greatest risk.
Sec. 408. Stopping the fraudulent sale of financial information of 
                            people of the United States.
Sec. 409. Effective period.

               TITLE I--CYBERSECURITY INFORMATION SHARING

SEC. 101. SHORT TITLE.

    This title may be cited as the ``Cybersecurity Information Sharing 
Act of 2015''.

SEC. 102. DEFINITIONS.

    In this title:
            (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (2) Antitrust laws.--The term ``antitrust laws''--
                    (A) has the meaning given the term in section 1 of 
                the Clayton Act (15 U.S.C. 12);
                    (B) includes section 5 of the Federal Trade 
                Commission Act (15 U.S.C. 45) to the extent that 
                section 5 of that Act applies to unfair methods of 
                competition; and
                    (C) includes any State law that has the same intent 
                and effect as the laws under subparagraphs (A) and (B).
            (3) Appropriate federal entities.--The term ``appropriate 
        Federal entities'' means the following:
                    (A) The Department of Commerce.
                    (B) The Department of Defense.
                    (C) The Department of Energy.
                    (D) The Department of Homeland Security.
                    (E) The Department of Justice.
                    (F) The Department of the Treasury.
                    (G) The Office of the Director of National 
                Intelligence.
            (4) Cybersecurity purpose.--The term ``cybersecurity 
        purpose'' means the purpose of protecting an information system 
        or information that is stored on, processed by, or transiting 
        an information system from a cybersecurity threat or security 
        vulnerability.
            (5) Cybersecurity threat.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the term ``cybersecurity threat'' means an action, 
                not protected by the First Amendment to the 
                Constitution of the United States, on or through an 
                information system that may result in an unauthorized 
                effort to adversely impact the security, availability, 
                confidentiality, or integrity of an information system 
                or information that is stored on, processed by, or 
                transiting an information system.
                    (B) Exclusion.--The term ``cybersecurity threat'' 
                does not include any action that solely involves a 
                violation of a consumer term of service or a consumer 
                licensing agreement.
            (6) Cyber threat indicator.--The term ``cyber threat 
        indicator'' means information that is necessary to describe or 
        identify--
                    (A) malicious reconnaissance, including anomalous 
                patterns of communications that appear to be 
                transmitted for the purpose of gathering technical 
                information related to a cybersecurity threat or 
                security vulnerability;
                    (B) a method of defeating a security control or 
                exploitation of a security vulnerability;
                    (C) a security vulnerability, including anomalous 
                activity that appears to indicate the existence of a 
                security vulnerability;
                    (D) a method of causing a user with legitimate 
                access to an information system or information that is 
                stored on, processed by, or transiting an information 
                system to unwittingly enable the defeat of a security 
                control or exploitation of a security vulnerability;
                    (E) malicious cyber command and control;
                    (F) the actual or potential harm caused by an 
                incident, including a description of the information 
                exfiltrated as a result of a particular cybersecurity 
                threat;
                    (G) any other attribute of a cybersecurity threat, 
                if disclosure of such attribute is not otherwise 
                prohibited by law; or
                    (H) any combination thereof.
            (7) Defensive measure.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the term ``defensive measure'' means an action, 
                device, procedure, signature, technique, or other 
                measure applied to an information system or information 
                that is stored on, processed by, or transiting an 
                information system that detects, prevents, or mitigates 
                a known or suspected cybersecurity threat or security 
                vulnerability.
                    (B) Exclusion.--The term ``defensive measure'' does 
                not include a measure that destroys, renders unusable, 
                provides unauthorized access to, or substantially harms 
                an information system or data on an information system 
                not belonging to--
                            (i) the private entity operating the 
                        measure; or
                            (ii) another entity or Federal entity that 
                        is authorized to provide consent and has 
                        provided consent to that private entity for 
                        operation of such measure.
            (8) Entity.--
                    (A) In general.--Except as otherwise provided in 
                this paragraph, the term ``entity'' means any private 
                entity, non-Federal government agency or department, or 
                State, tribal, or local government (including a 
                political subdivision, department, or component 
                thereof).
                    (B) Inclusions.--The term ``entity'' includes a 
                government agency or department of the District of 
                Columbia, the Commonwealth of Puerto Rico, the Virgin 
                Islands, Guam, American Samoa, the Northern Mariana 
                Islands, and any other territory or possession of the 
                United States.
                    (C) Exclusion.--The term ``entity'' does not 
                include a foreign power as defined in section 101 of 
                the Foreign Intelligence Surveillance Act of 1978 (50 
                U.S.C. 1801).
            (9) Federal entity.--The term ``Federal entity'' means a 
        department or agency of the United States or any component of 
        such department or agency.
            (10) Information system.--The term ``information system''--
                    (A) has the meaning given the term in section 3502 
                of title 44, United States Code; and
                    (B) includes industrial control systems, such as 
                supervisory control and data acquisition systems, 
                distributed control systems, and programmable logic 
                controllers.
            (11) Local government.--The term ``local government'' means 
        any borough, city, county, parish, town, township, village, or 
        other political subdivision of a State.
            (12) Malicious cyber command and control.--The term 
        ``malicious cyber command and control'' means a method for 
        unauthorized remote identification of, access to, or use of, an 
        information system or information that is stored on, processed 
        by, or transiting an information system.
            (13) Malicious reconnaissance.--The term ``malicious 
        reconnaissance'' means a method for actively probing or 
        passively monitoring an information system for the purpose of 
        discerning security vulnerabilities of the information system, 
        if such method is associated with a known or suspected 
        cybersecurity threat.
            (14) Monitor.--The term ``monitor'' means to acquire, 
        identify, or scan, or to possess, information that is stored 
        on, processed by, or transiting an information system.
            (15) Private entity.--
                    (A) In general.--Except as otherwise provided in 
                this paragraph, the term ``private entity'' means any 
                person or private group, organization, proprietorship, 
                partnership, trust, cooperative, corporation, or other 
                commercial or nonprofit entity, including an officer, 
                employee, or agent thereof.
                    (B) Inclusion.--The term ``private entity'' 
                includes a State, tribal, or local government 
                performing electric or other utility services.
                    (C) Exclusion.--The term ``private entity'' does 
                not include a foreign power as defined in section 101 
                of the Foreign Intelligence Surveillance Act of 1978 
                (50 U.S.C. 1801).
            (16) Security control.--The term ``security control'' means 
        the management, operational, and technical controls used to 
        protect against an unauthorized effort to adversely affect the 
        confidentiality, integrity, and availability of an information 
        system or its information.
            (17) Security vulnerability.--The term ``security 
        vulnerability'' means any attribute of hardware, software, 
        process, or procedure that could enable or facilitate the 
        defeat of a security control.
            (18) Tribal.--The term ``tribal'' has the meaning given the 
        term ``Indian tribe'' in section 4 of the Indian Self-
        Determination and Education Assistance Act (25 U.S.C. 450b).

SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.

    (a) In General.--Consistent with the protection of classified 
information, intelligence sources and methods, and privacy and civil 
liberties, the Director of National Intelligence, the Secretary of 
Homeland Security, the Secretary of Defense, and the Attorney General, 
in consultation with the heads of the appropriate Federal entities, 
shall develop and promulgate procedures to facilitate and promote--
            (1) the timely sharing of classified cyber threat 
        indicators in the possession of the Federal Government with 
        cleared representatives of relevant entities;
            (2) the timely sharing with relevant entities of cyber 
        threat indicators or information in the possession of the 
        Federal Government that may be declassified and shared at an 
        unclassified level;
            (3) the sharing with relevant entities, or the public if 
        appropriate, of unclassified, including controlled 
        unclassified, cyber threat indicators in the possession of the 
        Federal Government;
            (4) the sharing with entities, if appropriate, of 
        information in the possession of the Federal Government about 
        cybersecurity threats to such entities to prevent or mitigate 
        adverse effects from such cybersecurity threats; and
            (5) the periodic sharing, through publication and targeted 
        outreach, of cybersecurity best practices that are developed 
        based on ongoing analysis of cyber threat indicators and 
        information in possession of the Federal Government, with 
        attention to accessibility and implementation challenges faced 
        by small business concerns (as defined in section 3 of the 
        Small Business Act (15 U.S.C. 632)).
    (b) Development of Procedures.--
            (1) In general.--The procedures developed and promulgated 
        under subsection (a) shall--
                    (A) ensure the Federal Government has and maintains 
                the capability to share cyber threat indicators in real 
                time consistent with the protection of classified 
                information;
                    (B) incorporate, to the greatest extent 
                practicable, existing processes and existing roles and 
                responsibilities of Federal and non-Federal entities 
                for information sharing by the Federal Government, 
                including sector specific information sharing and 
                analysis centers;
                    (C) include procedures for notifying, in a timely 
                manner, entities that have received a cyber threat 
                indicator from a Federal entity under this title that 
                is known or determined to be in error or in 
                contravention of the requirements of this title or 
                another provision of Federal law or policy of such 
                error or contravention;
                    (D) include requirements for Federal entities 
                sharing cyber threat indicators or defensive measures 
                to implement and utilize security controls to protect 
                against unauthorized access to or acquisition of such 
                cyber threat indicators or defensive measures;
                    (E) include procedures that require a Federal 
                entity, prior to the sharing of a cyber threat 
                indicator--
                            (i) to review such cyber threat indicator 
                        to assess whether such cyber threat indicator 
                        contains any information that such Federal 
                        entity knows at the time of sharing to be 
                        personal information or information that 
                        identifies a specific person not directly 
                        related to a cybersecurity threat and remove 
                        such information; or
                            (ii) to implement and utilize a technical 
                        capability configured to remove any personal 
                        information or information that identifies a 
                        specific person not directly related to a 
                        cybersecurity threat; and
                    (F) include procedures for notifying, in a timely 
                manner, any United States person whose personal 
                information is known or determined to have been shared 
                by a Federal entity in violation of this Act.
            (2) Coordination.--In developing the procedures required 
        under this section, the Director of National Intelligence, the 
        Secretary of Homeland Security, the Secretary of Defense, and 
        the Attorney General shall coordinate with appropriate Federal 
        entities, including the Small Business Administration and the 
        National Laboratories (as defined in section 2 of the Energy 
        Policy Act of 2005 (42 U.S.C. 15801)), to ensure that effective 
        protocols are implemented that will facilitate and promote the 
        sharing of cyber threat indicators by the Federal Government in 
        a timely manner.
    (c) Submittal to Congress.--Not later than 60 days after the date 
of the enactment of this Act, the Director of National Intelligence, in 
consultation with the heads of the appropriate Federal entities, shall 
submit to Congress the procedures required by subsection (a).

SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND 
              MITIGATING CYBERSECURITY THREATS.

