Redesignations

(a)

In general

Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—(1)by striking section 2201 (6 U.S.C. 651); (2)by redesignating sections 2202 through 2214 as sections 2201 through 2213, respectively; (3)by redesignating section 2217 (6 U.S.C. 665f) as section 2219; (4)by redesignating section 2216 (6 U.S.C. 665e) as section 2218; (5)by redesignating the fourth section 2215 (relating to Sector Risk Management Agencies) (6 U.S.C. 665d) as section 2217; (6)by redesignating the third section 2215 (relating to the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section 2216; and(7)by redesignating the first section 2215 (relating to Duties and Authorities Relating to .GOV Internet Domain) (6 U.S.C. 665) as section 2214. (b)

Technical and conforming amendments

The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—(1)in section 320(d)(3)(C) (6 U.S.C. 195f(d)(3)(C)) by striking section 2201 and inserting section 2200; (2)in section 846(1) (6 U.S.C. 417(1)), by striking section 2209 and inserting section 2208; (3)in section 1801(c)(16) (6 U.S.C. 571(c)(16)) by striking section 2202(c)(7) and inserting section 2201(c)(7); (4)in section 2001(4)(A)(iii)(II) (6 U.S.C. 601(4)(A)(iii)(II)), by striking section 2214(a)(2) and inserting section 2213(a)(2); (5)in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by striking section 2214(a)(2) and inserting section 2213(a)(2);(6)in section 2201, as so redesignated—(A)in subsection (c)—(i)in the first paragraph (12), by striking section 2215 and inserting section 2216; (ii)by redesignating the second and third paragraphs (12) as paragraphs (13) and (14), respectively; and(iii)in paragraph (13), as so redesignated, by striking section 2215 and inserting section 2214; and(B)in subsection (e)(2), by striking sections 2203(b) and 2204(b) and inserting sections 2202(b) and 2203(b); (7)in section 2202(b)(3), as so redesignated, by striking section 2202(c)(7) and inserting section 2201(c)(7); (8)in section 2203(b)(3), as so redesignated, by striking section 2202(c)(7) and inserting section 2201(c)(7);(9)in section 2204, as so redesignated, in the matter preceding paragraph (1), by striking section 2202 and inserting section 2201;(10)in section 2210(b)(2)(A), as so redesignated, by striking section 2209 and inserting section 2208; and(11)in section 2217(c)(4)(A), by striking section 2209 and inserting section 2208.(c)

Table of contents

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended—(1)by striking inserting before the item relating to subtitle A of title XXII the following:

Sec. 2200. Definitions.

;

and

(2)by striking the items relating to sections 2201 through 2217 and inserting the following:

Sec. 2201. Cybersecurity and Infrastructure Security Agency.

Sec. 2202. Cybersecurity Division.

Sec. 2203. Infrastructure Security Division.

Sec. 2204. Enhancement of Federal and non-Federal cybersecurity.

Sec. 2205. Net guard.

Sec. 2206. Cyber Security Enhancement Act of 2002.

Sec. 2207. Cybersecurity recruitment and retention.

Sec. 2208. National cybersecurity and communications integration center.

Sec. 2209. Cybersecurity plans.

Sec. 2210. Cybersecurity strategy.

Sec. 2211. Clearances.

Sec. 2212. Federal intrusion detection and prevention system.

Sec. 2213. National Asset Database.

Sec. 2214. Duties and authorities relating to .gov internet domain.

Sec. 2215. Joint Cyber Planning Office.

Sec. 2216. Cybersecurity State Coordinator.

Sec. 2217. Sector Risk Management Agencies.

Sec. 2218. Cybersecurity Advisory Committee.

Sec. 2219. Cybersecurity education and training programs.

(d)

Additional technical amendment

(1)

Amendment

Section 904(b)(1) of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260) is amended, in the matter preceding subparagraph (A), by striking Homeland Security Act and inserting Homeland Security Act of 2002.(2)

Effective date

The amendment made by paragraph (1) shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260).

Consolidation of definitions

(a)

In general

Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651) is amended—(1)by striking section 2201; and(2)by inserting before the subtitle A heading the following:

2200.

Definitions

Except as otherwise specifically provided, in this title:(1)

Agency

The term Agency means the Cybersecurity and Infrastructure Security Agency. (2)

Agency information

The term agency information means information collected or maintained by or on behalf of an agency. (3)

Agency information system

The term agency information system means an information system used or operated by an agency or by another entity on behalf of an agency. (4)

Appropriate congressional committees

The term appropriate congressional committees means—(A)the Committee on Homeland Security and Governmental Affairs of the Senate; and(B)the Committee on Homeland Security of the House of Representatives.(5)

Critical infrastructure information

The term critical infrastructure information means information not customarily in the public domain and related to the security of critical infrastructure or protected systems—(A)actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, or local law, harms interstate commerce of the United States, or threatens public health or safety;(B)the ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or(C)any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.(6)

Cyber threat indicator

The term cyber threat indicator means information that is necessary to describe or identify—(A)malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;(B)a method of defeating a security control or exploitation of a security vulnerability;(C)a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;(D)a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;(E)malicious cyber command and control;(F)the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;(G)any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or(H)any combination thereof.(7)

Cybersecurity purpose

The term cybersecurity purpose means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability. (8)

Cybersecurity risk

The term cybersecurity risk—(A)means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and(B)does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.(9)

Cybersecurity threat

(A)

In general

Except as provided in subparagraph (B), the term cybersecurity threat means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.(B)

Exclusion

The term cybersecurity threat does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.(10)

Defensive measure

(A)

In general

Except as provided in subparagraph (B), the term defensive measure means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.(B)

Exclusion

The term defensive measure does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by—(i)the entity operating the measure; or(ii)another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure. (11)

Homeland Security Enterprise

The term Homeland Security Enterprise means relevant governmental and nongovernmental entities involved in homeland security, including Federal, State, local, and tribal government officials, private sector representatives, academics, and other policy experts.(12)

Incident

The term incident means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system. (13)

Information sharing and analysis organization

The term Information Sharing and Analysis Organization means any formal or informal entity or collaboration created or employed by public or private sector organizations, for purposes of—(A)gathering and analyzing critical infrastructure information, including information related to cybersecurity risks and incidents, in order to better understand security problems and interdependencies related to critical infrastructure, including cybersecurity risks and incidents, and protected systems, so as to ensure the availability, integrity, and reliability thereof;(B)communicating or disclosing critical infrastructure information, including cybersecurity risks and incidents, to help prevent, detect, mitigate, or recover from the effects of a interference, compromise, or a incapacitation problem related to critical infrastructure, including cybersecurity risks and incidents, or protected systems; and(C)voluntarily disseminating critical infrastructure information, including cybersecurity risks and incidents, to its members, State, local, and Federal Governments, or any other entities that may be of assistance in carrying out the purposes specified in subparagraphs (A) and (B).(14)

Information system

The term information system has the meaning given the term in section 3502 of title 44, United States Code. (15)

Intelligence community

The term intelligence community has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)). (16)

Monitor

The term monitor means to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.(17)

National cybersecurity asset response activities

The term national cybersecurity asset response activities means—(A)furnishing cybersecurity technical assistance to entities affected by cybersecurity risks to protect assets, mitigate vulnerabilities, and reduce impacts of cyber incidents;(B)identifying other entities that may be at risk of an incident and assessing risk to the same or similar vulnerabilities;(C)assessing potential cybersecurity risks to a sector or region, including potential cascading effects, and developing courses