    (a) Authorization for Monitoring.--
            (1) In general.--Notwithstanding any other provision of 
        law, a private entity may, for cybersecurity purposes, 
        monitor--
                    (A) an information system of such private entity;
                    (B) an information system of another entity, upon 
                the authorization and written consent of such other 
                entity;
                    (C) an information system of a Federal entity, upon 
                the authorization and written consent of an authorized 
                representative of the Federal entity; and
                    (D) information that is stored on, processed by, or 
                transiting an information system monitored by the 
                private entity under this paragraph.
            (2) Construction.--Nothing in this subsection shall be 
        construed--
                    (A) to authorize the monitoring of an information 
                system, or the use of any information obtained through 
                such monitoring, other than as provided in this title; 
                or
                    (B) to limit otherwise lawful activity.
    (b) Authorization for Operation of Defensive Measures.--
            (1) In general.--Notwithstanding any other provision of 
        law, a private entity may, for cybersecurity purposes, operate 
        a defensive measure that is applied to--
                    (A) an information system of such private entity in 
                order to protect the rights or property of the private 
                entity;
                    (B) an information system of another entity upon 
                written consent of such entity for operation of such 
                defensive measure to protect the rights or property of 
                such entity; and
                    (C) an information system of a Federal entity upon 
                written consent of an authorized representative of such 
                Federal entity for operation of such defensive measure 
                to protect the rights or property of the Federal 
                Government.
            (2) Construction.--Nothing in this subsection shall be 
        construed--
                    (A) to authorize the use of a defensive measure 
                other than as provided in this subsection; or
                    (B) to limit otherwise lawful activity.
    (c) Authorization for Sharing or Receiving Cyber Threat Indicators 
or Defensive Measures.--
            (1) In general.--Except as provided in paragraph (2) and 
        notwithstanding any other provision of law, an entity may, for 
        a cybersecurity purpose and consistent with the protection of 
        classified information, share with, or receive from, any other 
        entity or the Federal Government a cyber threat indicator or 
        defensive measure.
            (2) Lawful restriction.--An entity receiving a cyber threat 
        indicator or defensive measure from another entity or Federal 
        entity shall comply with otherwise lawful restrictions placed 
        on the sharing or use of such cyber threat indicator or 
        defensive measure by the sharing entity or Federal entity.
            (3) Construction.--Nothing in this subsection shall be 
        construed--
                    (A) to authorize the sharing or receiving of a 
                cyber threat indicator or defensive measure other than 
                as provided in this subsection; or
                    (B) to limit otherwise lawful activity.
    (d) Protection and Use of Information.--
            (1) Security of information.--An entity monitoring an 
        information system, operating a defensive measure, or providing 
        or receiving a cyber threat indicator or defensive measure 
        under this section shall implement and utilize a security 
        control to protect against unauthorized access to or 
        acquisition of such cyber threat indicator or defensive 
        measure.
            (2) Removal of certain personal information.--An entity 
        sharing a cyber threat indicator pursuant to this title shall, 
        prior to such sharing--
                    (A) review such cyber threat indicator to assess 
                whether such cyber threat indicator contains any 
                information that the entity knows at the time of 
                sharing to be personal information or information that 
                identifies a specific person not directly related to a 
                cybersecurity threat and remove such information; or
                    (B) implement and utilize a technical capability 
                configured to remove any information contained within 
                such indicator that the entity knows at the time of 
                sharing to be personal information or information that 
                identifies a specific person not directly related to a 
                cybersecurity threat.
            (3) Use of cyber threat indicators and defensive measures 
        by entities.--
                    (A) In general.--Consistent with this title, a 
                cyber threat indicator or defensive measure shared or 
                received under this section may, for cybersecurity 
                purposes--
                            (i) be used by an entity to monitor or 
                        operate a defensive measure that is applied 
                        to--
                                    (I) an information system of the 
                                entity; or
                                    (II) an information system of 
                                another entity or a Federal entity upon 
                                the written consent of that other 
                                entity or that Federal entity; and
                            (ii) be otherwise used, retained, and 
                        further shared by an entity subject to--
                                    (I) an otherwise lawful restriction 
                                placed by the sharing entity or Federal 
                                entity on such cyber threat indicator 
                                or defensive measure; or
                                    (II) an otherwise applicable 
                                provision of law.
                    (B) Construction.--Nothing in this paragraph shall 
                be construed to authorize the use of a cyber threat 
                indicator or defensive measure other than as provided 
                in this section.
            (4) Use of cyber threat indicators by state, tribal, or 
        local government.--
                    (A) Law enforcement use.--
                            (i) Prior written consent.--Except as 
                        provided in clause (ii), a cyber threat 
                        indicator shared with a State, tribal, or local 
                        government under this section may, with the 
                        prior written consent of the entity sharing 
                        such indicator, be used by a State, tribal, or 
                        local government for the purpose of preventing, 
                        investigating, or prosecuting any of the 
                        offenses described in section 105(d)(5)(A)(vi).
                            (ii) Oral consent.--If exigent 
                        circumstances prevent obtaining written consent 
                        under clause (i), such consent may be provided 
                        orally with subsequent documentation of the 
                        consent.
                    (B) Exemption from disclosure.--A cyber threat 
                indicator shared with a State, tribal, or local 
                government under this section shall be--
                            (i) deemed voluntarily shared information; 
                        and
                            (ii) exempt from disclosure under any 
                        State, tribal, or local law requiring 
                        disclosure of information or records.
                    (C) State, tribal, and local regulatory 
                authority.--
                            (i) In general.--Except as provided in 
                        clause (ii), a cyber threat indicator or 
                        defensive measure shared with a State, tribal, 
                        or local government under this title shall not 
                        be directly used by any State, tribal, or local 
                        government to regulate, including an 
                        enforcement action, the lawful activity of any 
                        entity, including an activity relating to 
                        monitoring, operating a defensive measure, or 
                        sharing of a cyber threat indicator.
                            (ii) Regulatory authority specifically 
                        relating to prevention or mitigation of 
                        cybersecurity threats.--A cyber threat 
                        indicator or defensive measure shared as 
                        described in clause (i) may, consistent with a 
                        State, tribal, or local government regulatory 
                        authority specifically relating to the 
                        prevention or mitigation of cybersecurity 
                        threats to information systems, inform the 
                        development or implementation of a regulation 
                        relating to such information systems.
    (e) Antitrust Exemption.--
            (1) In general.--Except as provided in section 108(e), it 
        shall not be considered a violation of any provision of 
        antitrust laws for 2 or more private entities to exchange or 
        provide a cyber threat indicator, or assistance relating to the 
        prevention, investigation, or mitigation of a cybersecurity 
        threat, for cybersecurity purposes under this title.
            (2) Applicability.--Paragraph (1) shall apply only to 
        information that is exchanged or assistance provided in order 
        to assist with--
                    (A) facilitating the prevention, investigation, or 
                mitigation of a cybersecurity threat to an information 
                system or information that is stored on, processed by, 
                or transiting an information system; or
                    (B) communicating or disclosing a cyber threat 
                indicator to help prevent, investigate, or mitigate the 
                effect of a cybersecurity threat to an information 
                system or information that is stored on, processed by, 
                or transiting an information system.
    (f) No Right or Benefit.--The sharing of a cyber threat indicator 
with an entity under this title shall not create a right or benefit to 
similar information by such entity or any other entity.

SEC. 105. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES 
              WITH THE FEDERAL GOVERNMENT.

    (a) Requirement for Policies and Procedures.--
            (1) Interim policies and procedures.--Not later than 60 
        days after the date of the enactment of this Act, the Attorney 
        General and the Secretary of Homeland Security shall, in 
        coordination with the heads of the appropriate Federal 
        entities, develop and submit to Congress interim policies and 
        procedures relating to the receipt of cyber threat indicators 
        and defensive measures by the Federal Government.
            (2) Final policies and procedures.--Not later than 180 days 
        after the date of the enactment of this Act, the Attorney 
        General and the Secretary of Homeland Security shall, in 
        coordination with the heads of the appropriate Federal 
        entities, promulgate final policies and procedures relating to 
        the receipt of cyber threat indicators and defensive measures 
        by the Federal Government.
            (3) Requirements concerning policies and procedures.--
        Consistent with the guidelines required by subsection (b), the 
        policies and procedures developed and promulgated under this 
        subsection shall--
                    (A) ensure that cyber threat indicators shared with 
                the Federal Government by any entity pursuant to 
                section 104(c) through the real-time process described 
                in subsection (c) of this section--
                            (i) are shared in an automated manner with 
                        all of the appropriate Federal entities;
                            (ii) are only subject to a delay, 
                        modification, or other action due to controls 
                        established for such real-time process that 
                        could impede real-time receipt by all of the 
                        appropriate Federal entities when the delay, 
                        modification, or other action is due to 
                        controls--
                                    (I) agreed upon unanimously by all 
                                of the heads of the appropriate Federal 
                                entities;
                                    (II) carried out before any of the 
                                appropriate Federal entities retains or 
                                uses the cyber threat indicators or 
                                defensive measures; and
                                    (III) uniformly applied such that 
                                each of the appropriate Federal 
                                entities is subject to the same delay, 
                                modification, or other action; and
                            (iii) may be provided to other Federal 
                        entities;
                    (B) ensure that cyber threat indicators shared with 
                the Federal Government by any entity pursuant to 
                section 104 in a manner other than the real time 
                process described in subsection (c) of this section--
                            (i) are shared as quickly as operationally 
                        practicable with all of the appropriate Federal 
                        entities;
                            (ii) are not subject to any unnecessary 
                        delay, interference, or any other action that 
                        could impede receipt by all of the appropriate 
                        Federal entities; and
                            (iii) may be provided to other Federal 
                        entities;
                    (C) consistent with this title, any other 
                applicable provisions of law, and the fair information 
                practice principles set forth in appendix A of the 
                document entitled ``National Strategy for Trusted 
                Identities in Cyberspace'' and published by the 
                President in April, 2011, govern the retention, use, 
                and dissemination by the Federal Government of cyber 
                threat indicators shared with the Federal Government 
                under this title, including the extent, if any, to 
                which such cyber threat indicators may be used by the 
                Federal Government; and
                    (D) ensure there are--
                            (i) audit capabilities; and
                            (ii) appropriate sanctions in place for 
                        officers, employees, or agents of a Federal 
                        entity who knowingly and willfully conduct 
                        activities under this title in an unauthorized 
                        manner.
            (4) Guidelines for entities sharing cyber threat indicators 
        with federal government.--
                    (A) In general.--Not later than 60 days after the 
                date of the enactment of this Act, the Attorney General 
                and the Secretary of Homeland Security shall develop 
                and make publicly available guidance to assist entities 
                and promote sharing of cyber threat indicators with 
                Federal entities under this title.
                    (B) Contents.--The guidelines developed and made 
                publicly available under subparagraph (A) shall include 
                guidance on the following:
                            (i) Identification of types of information 
                        that would qualify as a cyber threat indicator 
                        under this title that would be unlikely to 
                        include personal information or information 
                        that identifies a specific person not directly 
                        related to a cyber security threat.
                            (ii) Identification of types of information 
                        protected under otherwise applicable privacy 
                        laws that are unlikely to be directly related 
                        to a cybersecurity threat.
                            (iii) Such other matters as the Attorney 
                        General and the Secretary of Homeland Security 
                        consider appropriate for entities sharing cyber 
                        threat indicators with Federal entities under 
                        this title.
    (b) Privacy and Civil Liberties.--
            (1) Guidelines of attorney general.--Not later than 60 days 
        after the date of the enactment of this Act, the Attorney 
        General shall, in coordination with heads of the appropriate 
        Federal entities and in consultation with officers designated 
        under section 1062 of the National Security Intelligence Reform 
        Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to Congress, 
        and make available to the public interim guidelines relating to 
        privacy and civil liberties which shall govern the receipt, 
        retention, use, and dissemination of cyber threat indicators by 
        a Federal entity obtained in connection with activities 
        authorized in this title.
            (2) Final guidelines.--
                    (A) In general.--Not later than 180 days after the 
                date of the enactment of this Act, the Attorney General 
                shall, in coordination with heads of the appropriate 
                Federal entities and in consultation with officers 
                designated under section 1062 of the National Security 
                Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1) 
                and such private entities with industry expertise as 
                the Attorney General considers relevant, promulgate 
                final guidelines relating to privacy and civil 
                liberties which shall govern the receipt, retention, 
                use, and dissemination of cyber threat indicators by a 
                Federal entity obtained in connection with activities 
                authorized in this title.
                    (B) Periodic review.--The Attorney General shall, 
                in coordination with heads of the appropriate Federal 
                entities and in consultation with officers and private 
                entities described in subparagraph (A), periodically, 
                but not less frequently than once every two years, 
                review the guidelines promulgated under subparagraph 
                (A).
            (3) Content.--The guidelines required by paragraphs (1) and 
        (2) shall, consistent with the need to protect information 
        systems from cybersecurity threats and mitigate cybersecurity 
        threats--
                    (A) limit the effect on privacy and civil liberties 
                of activities by the Federal Government under this 
                title;
                    (B) limit the receipt, retention, use, and 
                dissemination of cyber threat indicators containing 
                personal information or information that identifies 
                specific persons, including by establishing--
                            (i) a process for the timely destruction of 
                        such information that is known not to be 
                        directly related to uses authorized under this 
                        title; and
                            (ii) specific limitations on the length of 
                        any period in which a cyber threat indicator 
                        may be retained;
                    (C) include requirements to safeguard cyber threat 
                indicators containing personal information or 
                information that identifies specific persons from 
                unauthorized access or acquisition, including 
                appropriate sanctions for activities by officers, 
                employees, or agents of the Federal Government in 
                contravention of such guidelines;
                    (D) include procedures for notifying entities and 
                Federal entities if information received pursuant to 
                this section is known or determined by a Federal entity 
                receiving such information not to constitute a cyber 
                threat indicator;
                    (E) protect the confidentiality of cyber threat 
                indicators containing personal information or 
                information that identifies specific persons to the 
                greatest extent practicable and require recipients to 
                be informed that such indicators may only be used for 
                purposes authorized under this title; and
                    (F) include steps that may be needed so that 
                dissemination of cyber threat indicators is consistent 
                with the protection of classified and other sensitive 
                national security information.
    (c) Capability and Process Within the Department of Homeland 
Security.--
            (1) In general.--Not later than 90 days after the date of 
        the enactment of this Act, the Secretary of Homeland Security, 
        in coordination with the heads of the appropriate Federal 
        entities, shall develop and implement a capability and process 
        within the Department of Homeland Security that--
                    (A) shall accept from any entity in real time cyber 
                threat indicators and defensive measures, pursuant to 
                this section;
                    (B) shall, upon submittal of the certification 
                under paragraph (2) that such capability and process 
                fully and effectively operates as described in such 
                paragraph, be the process by which the Federal 
                Government receives cyber threat indicators and 
                defensive measures under this title that are shared by 
                a private entity with the Federal Government through 
                electronic mail or media, an interactive form on an 
                Internet website, or a real time, automated process 
                between information systems except--
                            (i) consistent with section 104, 
                        communications between a Federal entity and a 
                        private entity regarding a previously shared 
                        cyber threat indicator to describe the relevant 
                        cybersecurity threat or develop a defensive 
                        measure based on such cyber threat indicator; 
                        and
                            (ii) communications by a regulated entity 
                        with such entity's Federal regulatory authority 
                        regarding a cybersecurity threat;
                    (C) ensures that all of the appropriate Federal 
                entities receive in an automated manner such cyber 
                threat indicators shared through the real-time process 
                within the Department of Homeland Security;
                    (D) is in compliance with the policies, procedures, 
                and guidelines required by this section; and
                    (E) does not limit or prohibit otherwise lawful 
                disclosures of communications, records, or other 
                information, including--
                            (i) reporting of known or suspected 
                        criminal activity, by an entity to any other 
                        entity or a Federal entity;
                            (ii) voluntary or legally compelled 
                        participation in a Federal investigation; and
                            (iii) providing cyber threat indicators or 
                        defensive measures as part of a statutory or 
                        authorized contractual requirement.
            (2) Certification.--Not later than 10 days prior to the 
        implementation of the capability and process required by 
        paragraph (1), the Secretary of Homeland Security shall, in 
        consultation with the heads of the appropriate Federal 
        entities, certify to Congress whether such capability and 
        process fully and effectively operates--
                    (A) as the process by which the Federal Government 
                receives from any entity a cyber threat indicator or 
                defensive measure under this title; and
                    (B) in accordance with the policies, procedures, 
                and guidelines developed under this section.
            (3) Public notice and access.--The Secretary of Homeland 
        Security shall ensure there is public notice of, and access to, 
        the capability and process developed and implemented under 
        paragraph (1) so that--
                    (A) any entity may share cyber threat indicators 
                and defensive measures through such process with the 
                Federal Government; and
                    (B) all of the appropriate Federal entities receive 
                such cyber threat indicators and defensive measures in 
                real time with receipt through the process within the 
                Department of Homeland Security.
            (4) Other federal entities.--The process developed and 
        implemented under paragraph (1) shall ensure that other Federal 
        entities receive in a timely manner any cyber threat indicators 
        and defensive measures shared with the Federal Government 
        through such process.
            (5) Report on development and implementation.--
                    (A) In general.--Not later than 60 days after the 
                date of the enactment of this Act, the Secretary of 
                Homeland Security shall submit to Congress a report on 
                the development and implementation of the capability 
                and process required by paragraph (1), including a 
                description of such capability and process and the 
                public notice of, and access to, such process.
                    (B) Classified annex.--The report required by 
                subparagraph (A) shall be submitted in unclassified 
                form, but may include a classified annex.
    (d) Information Shared With or Provided to the Federal 
Government.--
            (1) No waiver of privilege or protection.--The provision of 
        cyber threat indicators and defensive measures to the Federal 
        Government under this title shall not constitute a waiver of 
        any applicable privilege or protection provided by law, 
        including trade secret protection.
            (2) Proprietary information.--Consistent with section 
        104(c)(2), a cyber threat indicator or defensive measure 
        provided by an entity to the Federal Government under this 
        title shall be considered the commercial, financial, and 
        proprietary information of such entity when so designated by 
        the originating entity or a third party acting in accordance 
        with the written authorization of the originating entity.
            (3) Exemption from disclosure.--Cyber threat indicators and 
        defensive measures provided to the Federal Government under 
        this title shall be--
                    (A) deemed voluntarily shared information and 
                exempt from disclosure under section 552 of title 5, 
                United States Code, and any State, tribal, or local law 
                requiring disclosure of information or records; and
                    (B) withheld, without discretion, from the public 
                under section 552(b)(3)(B) of title 5, United States 
                Code, and any State, tribal, or local provision of law 
                requiring disclosure of information or records.
            (4) Ex parte communications.--The provision of a cyber 
        threat indicator or defensive measure to the Federal Government 
        under this title shall not be subject to a rule of any Federal 
        agency or department or any judicial doctrine regarding ex 
        parte communications with a decision-making official.
            (5) Disclosure, retention, and use.--
                    (A) Authorized activities.--Cyber threat indicators 
                and defensive measures provided to the Federal 
                Government under this title may be disclosed to, 
                retained by, and used by, consistent with otherwise 
                applicable provisions of Federal law, any Federal 
                agency or department, component, officer, employee, or 
                agent of the Federal Government solely for--
                            (i) a cybersecurity purpose;
                            (ii) the purpose of identifying a 
                        cybersecurity threat, including the source of 
                        such cybersecurity threat, or a security 
                        vulnerability;
                            (iii) the purpose of identifying a 
                        cybersecurity threat involving the use of an 
                        information system by a foreign adversary or 
                        terrorist;
                            (iv) the purpose of responding to, or 
                        otherwise preventing or mitigating, an imminent 
                        threat of death, serious bodily harm, or 
                        serious economic harm, including a terrorist 
                        act or a use of a weapon of mass destruction;
                            (v) the purpose of responding to, or 
                        otherwise preventing or mitigating, a serious 
                        threat to a minor, including sexual 
                        exploitation and threats to physical safety; or
                            (vi) the purpose of preventing, 
                        investigating, disrupting, or prosecuting an 
                        offense arising out of a threat described in 
                        clause (iv) or any of the offenses listed in--
                                    (I) sections 1028 through 1030 of 
                                title 18, United States Code (relating 
                                to fraud and identity theft);
                                    (II) chapter 37 of such title 
                                (relating to espionage and censorship); 
                                and
                                    (III) chapter 90 of such title 
                                (relating to protection of trade 
                                secrets).
                    (B) Prohibited activities.--Cyber threat indicators 
                and defensive measures provided to the Federal 
                Government under this title shall not be disclosed to, 
                retained by, or used by any Federal agency or 
                department for any use not permitted under subparagraph 
                (A).
                    (C) Privacy and civil liberties.--Cyber threat 
                indicators and defensive measures provided to the 
                Federal Government under this title shall be retained, 
                used, and disseminated by the Federal Government--
                            (i) in accordance with the policies, 
                        procedures, and guidelines required by 
                        subsections (a) and (b);
                            (ii) in a manner that protects from 
                        unauthorized use or disclosure any cyber threat 
                        indicators that may contain personal 
                        information or information that identifies 
                        specific persons; and
                            (iii) in a manner that protects the 
                        confidentiality of cyber threat indicators 
                        containing personal information or information 
                        that identifies a specific person.
                    (D) Federal regulatory authority.--
                            (i) In general.--Except as provided in 
                        clause (ii), cyber threat indicators and 
                        defensive measures provided to the Federal 
                        Government under this title shall not be 
                        directly used by any Federal, State, tribal, or 
                        local government to regulate, including an 
                        enforcement action, the lawful activities of 
                        any entity, including activities relating to 
                        monitoring, operating defensive measures, or 
                        sharing cyber threat indicators.
                            (ii) Exceptions.--
                                    (I) Regulatory authority 
                                specifically relating to prevention or 
                                mitigation of cybersecurity threats.--
                                Cyber threat indicators and defensive 
                                measures provided to the Federal 
                                Government under this title may, 
                                consistent with Federal or State 
                                regulatory authority specifically 
                                relating to the prevention or 
                                mitigation of cybersecurity threats to 
                                information systems, inform the 
                                development or implementation of 
                                regulations relating to such 
                                information systems.
                                    (II) Procedures developed and 
                                implemented under this title.--Clause 
                                (i) shall not apply to procedures 
                                developed and implemented under this 
                                title.

SEC. 106. PROTECTION FROM LIABILITY.

    (a) Monitoring of Information Systems.--No cause of action shall 
lie or be maintained in any court against any private entity, and such 
action shall be promptly dismissed, for the monitoring of information 
systems and information under section 104(a) that is conducted in 
accordance with this title.
    (b) Sharing or Receipt of Cyber Threat Indicators.--No cause of 
action shall lie or be maintained in any court against any entity, and 
such action shall be promptly dismissed, for the sharing or receipt of 
cyber threat indicators or defensive measures under section 104(c) if--
            (1) such sharing or receipt is conducted in accordance with 
        this title; and
            (2) in a case in which a cyber threat indicator or 
        defensive measure is shared with the Federal Government, the 
        cyber threat indicator or defensive measure is shared in a 
        manner that is consistent with section 105(c)(1)(B) and the 
        sharing or receipt, as the case may be, occurs after the 
        earlier of--
                    (A) the date on which the interim policies and 
                procedures are submitted to Congress under section 
                105(a)(1) and guidelines are submitted to Congress 
                under section 105(b)(1); or
                    (B) the date that is 60 days after the date of the 
                enactment of this Act.
    (c) Construction.--Nothing in this section shall be construed--
            (1) to require dismissal of a cause of action against an 
        entity that has engaged in gross negligence or willful 
        misconduct in the course of conducting activities authorized by 
        this title; or
            (2) to undermine or limit the availability of otherwise 
        applicable common law or statutory defenses.

SEC. 107. OVERSIGHT OF GOVERNMENT ACTIVITIES.

    (a) Biennial Report on Implementation.--
            (1) In general.--Not later than 1 year after the date of 
        the enactment of this Act, and not less frequently than once 
        every 2 years thereafter, the heads of the appropriate Federal 
        entities shall jointly submit and the Inspector General of the 
        Department of Homeland Security, the Inspector General of the 
        Intelligence Community, the Inspector General of the Department 
        of Justice, the Inspector General of the Department of Defense, 
        and the Inspector General of the Department of Energy, in 
        consultation with the Council of Inspectors General on 
        Financial Oversight, shall jointly submit to Congress a 
        detailed report concerning the implementation of this title 
        during--
                    (A) in the case of the first report submitted under 
                this paragraph, the most recent 1-year period; and
                    (B) in the case of any subsequent report submitted 
                under this paragraph, the most recent 2-year period.
            (2) Contents.--Each report submitted under paragraph (1) 
        shall include, for the period covered by the report, the 
        following:
                    (A) An assessment of the sufficiency of the 
                policies, procedures, and guidelines required by 
                section 105 in ensuring that cyber threat indicators 
                are shared effectively and responsibly within the 
                Federal Government.
                    (B) An evaluation of the effectiveness of real-time 
                information sharing through the capability and process 
                developed under section 105(c), including any 
                impediments to such real-time sharing.
                    (C) An assessment of the sufficiency of the 
                procedures developed under section 103 in ensuring that 
                cyber threat indicators in the possession of the 
                Federal Government are shared in a timely and adequate 
                manner with appropriate entities, or, if appropriate, 
                are made publicly available.
                    (D) An assessment of whether cyber threat 
                indicators have been properly classified and an 
                accounting of the number of security clearances 
                authorized by the Federal Government for the purposes 
                of this title.
                    (E) A review of the type of cyber threat indicators 
                shared with the appropriate Federal entities under this 
                title, including the following:
                            (i) The number of cyber threat indicators 
                        received through the capability and process 
                        developed under section 105(c).
                            (ii) The number of times that information 
                        shared under this title was used by a Federal 
                        entity to prosecute an offense consistent with 
                        section 105(d)(5)(A).
                            (iii) The degree to which such information 
                        may affect the privacy and civil liberties of 
                        specific persons.
                            (iv) A quantitative and qualitative 
                        assessment of the effect of the sharing of such 
                        cyber threat indicators with the Federal 
                        Government on privacy and civil liberties of 
                        specific persons, including the number of 
                        notices that were issued with respect to a 
                        failure to remove personal information or 
                        information that identified a specific person 
                        not directly related to a cybersecurity threat 
                        in accordance with the procedures required by 
                        section 105(b)(3)(D).
                            (v) The adequacy of any steps taken by the 
                        Federal Government to reduce such effect.
                    (F) A review of actions taken by the Federal 
                Government based on cyber threat indicators shared with 
                the Federal Government under this title, including the 
                appropriateness of any subsequent use or dissemination 
                of such cyber threat indicators by a Federal entity 
                under section 105.
                    (G) A description of any significant violations of 
                the requirements of this title by the Federal 
                Government.
                    (H) A summary of the number and type of entities 
                that received classified cyber threat indicators from 
                the Federal Government under this title and an 
                evaluation of the risks and benefits of sharing such 
                cyber threat indicators.
            (3) Recommendations.--Each report submitted under paragraph 
        (1) may include recommendations for improvements or 
        modifications to the authorities and processes under this 
        title.
            (4) Form of report.--Each report required by paragraph (1) 
        shall be submitted in unclassified form, but may include a 
        classified annex.
    (b) Reports on Privacy and Civil Liberties.--
            (1) Biennial report from privacy and civil liberties 
        oversight board.--Not later than 2 years after the date of the 
        enactment of this Act and not less frequently than once every 2 
        years thereafter, the Privacy and Civil Liberties Oversight 
        Board shall submit to Congress and the President a report 
        providing--
                    (A) an assessment of the effect on privacy and 
                civil liberties by the type of activities carried out 
                under this title; and
                    (B) an assessment of the sufficiency of the 
                policies, procedures, and guidelines established 
                pursuant to section 105 in addressing concerns relating 
                to privacy and civil liberties.
            (2) Biennial report of inspectors general.--
                    (A) In general.--Not later than 2 years after the 
                date of the enactment of this Act and not less 
                frequently than once every 2 years thereafter, the 
                Inspector General of the Department of Homeland 
                Security, the Inspector General of the Intelligence 
                Community, the Inspector General of the Department of 
                Justice, the Inspector General of the Department of 
                Defense, and the Inspector General of the Department of 
                Energy shall, in consultation with the Council of 
                Inspectors General on Financial Oversight, jointly 
                submit to Congress a report on the receipt, use, and 
                dissemination of cyber threat indicators and defensive 
                measures that have been shared with Federal entities 
                under this title.
                    (B) Contents.--Each report submitted under 
                subparagraph (A) shall include the following:
                            (i) A review of the types of cyber threat 
                        indicators shared with Federal entities.
                            (ii) A review of the actions taken by 
                        Federal entities as a result of the receipt of 
                        such cyber threat indicators.
                            (iii) A list of Federal entities receiving 
                        such cyber threat indicators.
                            (iv) A review of the sharing of such cyber 
                        threat indicators among Federal entities to 
                        identify inappropriate barriers to sharing 
                        information.
            (3) Recommendations.--Each report submitted under this 
        subsection may include such recommendations as the Privacy and 
        Civil Liberties Oversight Board, with respect to a report 
        submitted under paragraph (1), or the Inspectors General 
        referred to in paragraph (2)(A), with respect to a report 
        submitted under paragraph (2), may have for improvements or 
        modifications to the authorities under this title.
            (4) Form.--Each report required under this subsection shall 
        be submitted in unclassified form, but may include a classified 
        annex.

SEC. 108. CONSTRUCTION AND PREEMPTION.

    (a) Otherwise Lawful Disclosures.--Nothing in this title shall be 
construed--
            (1) to limit or prohibit otherwise lawful disclosures of 
        communications, records, or other information, including 
        reporting of known or suspected criminal activity, by an entity 
        to any other entity or the Federal Government under this title; 
        or
            (2) to limit or prohibit otherwise lawful use of such 
        disclosures by any Federal entity, even when such otherwise 
        lawful disclosures duplicate or replicate disclosures made 
        under this title.
    (b) Whistle Blower Protections.--Nothing in this title shall be 
construed to prohibit or limit the disclosure of information protected 
under section 2302(b)(8) of title 5, United States Code (governing 
disclosures of illegality, waste, fraud, abuse, or public health or 
safety threats), section 7211 of title 5, United States Code (governing 
disclosures to Congress), section 1034 of title 10, United States Code 
(governing disclosure to Congress by members of the military), section 
1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing 
disclosure by employees of elements of the intelligence community), or 
any similar provision of Federal or State law.
    (c) Protection of Sources and Methods.--Nothing in this title shall 
be construed--
            (1) as creating any immunity against, or otherwise 
        affecting, any action brought by the Federal Government, or any 
        agency or department thereof, to enforce any law, executive 
        order, or procedure governing the appropriate handling, 
        disclosure, or use of classified information;
            (2) to affect the conduct of authorized law enforcement or 
        intelligence activities; or
            (3) to modify the authority of a department or agency of 
        the Federal Government to protect classified information and 
        sources and methods and the national security of the United 
        States.
    (d) Relationship to Other Laws.--Nothing in this title shall be 
construed to affect any requirement under any other provision of law 
for an entity to provide information to the Federal Government.
    (e) Prohibited Conduct.--Nothing in this title shall be construed 
to permit price-fixing, allocating a market between competitors, 
monopolizing or attempting to monopolize a market, boycotting, or 
exchanges of price or cost information, customer lists, or information 
regarding future competitive planning.
    (f) Information Sharing Relationships.--Nothing in this title shall 
be construed--
            (1) to limit or modify an existing information sharing 
        relationship;
            (2) to prohibit a new information sharing relationship;
            (3) to require a new information sharing relationship 
        between any entity and another entity or a Federal entity; or
            (4) to require the use of the capability and process within 
        the Department of Homeland Security developed under section 
        105(c).
    (g) Preservation of Contractual Obligations and Rights.--Nothing in 
this title shall be construed--
            (1) to amend, repeal, or supersede any current or future 
        contractual agreement, terms of service agreement, or other 
        contractual relationship between any entities, or between any 
        entity and a Federal entity; or
            (2) to abrogate trade secret or intellectual property 
        rights of any entity or Federal entity.
    (h) Anti-tasking Restriction.--Nothing in this title shall be 
construed to permit a Federal entity--
            (1) to require an entity to provide information to a 
        Federal entity or another entity;
            (2) to condition the sharing of cyber threat indicators 
        with an entity on such entity's provision of cyber threat 
        indicators to a Federal entity or another entity; or
            (3) to condition the award of any Federal grant, contract, 
        or purchase on the provision of a cyber threat indicator to a 
        Federal entity or another entity.
    (i) No Liability for Non-participation.--Nothing in this title 
shall be construed to subject any entity to liability for choosing not 
to engage in the voluntary activities authorized in this title.
    (j) Use and Retention of Information.--Nothing in this title shall 
be construed to authorize, or to modify any existing authority of, a 
department or agency of the Federal Government to retain or use any 
information shared under this title for any use other than permitted in 
this title.
    (k) Federal Preemption.--
            (1) In general.--This title supersedes any statute or other 
        provision of law of a State or political subdivision of a State 
        that restricts or otherwise expressly regulates an activity 
        authorized under this title.
            (2) State law enforcement.--Nothing in this title shall be 
        construed to supersede any statute or other provision of law of 
        a State or political subdivision of a State concerning the use 
        of authorized law enforcement practices and procedures.
    (l) Regulatory Authority.--Nothing in this title shall be 
construed--
            (1) to authorize the promulgation of any regulations not 
        specifically authorized by this title;
            (2) to establish or limit any regulatory authority not 
        specifically established or limited under this title; or
            (3) to authorize regulatory actions that would duplicate or 
        conflict with regulatory requirements, mandatory standards, or 
        related processes under another provision of Federal law.
    (m) Authority of Secretary of Defense To Respond to Cyber 
Attacks.--Nothing in this title shall be construed to limit the 
authority of the Secretary of Defense to develop, prepare, coordinate, 
or, when authorized by the President to do so, conduct a military cyber 
operation in response to a malicious cyber activity carried out against 
the United States or a United States person by a foreign government or 
an organization sponsored by a foreign government or a terrorist 
organization.

SEC. 109. REPORT ON CYBERSECURITY THREATS.

    (a) Report Required.--Not later than 180 days after the date of the 
enactment of this Act, the Director of National Intelligence, in 
coordination with the heads of other appropriate elements of the 
intelligence community, shall submit to the Select Committee on 
Intelligence of the Senate and the Permanent Select Committee on 
Intelligence of the House of Representatives a report on cybersecurity 
threats, including cyber attacks, theft, and data breaches.
    (b) Contents.--The report required by subsection (a) shall include 
the following:
            (1) An assessment of the current intelligence sharing and 
        cooperation relationships of the United States with other 
        countries regarding cybersecurity threats, including cyber 
        attacks, theft, and data breaches, directed against the United 
        States and which threaten the United States national security 
        interests and economy and intellectual property, specifically 
        identifying the relative utility of such relationships, which 
        elements of the intelligence community participate in such 
        relationships, and whether and how such relationships could be 
        improved.
            (2) A list and an assessment of the countries and nonstate 
        actors that are the primary threats of carrying out a 
        cybersecurity threat, including a cyber attack, theft, or data 
        breach, against the United States and which threaten the United 
        States national security, economy, and intellectual property.
            (3) A description of the extent to which the capabilities 
        of the United States Government to respond to or prevent 
        cybersecurity threats, including cyber attacks, theft, or data 
        breaches, directed against the United States private sector are 
        degraded by a delay in the prompt notification by private 
        entities of such threats or cyber attacks, theft, and breaches.
            (4) An assessment of additional technologies or 
        capabilities that would enhance the ability of the United 
        States to prevent and to respond to cybersecurity threats, 
        including cyber attacks, theft, and data breaches.
            (5) An assessment of any technologies or practices utilized 
        by the private sector that could be rapidly fielded to assist 
        the intelligence community in preventing and responding to 
        cybersecurity threats.
    (c) Additional Report.--At the time the report required by 
subsection (a) is submitted, the Director of National Intelligence 
shall submit to the Committee on Foreign Relations of the Senate and 
the Committee on Foreign Affairs of the House of Representatives a 
report containing the information required by subsection (b)(2).
    (d) Form of Report.--The report required by subsection (a) shall be 
made available in classified and unclassified forms.
    (e) Intelligence Community Defined.--In this section, the term 
``intelligence community'' has the meaning given that term in section 3 
of the National Security Act of 1947 (50 U.S.C. 3003).

SEC. 110. CONFORMING AMENDMENT.

    Section 941(c)(3) of the National Defense Authorization Act for 
Fiscal Year 2013 (Public Law 112-239; 10 U.S.C. 2224 note) is amended 
by inserting at the end the following: ``The Secretary may share such 
information with other Federal entities if such information consists of 
cyber threat indicators and defensive measures and such information is 
shared consistent with the policies and procedures promulgated by the 
Attorney General and the Secretary of Homeland Security under section 
105 of the Cybersecurity Information Sharing Act of 2015.''.

              TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT

SEC. 201. SHORT TITLE.

    This title may be cited as the ``Federal Cybersecurity Enhancement 
Act of 2015''.

SEC. 202. DEFINITIONS.

    In this title--
            (1) the term ``agency'' has the meaning given the term in 
        section 3502 of title 44, United States Code;
            (2) the term ``agency information system'' has the meaning 
        given the term in section 228 of the Homeland Security Act of 
        2002, as added by section 203(a);
            (3) the term ``appropriate congressional committees'' 
        means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    (B) the Committee on Homeland Security of the House 
                of Representatives;
            (4) the terms ``cybersecurity risk'' and ``information 
        system'' have the meanings given those terms in section 227 of 
        the Homeland Security Act of 2002, as so redesignated by 
        section 203(a);
            (5) the term ``Director'' means the Director of the Office 
        of Management and Budget;
            (6) the term ``intelligence community'' has the meaning 
        given the term in section 3(4) of the National Security Act of 
        1947 (50 U.S.C. 3003(4));
            (7) the term ``national security system'' has the meaning 
        given the term in section 11103 of title 40, United States 
        Code; and
            (8) the term ``Secretary'' means the Secretary of Homeland 
        Security.

SEC. 203. IMPROVED FEDERAL NETWORK SECURITY.

    (a) In General.--Subtitle C of title II of the Homeland Security 
Act of 2002 (6 U.S.C. 141 et seq.) is amended--
            (1) by redesignating section 228 as section 229;
            (2) by redesignating section 227 as subsection (c) of 
        section 228, as added by paragraph (4), and adjusting the 
        margins accordingly;
            (3) by redesignating the second section designated as 
        section 226 (relating to the national cybersecurity and 
        communications integration center) as section 227;
            (4) by inserting after section 227, as so redesignated, the 
        following:

``SEC. 228. CYBERSECURITY PLANS.

    ``(a) Definitions.--In this section--
            ``(1) the term `agency information system' means an 
        information system used or operated by an agency or by another 
        entity on behalf of an agency;
            ``(2) the terms `cybersecurity risk' and `information 
        system' have the meanings given those terms in section 227;
            ``(3) the term `intelligence community' has the meaning 
        given the term in section 3(4) of the National Security Act of 
        1947 (50 U.S.C. 3003(4)); and
            ``(4) the term `national security system' has the meaning 
        given the term in section 11103 of title 40, United States 
        Code.
    ``(b) Intrusion Assessment Plan.--
            ``(1) Requirement.--The Secretary, in coordination with the 
        Director of the Office of Management and Budget, shall develop 
        and implement an intrusion assessment plan to identify and 
        remove intruders in agency information systems.
            ``(2) Exception.--The intrusion assessment plan required 
        under paragraph (1) shall not apply to the Department of 
        Defense, a national security system, or an element of the 
        intelligence community.'';
            (5) in section 228(c), as so redesignated, by striking 
        ``section 226'' and inserting ``section 227''; and
            (6) by inserting after section 229, as so redesignated, the 
        following:

``SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM.

    ``(a) Definitions.--In this section--
            ``(1) the term `agency' has the meaning given that term in 
        section 3502 of title 44, United States Code;
            ``(2) the term `agency information' means information 
        collected or maintained by or on behalf of an agency;
            ``(3) the term `agency information system' has the meaning 
        given the term in section 228; and
            ``(4) the terms `cybersecurity risk' and `information 
        system' have the meanings given those terms in section 227.
    ``(b) Requirement.--
            ``(1) In general.--Not later than 1 year after the date of 
        enactment of this section, the Secretary shall deploy, operate, 
        and maintain, to make available for use by any agency, with or 
        without reimbursement--
                    ``(A) a capability to detect cybersecurity risks in 
                network traffic transiting or traveling to or from an 
                agency information system; and
                    ``(B) a capability to prevent network traffic 
                associated with such cybersecurity risks from 
                transiting or traveling to or from an agency 
                information system or modify such network traffic to 
                remove the cybersecurity risk.
            ``(2) Regular improvement.--The Secretary shall regularly 
        deploy new technologies and modify existing technologies to the 
        intrusion detection and prevention capabilities described in 
        paragraph (1) as appropriate to improve the intrusion detection 
        and prevention capabilities.
    ``(c) Activities.--In carrying out subsection (b), the Secretary--
            ``(1) may access, and the head of an agency may disclose to 
        the Secretary or a private entity providing assistance to the 
        Secretary under paragraph (2), information transiting or 
        traveling to or from an agency information system, regardless 
        of the location from which the Secretary or a private entity 
        providing assistance to the Secretary under paragraph (2) 
        accesses such information, notwithstanding any other provision 
        of law that would otherwise restrict or prevent the head of an 
        agency from disclosing such information to the Secretary or a 
        private entity providing assistance to the Secretary under 
        paragraph (2);
            ``(2) may enter into contracts or other agreements with, or 
        otherwise request and obtain the assistance of, private 
        entities to deploy and operate technologies in accordance with 
        subsection (b);
            ``(3) may retain, use, and disclose information obtained 
        through the conduct of activities authorized under this section 
        only to protect information and information systems from 
        cybersecurity risks;
            ``(4) shall regularly assess through operational test and 
        evaluation in real world or simulated environments available 
        advanced protective technologies to improve detection and 
        prevention capabilities, including commercial and non-
        commercial technologies and detection technologies beyond 
        signature-based detection, and utilize such technologies when 
        appropriate;
            ``(5) shall establish a pilot to acquire, test, and deploy, 
        as rapidly as possible, technologies described in paragraph 
        (4);
            ``(6) shall periodically update the privacy impact 
        assessment required under section 208(b) of the E-Government 
        Act of 2002 (44 U.S.C. 3501 note); and
            ``(7) shall ensure that--
                    ``(A) activities carried out under this section are 
                reasonably necessary for the purpose of protecting 
                agency information and agency information systems from 
                a cybersecurity risk;
                    ``(B) information accessed by the Secretary will be 
                retained no longer than reasonably necessary for the 
                purpose of protecting agency information and agency 
                information systems from a cybersecurity risk;
                    ``(C) notice has been provided to users of an 
                agency information system concerning access to 
                communications of users of the agency information 
                system for the purpose of protecting agency information 
                and the agency information system; and
                    ``(D) the activities are implemented pursuant to 
                policies and procedures governing the operation of the 
                intrusion detection and prevention capabilities.
    ``(d) Private Entities.--
            ``(1) Conditions.--A private entity described in subsection 
        (c)(2) may not--
                    ``(A) disclose any network traffic transiting or 
                traveling to or from an agency information system to 
                any entity without the consent of the Department or the 
                agency that disclosed the information under subsection 
                (c)(1); or
                    ``(B) use any network traffic transiting or 
                traveling to or from an agency information system to 
                which the private entity gains access in accordance 
                with this section for any purpose other than to protect 
                agency information and agency information systems 
                against cybersecurity risks or to administer a contract 
                or other agreement entered into pursuant to subsection 
                (c)(2) or as part of another contract with the 
                Secretary.
            ``(2) Limitation on liability.--No cause of action shall 
        lie in any court against a private entity for assistance 
        provided to the Secretary in accordance with this section and 
        any contract or agreement entered into pursuant to subsection 
        (c)(2).
            ``(3) Rule of construction.--Nothing in paragraph (2) shall 
        be construed to authorize an Internet service provider to break 
        a user agreement with a customer without the consent of the 
        customer.
    ``(e) Attorney General Review.--Not later than 1 year after the 
date of enactment of this section, the Attorney General shall review 
the policies and guidelines for the program carried out under this 
section to ensure that the policies and guidelines are consistent with 
applicable law governing the acquisition, interception, retention, use, 
and disclosure of communications.''.
    (b) Prioritizing Advanced Security Tools.--The Director and the 
Secretary, in consultation with appropriate agencies, shall--
            (1) review and update governmentwide policies and programs 
        to ensure appropriate prioritization and use of network 
        security monitoring tools within agency networks; and
            (2) brief appropriate congressional committees on such 
        prioritization and use.
    (c) Agency Responsibilities.--
            (1) In general.--Except as provided in paragraph (2)--
                    (A) not later than 1 year after the date of 
                enactment of this Act or 2 months after the date on 
                which the Secretary makes available the intrusion 
                detection and prevention capabilities under section 
                230(b)(1) of the Homeland Security Act of 2002, as 
                added by subsection (a), whichever is later, the head 
                of each agency shall apply and continue to utilize the 
                capabilities to all information traveling between an 
                agency information system and any information system 
                other than an agency information system; and
                    (B) not later than 6 months after the date on which 
                the Secretary makes available improvements to the 
                intrusion detection and prevention capabilities 
                pursuant to section 230(b)(2) of the Homeland Security 
                Act of 2002, as added by subsection (a), the head of 
                each agency shall apply and continue to utilize the 
                improved intrusion detection and prevention 
                capabilities.
            (2) Exception.--The requirements under paragraph (1) shall 
        not apply to the Department of Defense, a national security 
        system, or an element of the intelligence community.
            (3) Definition.--In this subsection only, the term ``agency 
        information system'' means an information system owned or 
        operated by an agency.
            (4) Rule of construction.--Nothing in this subsection shall 
        be construed to limit an agency from applying the intrusion 
        detection and prevention capabilities under section 230(b)(1) 
        of the Homeland Security Act of 2002, as added by subsection 
        (a), at the discretion of the head of the agency or as provided 
        in relevant policies, directives, and guidelines.
    (d) Table of Contents Amendment.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note) is 
amended by striking the items relating to the first section designated 
as section 226, the second section designated as section 226 (relating 
to the national cybersecurity and communications integration center), 
section 227, and section 228 and inserting the following:

``Sec. 226. Cybersecurity recruitment and retention.
``Sec. 227. National cybersecurity and communications integration 
                            center.
``Sec. 228. Cybersecurity plans.
``Sec. 229. Clearances.
``Sec. 230. Federal intrusion detection and prevention system.''.

SEC. 204. ADVANCED INTERNAL DEFENSES.

    (a) Advanced Network Security Tools.--
            (1) In general.--The Secretary shall include in the 
        Continuous Diagnostics and Mitigation Program advanced network 
        security tools to improve visibility of network activity, 
        including through the use of commercial and free or open source 
        tools, to detect and mitigate intrusions and anomalous 
        activity.
            (2) Development of plan.--The Director shall develop and 
        implement a plan to ensure that each agency utilizes advanced 
        network security tools, including those described in paragraph 
        (1), to detect and mitigate intrusions and anomalous activity.
    (b) Improved Metrics.--The Secretary, in collaboration with the 
Director, shall review and update the metrics used to measure security 
under section 3554 of title 44, United States Code, to include measures 
of intrusion and incident detection and response times.
    (c) Transparency and Accountability.--The Director, in consultation 
with the Secretary, shall increase transparency to the public on agency 
cybersecurity posture, including by increasing the number of metrics 
available on Federal Government performance websites and, to the 
greatest extent practicable, displaying metrics for department 
components, small agencies, and micro agencies.
    (d) Maintenance of Technologies.--Section 3553(b)(6)(B) of title 
44, United States Code, is amended by inserting ``, operating, and 
maintaining'' after ``deploying''.
    (e) Exception.--The requirements under this section shall not apply 
to the Department of Defense, a national security system, or an element 
of the intelligence community.

SEC. 205. FEDERAL CYBERSECURITY REQUIREMENTS.

    (a) Implementation of Federal Cybersecurity Standards.--Consistent 
with section 3553 of title 44, United States Code, the Secretary, in 
consultation with the Director, shall exercise the authority to issue 
binding operational directives to assist the Director in ensuring 
timely agency adoption of and compliance with policies and standards 
promulgated under section 11331 of title 40, United States Code, for 
securing agency information systems.
    (b) Cybersecurity Requirements at Agencies.--
            (1) In general.--Consistent with policies, standards, 
        guidelines, and directives on information security under 
        subchapter II of chapter 35 of title 44, United States Code, 
        and the standards and guidelines promulgated under section 
        11331 of title 40, United States Code, and except as provided 
        in paragraph (2), not later than 1 year after the date of the 
        enactment of this Act, the head of each agency shall--
                    (A) identify sensitive and mission critical data 
                stored by the agency consistent with the inventory 
                required under the first subsection (c) (relating to 
                the inventory of major information systems) and the 
                second subsection (c) (relating to the inventory of 
                information systems) of section 3505 of title 44, 
                United States Code;
                    (B) assess access controls to the data described in 
                subparagraph (A), the need for readily accessible 
                storage of the data, and individuals' need to access 
                the data;
                    (C) encrypt or otherwise render indecipherable to 
                unauthorized users the data described in subparagraph 
                (A) that is stored on or transiting agency information 
                systems;
                    (D) implement a single sign-on trusted identity 
                platform for individuals accessing each public website 
                of the agency that requires user authentication, as 
                developed by the Administrator of General Services in 
                collaboration with the Secretary; and
                    (E) implement identity management consistent with 
                section 504 of the Cybersecurity Enhancement Act of 
                2014 (Public Law 113-274; 15 U.S.C. 7464), including 
                multi-factor authentication, for--
                            (i) remote access to an agency information 
                        system; and
                            (ii) each user account with elevated 
                        privileges on an agency information system.
            (2) Exception.--The requirements under paragraph (1) shall 
        not apply to an agency information system for which--
                    (A) the head of the agency has personally certified 
                to the Director with particularity that--
                            (i) operational requirements articulated in 
                        the certification and related to the agency 
                        information system would make it excessively 
                        burdensome to implement the cybersecurity 
                        requirement;
                            (ii) the cybersecurity requirement is not 
                        necessary to secure the agency information 
                        system or agency information stored on or 
                        transiting it; and
                            (iii) the agency has taken all necessary 
                        steps to secure the agency information system 
                        and agency information stored on or transiting 
                        it; and
                    (B) the head of the agency or the designee of the 
                head of the agency has submitted the certification 
                described in subparagraph (A) to the appropriate 
                congressional committees and the agency's authorizing 
                committees.
            (3) Construction.--Nothing in this section shall be 
        construed to alter the authority of the Secretary, the 
        Director, or the Director of the National Institute of 
        Standards and Technology in implementing subchapter II of 
        chapter 35 of title 44, United States Code. Nothing in this 
        section shall be construed to affect the National Institute of 
        Standards and Technology standards process or the requirement 
        under section 3553(a)(4) of such title or to discourage 
        continued improvements and advancements in the technology, 
        standards, policies, and guidelines used to promote Federal 
        information security.
    (c) Exception.--The requirements under this section shall not apply 
to the Department of Defense, a national security system, or an element 
of the intelligence community.

SEC. 206. ASSESSMENT; REPORTS.

    (a) Definitions.--In this section--
            (1) the term ``intrusion assessments'' means actions taken 
        under the intrusion assessment plan to identify and remove 
        intruders in agency information systems;
            (2) the term ``intrusion assessment plan'' means the plan 
        required under section 228(b)(1) of the Homeland Security Act 
        of 2002, as added by section 203(a) of this Act; and
            (3) the term ``intrusion detection and prevention 
        capabilities'' means the capabilities required under section 
        230(b) of the Homeland Security Act of 2002, as added by 
        section 203(a) of this Act.
    (b) Third Party Assessment.--Not later than 3 years after the date 
of enactment of this Act, the Government Accountability Office shall 
conduct a study and publish a report on the effectiveness of the 
approach and strategy of the Federal Government to securing agency 
information systems, including the intrusion detection and prevention 
capabilities and the intrusion assessment plan.
    (c) Reports to Congress.--
            (1) Intrusion detection and prevention capabilities.--
                    (A) Secretary of homeland security report.--Not 
                later than 6 months after the date of enactment of this 
                Act, and annually thereafter, the Secretary shall 
                submit to the appropriate congressional committees a 
                report on the status of implementation of the intrusion 
                detection and prevention capabilities, including--
                            (i) a description of privacy controls;
                            (ii) a description of the technologies and 
                        capabilities utilized to detect cybersecurity 
                        risks in network traffic, including the extent 
                        to which those technologies and capabilities 
                        include existing commercial and non-commercial 
                        technologies;
                            (iii) a description of the technologies and 
                        capabilities utilized to prevent network 
                        traffic associated with cybersecurity risks 
                        from transiting or traveling to or from agency 
                        information systems, including the extent to 
                        which those technologies and capabilities 
                        include existing commercial and non-commercial 
                        technologies;
                            (iv) a list of the types of indicators or 
                        other identifiers or techniques used to detect 
                        cybersecurity risks in network traffic 
                        transiting or traveling to or from agency 
                        information systems on each iteration of the 
                        intrusion detection and prevention capabilities 
                        and the number of each such type of indicator, 
                        identifier, and technique;
                            (v) the number of instances in which the 
                        intrusion detection and prevention capabilities 
                        detected a cybersecurity risk in network 
                        traffic transiting or traveling to or from 
                        agency information systems and the number of 
                        times the intrusion detection and prevention 
                        capabilities blocked network traffic associated 
                        with cybersecurity risk; and
                            (vi) a description of the pilot established 
                        under section 230(c)(5) of the Homeland 
                        Security Act of 2002, as added by section 
                        203(a) of this Act, including the number of new 
                        technologies tested and the number of 
                        participating agencies.
                    (B) OMB report.--Not later than 18 months after the 
                date of enactment of this Act, and annually thereafter, 
                the Director shall submit to Congress, as part of the 
                report required under section 3553(c) of title 44, 
                United States Code, an analysis of agency application 
                of the intrusion detection and prevention capabilities, 
                including--
                            (i) a list of each agency and the degree to 
                        which each agency has applied the intrusion 
                        detection and prevention capabilities to an 
                        agency information system; and
                            (ii) a list by agency of--
                                    (I) the number of instances in 
                                which the intrusion detection and 
                                prevention capabilities detected a 
                                cybersecurity risk in network traffic 
                                transiting or traveling to or from an 
                                agency information system and the types 
                                of indicators, identifiers, and 
                                techniques used to detect such 
                                cybersecurity risks; and
                                    (II) the number of instances in 
                                which the intrusion detection and 
                                prevention capabilities prevented 
                                network traffic associated with a 
                                cybersecurity risk from transiting or 
                                traveling to or from an agency 
                                information system and the types of 
                                indicators, identifiers, and techniques 
                                used to detect such cybersecurity 
                                risks.
            (2) OMB report on development and implementation of 
        intrusion assessment plan, advanced internal defenses, and 
        federal cybersecurity best practices.--The Director shall--
                    (A) not later than 6 months after the date of 
                enactment of this Act, and 30 days after any update 
                thereto, submit the intrusion assessment plan to the 
                appropriate congressional committees;
                    (B) not later than 1 year after the date of 
                enactment of this Act, and annually thereafter, submit 
                to Congress, as part of the report required under 
                section 3553(c) of title 44, United States Code--
                            (i) a description of the implementation of 
                        the intrusion assessment plan;
                            (ii) the findings of the intrusion 
                        assessments conducted pursuant to the intrusion 
                        assessment plan;
                            (iii) advanced network security tools 
                        included in the Continuous Diagnostics and 
                        Mitigation Program pursuant to section 
                        204(a)(1);
                            (iv) the results of the assessment of the 
                        Secretary of best practices for Federal 
                        cybersecurity pursuant to section 205(a); and
                            (v) a list by agency of compliance with the 
                        requirements of section 205(b); and
                    (C) not later than 1 year after the date of 
                enactment of this Act, submit to the appropriate 
                congressional committees--
                            (i) a copy of the plan developed pursuant 
                        to section 204(a)(2); and
                            (ii) the improved metrics developed 
                        pursuant to section 204(b).

SEC. 207. TERMINATION.

    (a) In General.--The authority provided under section 230 of the 
Homeland Security Act of 2002, as added by section 203(a) of this Act, 
and the reporting requirements under section 206(c) shall terminate on 
the date that is 7 years after the date of enactment of this Act.
    (b) Rule of Construction.--Nothing in subsection (a) shall be 
construed to affect the limitation of liability of a private entity for 
assistance provided to the Secretary under section 230(d)(2) of the 
Homeland Security Act of 2002, as added by section 203(a) of this Act, 
if such assistance was rendered before the termination date under 
subsection (a) or otherwise during a period in which the assistance was 
authorized.

SEC. 208. IDENTIFICATION OF INFORMATION SYSTEMS RELATING TO NATIONAL 
              SECURITY.

    (a) In General.--Except as provided in subsection (c), not later 
than 180 days after the date of enactment of this Act--
            (1) the Director of National Intelligence and the Director 
        of the Office of Management and Budget, in coordination with 
        the heads of other agencies, shall--
                    (A) identify all unclassified information systems 
                that provide access to information that may provide an 
                adversary with the ability to derive information that 
                would otherwise be considered classified;
                    (B) assess the risks that would result from the 
                breach of each unclassified information system 
                identified in subparagraph (A); and
                    (C) assess the cost and impact on the mission 
                carried out by each agency that owns an unclassified 
                information system identified in subparagraph (A) if 
                the system were to be subsequently designated as a 
                national security system; and
            (2) the Director of National Intelligence and the Director 
        of the Office of Management and Budget shall submit to the 
        appropriate congressional committees, the Select Committee on 
        Intelligence of the Senate, and the Permanent Select Committee 
        on Intelligence of the House of Representatives a report that 
        includes the findings under paragraph (1).
    (b) Form.--The report submitted under subsection (a)(2) shall be in 
unclassified form, and shall include a classified annex.
    (c) Exception.--The requirements under subsection (a)(1) shall not 
apply to the Department of Defense, a national security system, or an 
element of the intelligence community.
    (d) Rule of Construction.--Nothing in this section shall be 
construed to designate an information system as a national security 
system.

SEC. 209. DIRECTION TO AGENCIES.

    (a) In General.--Section 3553 of title 44, United States Code, is 
amended by adding at the end the following:
    ``(h) Direction to Agencies.--
            ``(1) Authority.--
                    ``(A) In general.--Subject to subparagraph (B), in 
                response to a known or reasonably suspected information 
                security threat, vulnerability, or incident that 
                represents a substantial threat to the information 
                security of an agency, the Secretary may issue an 
                emergency directive to the head of an agency to take 
                any lawful action with respect to the operation of the 
                information system, including such systems used or 
                operated by another entity on behalf of an agency, that 
                collects, processes, stores, transmits, disseminates, 
                or otherwise maintains agency information, for the 
                purpose of protecting the information system from, or 
                mitigating, an information security threat.
                    ``(B) Exception.--The authorities of the Secretary 
                under this subsection shall not apply to a system 
                described in subsection (d) or to a system described in 
                paragraph (2) or (3) of subsection (e).
            ``(2) Procedures for use of authority.--The Secretary 
        shall--
                    ``(A) in coordination with the Director, establish 
                procedures governing the circumstances under which a 
                directive may be issued under this subsection, which 
                shall include--
                            ``(i) thresholds and other criteria;
                            ``(ii) privacy and civil liberties 
                        protections; and
                            ``(iii) providing notice to potentially 
                        affected third parties;
                    ``(B) specify the reasons for the required action 
                and the duration of the directive;
                    ``(C) minimize the impact of a directive under this 
                subsection by--
                            ``(i) adopting the least intrusive means 
                        possible under the circumstances to secure the 
                        agency information systems; and
                            ``(ii) limiting directives to the shortest 
                        period practicable;
                    ``(D) notify the Director and the head of any 
                affected agency immediately upon the issuance of a 
                directive under this subsection;
                    ``(E) consult with the Director of the National 
                Institute of Standards and Technology regarding any 
                directive under this subsection that implements 
                standards and guidelines developed by the National 
                Institute of Standards and Technology;
                    ``(F) ensure that directives issued under this 
                subsection do not conflict with the standards and 
                guidelines issued under section 11331 of title 40;
                    ``(G) consider any applicable standards or 
                guidelines developed by the National Institute of 
                Standards and Technology and issued by the Secretary of 
                Commerce under section 11331 of title 40; and
                    ``(H) not later than February 1 of each year, 
                submit to the appropriate congressional committees a 
                report regarding the specific actions the Secretary has 
                taken pursuant to paragraph (1)(A).
            ``(3) Imminent threats.--
                    ``(A) In general.--Notwithstanding section 3554, 
                the Secretary may authorize the intrusion detection and 
                prevention capabilities under section 230(b)(1) of the 
                Homeland Security Act of 2002 for the purpose of 
                ensuring the security of agency information systems, 
                if--
                            ``(i) the Secretary determines there is an 
                        imminent threat to agency information systems;
                            ``(ii) the Secretary determines a directive 
                        under subsection (b)(2)(C) or paragraph (1)(A) 
                        is not reasonably likely to result in a timely 
                        response to the threat;
                            ``(iii) the Secretary determines the risk 
                        posed by the imminent threat outweighs any 
                        adverse consequences reasonably expected to 
                        result from the use of protective capabilities 
                        under the control of the Secretary;
                            ``(iv) the Secretary provides prior notice 
                        to the Director, and the head and chief 
                        information officer (or equivalent official) of 
                        each agency to which specific actions will be 
                        taken pursuant to subparagraph (A), and 
                        notifies the appropriate congressional 
                        committees and authorizing committees of each 
                        such agency within seven days of taking an 
                        action under this subsection of--
                                    ``(I) any action taken under this 
                                subsection; and
                                    ``(II) the reasons for and duration 
                                and nature of the action;
                            ``(v) the action of the Secretary is 
                        consistent with applicable law; and
                            ``(vi) the Secretary authorizes the use of 
                        protective capabilities in accordance with the 
                        advance procedures established under 
                        subparagraph (C).
                    ``(B) Limitation on delegation.--The authority 
                under this subsection may not be delegated by the 
                Secretary.
                    ``(C) Advance procedures.--The Secretary shall, in 
                coordination with the Director, and in consultation 
                with the heads of Federal agencies, establish 
                procedures governing the circumstances under which the 
                Secretary may authorize the use of protective 
                capabilities under subparagraph (A). The Secretary shall 
                submit the procedures to Congress.
            ``(4) Limitation.--The Secretary may direct or authorize 
        lawful action or protective capability under this subsection 
        only to--
                    ``(A) protect agency information from unauthorized 
                access, use, disclosure, disruption, modification, or 
                destruction; or
                    ``(B) require the remediation of or protect against 
                identified information security risks with respect to--
                            ``(i) information collected or maintained 
                        by or on behalf of an agency; or
                            ``(ii) that portion of an information 
                        system used or operated by an agency or by a 
                        contractor of an agency or other organization 
                        on behalf of an agency.
    ``(i) Annual Report to Congress.--Not later than February 1 of each 
year, the Director shall submit to the appropriate congressional 
committees a report regarding the specific actions the Director has 
taken pursuant to subsection (a)(5), including any actions taken 
pursuant to section 11303(b)(5) of title 40.
    ``(j) Appropriate Congressional Committees Defined.--In this 
section, the term `appropriate congressional committees' means--
            ``(1) the Committee on Appropriations and the Committee on 
        Homeland Security and Governmental Affairs of the Senate; and
            ``(2) the Committee on Appropriations, the Committee on 
        Homeland Security, the Committee on Oversight and Government 
        Reform, and the Committee on Science, Space, and Technology of 
        the House of Representatives.''.
    (b) Conforming Amendment.--Section 3554(a)(1)(B) of title 44, 
United States Code, is amended--
            (1) in clause (iii), by striking ``and'' at the end; and
            (2) by adding at the end the following:
                            ``(v) emergency directives issued by the 
                        Secretary under section 3553(h); and''.

         TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

SEC. 301. SHORT TITLE.

    This title may be cited as the ``Federal Cybersecurity Workforce 
Assessment Act of 2015''.

SEC. 302. DEFINITIONS.

    In this title:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Armed Services of the Senate;
                    (B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (C) the Select Committee on Intelligence of the 
                Senate;
                    (D) the Committee on Commerce, Science, and 
                Transportation of the Senate;
                    (E) the Committee on Armed Services in the House of 
                Representatives;
                    (F) the Committee on Homeland Security of the House 
                of Representatives;
                    (G) the Committee on Oversight and Government 
                Reform of the House of Representatives; and
                    (H) the Permanent Select Committee on Intelligence 
                of the House of Representatives.
            (2) Director.--The term ``Director'' means the Director of 
        the Office of Personnel Management.
            (3) Roles.--The term ``roles'' has the meaning given the 
        term in the National Initiative for Cybersecurity Education's 
        Cybersecurity Workforce Framework.

SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT INITIATIVE.

    (a) In General.--The head of each Federal agency shall--
            (1) identify all positions within the agency that require 
        the performance of cybersecurity or other cyber-related 
        functions; and
            (2) assign the corresponding employment code, which shall 
        be added to the National Initiative for Cybersecurity 
        Education's National Cybersecurity Workforce Framework, in 
        accordance with subsection (b).
    (b) Employment Codes.--
            (1) Procedures.--
                    (A) Coding structure.--Not later than 180 days 
                after the date of the enactment of this Act, the 
                Secretary of Commerce, acting through the National 
                Institute of Standards and Technology, shall update the 
                National Initiative for Cybersecurity Education's 
                Cybersecurity Workforce Framework to include a 
                corresponding coding structure.
                    (B) Identification of civilian cyber personnel.--
                Not later than 9 months after the date of enactment of 
                this Act, the Director, in coordination with the 
                Director of the National Institute of Standards and 
                Technology and the Director of National Intelligence, 
                shall establish procedures to implement the National 
                Initiative for Cybersecurity Education's coding 
                structure to identify all Federal civilian positions 
                that require the performance of information technology, 
                cybersecurity, or other cyber-related functions.
                    (C) Identification of noncivilian cyber 
                personnel.--Not later than 18 months after the date of 
                enactment of this Act, the Secretary of Defense shall 
                establish procedures to implement the National 
                Initiative for Cybersecurity Education's coding 
                structure to identify all Federal noncivilian positions 
                that require the performance of information technology, 
                cybersecurity, or other cyber-related functions.
                    (D) Baseline assessment of existing cybersecurity 
                workforce.--Not later than 3 months after the date on 
                which the procedures are developed under subparagraphs 
                (B) and (C), respectively, the head of each Federal 
                agency shall submit to the appropriate congressional 
                committees of jurisdiction a report that identifies--
                            (i) the percentage of personnel with 
                        information technology, cybersecurity, or other 
                        cyber-related job functions who currently hold 
                        the appropriate industry-recognized 
                        certifications as identified in the National 
                        Initiative for Cybersecurity Education's 
                        Cybersecurity Workforce Framework;
                            (ii) the level of preparedness of other 
                        civilian and noncivilian cyber personnel 
                        without existing credentials to take 
                        certification exams; and
                            (iii) a strategy for mitigating any gaps 
                        identified in clause (i) or (ii) with the 
                        appropriate training and certification for 
                        existing personnel.
                    (E) Procedures for assigning codes.--Not later than 
                3 months after the date on which the procedures are 
                developed under subparagraphs (B) and (C), 
                respectively, the head of each Federal agency shall 
                establish procedures--
                            (i) to identify all encumbered and vacant 
                        positions with information technology, 
                        cybersecurity, or other cyber-related functions 
                        (as defined in the National Initiative for 
                        Cybersecurity Education's coding structure); 
                        and
                            (ii) to assign the appropriate employment 
                        code to each such position, using agreed 
                        standards and definitions.
            (2) Code assignments.--Not later than 1 year after the date 
        on which the procedures are established under paragraph (1)(E), 
        the head of each Federal agency shall complete assignment of 
        the appropriate employment code to each position within the 
        agency with information technology, cybersecurity, or other 
        cyber-related functions.
    (c) Progress Report.--Not later than 180 days after the date of 
enactment of this Act, the Director shall submit a progress report on 
the implementation of this section to the appropriate congressional 
committees.

SEC. 304. IDENTIFICATION OF CYBER-RELATED ROLES OF CRITICAL NEED.

    (a) In General.--Beginning not later than 1 year after the date on 
which the employment codes are assigned to employees pursuant to 
section 303(b)(2), and annually through 2022, the head of each Federal 
agency, in consultation with the Director, the Director of the National 
Institute of Standards and Technology, and the Secretary of Homeland 
Security, shall--
            (1) identify information technology, cybersecurity, or 
        other cyber-related roles of critical need in the agency's 
        workforce; and
            (2) submit a report to the Director that--
                    (A) describes the information technology, 
                cybersecurity, or other cyber-related roles identified 
                under paragraph (1); and
                    (B) substantiates the critical need designations.
    (b) Guidance.--The Director shall provide Federal agencies with 
timely guidance for identifying information technology, cybersecurity, 
or other cyber-related roles of critical need, including--
            (1) current information technology, cybersecurity, and 
        other cyber-related roles with acute skill shortages; and
            (2) information technology, cybersecurity, or other cyber-
        related roles with emerging skill shortages.
    (c) Cybersecurity Needs Report.--Not later than 2 years after the 
date of the enactment of this Act, the Director, in consultation with 
the Secretary of Homeland Security, shall--
            (1) identify critical needs for information technology, 
        cybersecurity, or other cyber-related workforce across all 
        Federal agencies; and
            (2) submit a progress report on the implementation of this 
        section to the appropriate congressional committees.

SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS.

    The Comptroller General of the United States shall--
            (1) analyze and monitor the implementation of sections 303 
        and 304; and
            (2) not later than 3 years after the date of the enactment 
        of this Act, submit a report to the appropriate congressional 
        committees that describes the status of such implementation.

                     TITLE IV--OTHER CYBER MATTERS

SEC. 401. STUDY ON MOBILE DEVICE SECURITY.

    (a) In General.--Not later than 1 year after the date of the 
enactment of this Act, the Secretary of Homeland Security, in 
consultation with the Director of the National Institute of Standards 
and Technology, shall--
            (1) complete a study on threats relating to the security of 
        the mobile devices of the Federal Government; and
            (2) submit an unclassified report to Congress, with a 
        classified annex if necessary, that contains the findings of 
        such study, the recommendations developed under paragraph (3) 
        of subsection (b), the deficiencies, if any, identified under 
        paragraph (4) of such subsection, and the plan developed under 
        paragraph (5) of such subsection.
    (b) Matters Studied.--In carrying out the study under subsection 
(a)(1), the Secretary, in consultation with the Director of the 
National Institute of Standards and Technology, shall--
            (1) assess the evolution of mobile security techniques from 
        a desktop-centric approach, and whether such techniques are 
        adequate to meet current mobile security challenges;
            (2) assess the effect such threats may have on the 
        cybersecurity of the information systems and networks of the 
        Federal Government (except for national security systems or the 
        information systems and networks of the Department of Defense 
        and the intelligence community);
            (3) develop recommendations for addressing such threats 
        based on industry standards and best practices;
            (4) identify any deficiencies in the current authorities of 
        the Secretary that may inhibit the ability of the Secretary to 
        address mobile device security throughout the Federal 
        Government (except for national security systems and the 
        information systems and networks of the Department of Defense 
        and intelligence community); and
            (5) develop a plan for accelerated adoption of secure 
        mobile device technology by the Department of Homeland 
        Security.
    (c) Intelligence Community Defined.--In this section, the term 
``intelligence community'' has the meaning given such term in section 3 
of the National Security Act of 1947 (50 U.S.C. 3003).

SEC. 402. DEPARTMENT OF STATE INTERNATIONAL CYBERSPACE POLICY STRATEGY.

    (a) In General.--Not later than 90 days after the date of the 
enactment of this Act, the Secretary of State shall produce a 
comprehensive strategy relating to United States international policy 
with regard to cyberspace.
    (b) Elements.--The strategy required by subsection (a) shall 
include the following:
            (1) A review of actions and activities undertaken by the 
        Secretary of State to date to support the goal of the 
        President's International Strategy for Cyberspace, released in 
        May 2011, to ``work internationally to promote an open, 
        interoperable, secure, and reliable information and 
        communications infrastructure that supports international trade 
        and commerce, strengthens international security, and fosters 
        free expression and innovation.''.
            (2) A plan of action to guide the diplomacy of the 
        Secretary of State, with regard to foreign countries, including 
        conducting bilateral and multilateral activities to develop the 
        norms of responsible international behavior in cyberspace, and 
        a status review of existing discussions in multilateral fora to 
        obtain agreements on international norms in cyberspace.
            (3) A review of the alternative concepts with regard to 
        international norms in cyberspace offered by foreign countries 
        that are prominent actors, including China, Russia, Brazil, and 
        India.
            (4) A detailed description of threats to United States 
        national security in cyberspace from foreign countries, state-
        sponsored actors, and private actors to Federal and private 
        sector infrastructure of the United States, intellectual 
        property in the United States, and the privacy of citizens of 
        the United States.
            (5) A review of policy tools available to the President to 
        deter foreign countries, state-sponsored actors, and private 
        actors, including those outlined in Executive Order 13694, 
        released on April 1, 2015.
            (6) A review of resources required by the Secretary, 
        including the Office of the Coordinator for Cyber Issues, to 
        conduct activities to build responsible norms of international 
        cyber behavior.
    (c) Consultation.--In preparing the strategy required by subsection 
(a), the Secretary of State shall consult, as appropriate, with other 
agencies and departments of the United States and the private sector 
and nongovernmental organizations in the United States with recognized 
credentials and expertise in foreign policy, national security, and 
cybersecurity.
    (d) Form of Strategy.--The strategy required by subsection (a) 
shall be in unclassified form, but may include a classified annex.
    (e) Availability of Information.--The Secretary of State shall--
            (1) make the strategy required in subsection (a) available 
        to the public; and
            (2) brief the Committee on Foreign Relations of the Senate 
        and the Committee on Foreign Affairs of the House of 
        Representatives on the strategy, including any material 
        contained in a classified annex.

SEC. 403. APPREHENSION AND PROSECUTION OF INTERNATIONAL CYBER 
              CRIMINALS.

    (a) International Cyber Criminal Defined.--In this section, the 
term ``international cyber criminal'' means an individual--
            (1) who is believed to have committed a cybercrime or 
        intellectual property crime against the interests of the United 
        States or the citizens of the United States; and
            (2) for whom--
                    (A) an arrest warrant has been issued by a judge in 
                the United States; or
                    (B) an international wanted notice (commonly 
                referred to as a ``Red Notice'') has been circulated by 
                Interpol.
    (b) Consultations for Noncooperation.--The Secretary of State, or 
designee, shall consult with the appropriate government official of 
each country from which extradition is not likely due to the lack of an 
extradition treaty with the United States or other reasons, in which 
one or more international cyber criminals are physically present, to 
determine what actions the government of such country has taken--
            (1) to apprehend and prosecute such criminals; and
            (2) to prevent such criminals from carrying out cybercrimes 
        or intellectual property crimes against the interests of the 
        United States or its citizens.
    (c) Annual Report.--
            (1) In general.--The Secretary of State shall submit to the 
        appropriate congressional committees an annual report that 
        includes--
                    (A) the number of international cyber criminals 
                located in other countries, disaggregated by country, 
                and indicating from which countries extradition is not 
                likely due to the lack of an extradition treaty with 
                the United States or other reasons;
                    (B) the nature and number of significant 
                discussions by an official of the Department of State 
                on ways to thwart or prosecute international cyber 
                criminals with an official of another country, 
                including the name of each such country; and
                    (C) for each international cyber criminal who was 
                extradited to the United States during the most 
                recently completed calendar year--
                            (i) his or her name;
                            (ii) the crimes for which he or she was 
                        charged;
                            (iii) his or her previous country of 
                        residence; and
                            (iv) the country from which he or she was 
                        extradited into the United States.
            (2) Form.--The report required by this subsection shall be 
        in unclassified form to the maximum extent possible, but may 
        include a classified annex.
            (3) Appropriate congressional committees.--For purposes of 
        this subsection, the term ``appropriate congressional 
        committees'' means--
                    (A) the Committee on Foreign Relations, the 
                Committee on Appropriations, the Committee on Homeland 
                Security and Governmental Affairs, the Committee on 
                Banking, Housing, and Urban Affairs, the Select 
                Committee on Intelligence, and the Committee on the 
                Judiciary of the Senate; and
                    (B) the Committee on Foreign Affairs, the Committee 
                on Appropriations, the Committee on Homeland Security, 
                the Committee on Financial Services, the Permanent 
                Select Committee on Intelligence, and the Committee on 
                the Judiciary of the House of Representatives.

SEC. 404. ENHANCEMENT OF EMERGENCY SERVICES.

    (a) Collection of Data.--Not later than 90 days after the date of 
enactment of this Act, the Secretary of Homeland Security, acting 
through the National Cybersecurity and Communications Integration 
Center, in coordination with appropriate Federal entities and the 
Director for Emergency Communications, shall establish a process by 
which a Statewide Interoperability Coordinator may report data on any 
cybersecurity risk or incident involving any information system or 
network used by emergency response providers (as defined in section 2 
of the Homeland Security Act of 2002 (6 U.S.C. 101)) within the State.
    (b) Analysis of Data.--Not later than 1 year after the date of 
enactment of this Act, the Secretary of Homeland Security, acting 
through the Director of the National Cybersecurity and Communications 
Integration Center, in coordination with appropriate entities and the 
Director for Emergency Communications, and in consultation with the 
Director of the National Institute of Standards and Technology, shall 
conduct integration and analysis of the data reported under subsection 
(a) to develop information and recommendations on security and 
resilience measures for any information system or network used by State 
emergency response providers.
    (c) Best Practices.--
            (1) In general.--Using the results of the integration and 
        analysis conducted under subsection (b), and any other relevant 
        information, the Director of the National Institute of 
        Standards and Technology shall, on an ongoing basis, facilitate 
        and support the development of methods for reducing 
        cybersecurity risks to emergency response providers using the 
        process described in section 2(e) of the National Institute of 
        Standards and Technology Act (15 U.S.C. 272(e)).
            (2) Report.--The Director of the National Institute of 
        Standards and Technology shall submit a report to Congress on 
        the methods developed under paragraph (1) and shall make such 
        report publicly available on the website of the National 
        Institute of Standards and Technology.
    (d) Rule of Construction.--Nothing in this section shall be 
construed to--
            (1) require a State to report data under subsection (a); or
            (2) require an entity to--
                    (A) adopt a recommended measure developed under 
                subsection (b); or
                    (B) follow the best practices developed under 
                subsection (c).

SEC. 405. IMPROVING CYBERSECURITY IN THE HEALTH CARE INDUSTRY.

    (a) Definitions.--In this section:
            (1) Business associate.--The term ``business associate'' 
        has the meaning given such term in section 160.103 of title 45, 
        Code of Federal Regulations.
            (2) Covered entity.--The term ``covered entity'' has the 
        meaning given such term in section 160.103 of title 45, Code of 
        Federal Regulations.
            (3) Health care clearinghouse; health care provider; health 
        plan.--The terms ``health care clearinghouse'', ``health care 
        provider'', and ``health plan'' have the meanings given the 
        terms in section 160.103 of title 45, Code of Federal 
        Regulations.
            (4) Health care industry stakeholder.--The term ``health 
        care industry stakeholder'' means any--
                    (A) health plan, health care clearinghouse, or 
                health care provider;
                    (B) patient advocate;
                    (C) pharmacist;
                    (D) developer of health information technology;
                    (E) laboratory;
                    (F) pharmaceutical or medical device manufacturer; 
                or
                    (G) additional stakeholder the Secretary determines 
                necessary for purposes of subsection (d)(1), (d)(3), or 
                (e).
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
    (b) Report.--Not later than 1 year after the date of enactment of 
this Act, the Secretary shall submit, to the Committee on Health, 
Education, Labor, and Pensions of the Senate and the Committee on 
Energy and Commerce of the House of Representatives, a report on the 
preparedness of the health care industry in responding to cybersecurity 
threats.
    (c) Contents of Report.--With respect to the internal response of 
the Department of Health and Human Services to emerging cybersecurity 
threats, the report shall include--
            (1) a clear statement of the official within the Department 
        of Health and Human Services to be responsible for leading and 
        coordinating efforts of the Department regarding cybersecurity 
        threats in the health care industry; and
            (2) a plan from each relevant operating division and 
        subdivision of the Department of Health and Human Services on 
        how such division or subdivision will address cybersecurity 
        threats in the health care industry, including a clear 
        delineation of how each such division or subdivision will 
        divide responsibility among the personnel of such division or 
        subdivision and communicate with other such divisions and 
        subdivisions regarding efforts to address such threats.
    (d) Health Care Industry Cybersecurity Task Force.--
            (1) In general.--Not later than 60 days after the date of 
        enactment of this Act, the Secretary, in consultation with the 
        Director of the National Institute of Standards and Technology 
        and the Secretary of Homeland Security, shall convene health 
        care industry stakeholders, cybersecurity experts, and any 
        Federal agencies or entities the Secretary determines 
        appropriate to establish a task force to--
                    (A) analyze how industries, other than the health 
                care industry, have implemented strategies and 
                safeguards for addressing cybersecurity threats within 
                their respective industries;
                    (B) analyze challenges and barriers private 
                entities (notwithstanding section 102(15)(B), excluding 
                any State, tribal, or local government) in the health 
                care industry face securing themselves against cyber 
                attacks;
                    (C) review challenges that covered entities and 
                business associates face in securing networked medical 
                devices and other software or systems that connect to 
                an electronic health record;
                    (D) provide the Secretary with information to 
                disseminate to health care industry stakeholders for 
                purposes of improving their preparedness for, and 
                response to, cybersecurity threats affecting the health 
                care industry;
                    (E) establish a plan for creating a single system 
                for the Federal Government to share information on 
                actionable intelligence regarding cybersecurity threats 
                to the health care industry in near real time, 
                requiring no fee to the recipients of such information, 
                including which Federal agency or other entity may be 
                best suited to be the central conduit to facilitate the 
                sharing of such information; and
                    (F) report to Congress on the findings and 
                recommendations of the task force regarding carrying 
                out subparagraphs (A) through (E).
            (2) Termination.--The task force established under this 
        subsection shall terminate on the date that is 1 year after the 
        date of enactment of this Act.
            (3) Dissemination.--Not later than 60 days after the 
        termination of the task force established under this 
        subsection, the Secretary shall disseminate the information 
        described in paragraph (1)(D) to health care industry 
        stakeholders in accordance with such paragraph.
            (4) Rule of construction.--Nothing in this subsection shall 
        be construed to limit the antitrust exemption under section 
        104(e) or the protection from liability under section 106.
    (e) Cybersecurity Framework.--
            (1) In general.--The Secretary shall establish, through a 
        collaborative process with the Secretary of Homeland Security, 
        health care industry stakeholders, the National Institute of 
        Standards and Technology, and any Federal agency or entity the 
        Secretary determines appropriate, a single, voluntary, national 
        health-specific cybersecurity framework that--
                    (A) establishes a common set of voluntary, 
                consensus-based, and industry-led standards, security 
                practices, guidelines, methodologies, procedures, and 
                processes that serve as a resource for cost-effectively 
                reducing cybersecurity risks for a range of health care 
                organizations;
                    (B) supports voluntary adoption and implementation 
                efforts to improve safeguards to address cybersecurity 
                threats;
                    (C) is consistent with the security and privacy 
                regulations promulgated under section 264(c) of the 
                Health Insurance Portability and Accountability Act of 
                1996 (42 U.S.C. 1320d-2 note) and with the Health 
                Information Technology for Economic and Clinical Health 
                Act (title XIII of division A, and title IV of division 
                B, of Public Law 111-5), and the amendments made by 
                such Act; and
                    (D) is updated on a regular basis and applicable to 
                the range of health care organizations described in 
                subparagraph (A).
            (2) Limitation.--Nothing in this subsection shall be 
        interpreted as granting the Secretary authority to--
                    (A) provide for audits to ensure that health care 
                organizations are in compliance with the voluntary 
                framework under this subsection; or
                    (B) mandate, direct, or condition the award of any 
                Federal grant, contract, or purchase on compliance with 
                such voluntary framework.
            (3) No liability for nonparticipation.--Nothing in this 
        title shall be construed to subject a health care organization 
        to liability for choosing not to engage in the voluntary 
        activities authorized under this subsection.

SEC. 406. FEDERAL COMPUTER SECURITY.

    (a) Definitions.--In this section:
            (1) Covered system.--The term ``covered system'' shall mean 
        a national security system as defined in section 11103 of title 
        40, United States Code, or a Federal computer system that 
        provides access to personally identifiable information.
            (2) Covered agency.--The term ``covered agency'' means an 
        agency that operates a covered system.
            (3) Logical access control.--The term ``logical access 
        control'' means a process of granting or denying specific 
        requests to obtain and use information and related information 
        processing services.
            (4) Multi-factor logical access controls.--The term 
        ``multi-factor logical access controls'' means a set of not 
        less than 2 of the following logical access controls:
                    (A) Information that is known to the user, such as 
                a password or personal identification number.
                    (B) An access device that is provided to the user, 
                such as a cryptographic identification device or token.
                    (C) A unique biometric characteristic of the user.
            (5) Privileged user.--The term ``privileged user'' means a 
        user who, by virtue of function or seniority, has been 
        allocated powers within a covered system, which are 
        significantly greater than those available to the majority of 
        users.
    (b) Inspector General Reports on Covered Systems.--
            (1) In general.--Not later than 240 days after the date of 
        enactment of this Act, the Inspector General of each covered 
        agency shall submit to the appropriate committees of 
        jurisdiction in the Senate and the House of Representatives a 
        report, which shall include information collected from the 
        covered agency for the contents described in paragraph (2) 
        regarding the Federal computer systems of the covered agency.
            (2) Contents.--The report submitted by each Inspector 
        General of a covered agency under paragraph (1) shall include, 
        with respect to the covered agency, the following:
                    (A) A description of the logical access standards 
                used by the covered agency to access a covered system, 
                including--
                            (i) in aggregate, a list and description of 
                        logical access controls used to access such a 
                        covered system; and
                            (ii) whether the covered agency is using 
                        multi-factor logical access controls to access 
                        such a covered system.
                    (B) A description of the logical access controls 
                used by the covered agency to govern access to covered 
                systems by privileged users.
                    (C) If the covered agency does not use logical 
                access controls or multi-factor logical access controls 
                to access a covered system, a description of the 
                reasons for not using such logical access controls or 
                multi-factor logical access controls.
                    (D) A description of the following data security 
                management practices used by the covered agency:
                            (i) The policies and procedures followed to 
                        conduct inventories of the software present on 
                        the covered systems of the covered agency and 
                        the licenses associated with such software.
                            (ii) What capabilities the covered agency 
                        utilizes to monitor and detect exfiltration and 
                        other threats, including--
                                    (I) data loss prevention 
                                capabilities; or
                                    (II) digital rights management 
                                capabilities.
                            (iii) A description of how the covered 
                        agency is using the capabilities described in 
                        clause (ii).
                            (iv) If the covered agency is not utilizing 
                        capabilities described in clause (ii), a 
                        description of the reasons for not utilizing 
                        such capabilities.
                    (E) A description of the policies and procedures of 
                the covered agency with respect to ensuring that 
                entities, including contractors, that provide services 
                to the covered agency are implementing the data 
                security management practices described in subparagraph 
                (D).
            (3) Existing review.--The reports required under this 
        subsection may be based in whole or in part on an audit, 
        evaluation, or report relating to programs or practices of the 
        covered agency, and may be submitted as part of another report, 
        including the report required under section 3555 of title 44, 
        United States Code.
            (4) Classified information.--Reports submitted under this 
        subsection shall be in unclassified form, but may include a 
        classified annex.

SEC. 407. STRATEGY TO PROTECT CRITICAL INFRASTRUCTURE AT GREATEST RISK.

    (a) Definitions.--In this section:
            (1) Appropriate agency.--The term ``appropriate agency'' 
        means, with respect to a covered entity--
                    (A) except as provided in subparagraph (B), the 
                applicable sector-specific agency; or
                    (B) in the case of a covered entity that is 
                regulated by a Federal entity, such Federal entity.
            (2) Appropriate agency head.--The term ``appropriate agency 
        head'' means, with respect to a covered entity, the head of the 
        appropriate agency.
            (3) Covered entity.--The term ``covered entity'' means an 
        entity identified pursuant to section 9(a) of Executive Order 
        13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to 
        identification of critical infrastructure where a cybersecurity 
        incident could reasonably result in catastrophic regional or 
        national effects on public health or safety, economic security, 
        or national security.
            (4) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Select Committee on Intelligence of the 
                Senate;
                    (B) the Permanent Select Committee on Intelligence 
                of the House of Representatives;
                    (C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (D) the Committee on Homeland Security of the House 
                of Representatives;
                    (E) the Committee on Energy and Natural Resources 
                of the Senate;
                    (F) the Committee on Energy and Commerce of the 
                House of Representatives; and
                    (G) the Committee on Commerce, Science, and 
                Transportation of the Senate.
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of the Department of Homeland Security.
    (b) Status of Existing Cyber Incident Reporting.--
            (1) In general.--No later than 120 days after the date of 
        the enactment of this Act, the Secretary, in conjunction with 
        the appropriate agency head (as the case may be), shall submit 
        to the appropriate congressional committees a report describing 
        the 
        extent to which each covered entity reports significant 
        intrusions of information systems essential to the operation of 
        critical infrastructure to the Department of Homeland Security 
        or the appropriate agency head in a timely manner.
            (2) Form.--The report submitted under paragraph (1) may 
        include a classified annex.
    (c) Mitigation Strategy Required for Critical Infrastructure at 
Greatest Risk.--
            (1) In general.--No later than 180 days after the date of 
        the enactment of this Act, the Secretary, in conjunction with 
        the appropriate agency head (as the case may be), shall conduct 
        an assessment and develop a strategy that addresses each of the 
        covered entities, to ensure that, to the greatest extent 
        feasible, a cyber security incident affecting such entity would 
        no longer reasonably result in catastrophic regional or 
        national effects on public health or safety, economic security, 
        or national security.
            (2) Elements.--The strategy submitted by the Secretary with 
        respect to a covered entity shall include the following:
                    (A) An assessment of whether each entity should be 
                required to report cyber security incidents.
                    (B) A description of any identified security gaps 
                that must be addressed.
                    (C) Additional statutory authority necessary to 
                reduce the likelihood that a cyber incident could cause 
                catastrophic regional or national effects on public 
                health or safety, economic security, or national 
                security.
            (3) Submittal.--The Secretary shall submit to the 
        appropriate congressional committees the assessment and 
        strategy required by paragraph (1).
            (4) Form.--The assessment and strategy submitted under 
        paragraph (3) may each include a classified annex.

SEC. 408. STOPPING THE FRAUDULENT SALE OF FINANCIAL INFORMATION OF 
              PEOPLE OF THE UNITED STATES.

    Section 1029(h) of title 18, United States Code, is amended by 
striking ``title if--'' and all that follows through ``therefrom.'' and 
inserting ``title if the offense involves an access device issued, 
owned, managed, or controlled by a financial institution, account 
issuer, credit card system member, or other entity organized under the 
laws of the United States, or any State, the District of Columbia, or 
other Territory of the United States.''.

SEC. 409. EFFECTIVE PERIOD.

    (a) In General.--Except as provided in subsection (b), this Act and 
the amendments made by this Act shall be in effect during the 10-year 
period beginning on the date of the enactment of this Act.
    (b) Exception.--With respect to any action authorized by this Act 
or information obtained pursuant to an action authorized by this Act, 
which occurred before the date on which the provisions referred to in 
subsection (a) cease to have effect, the provisions of this Act shall 
continue in effect.

            Passed the Senate October 27, 2015.

            Attest:

                                                             Secretary.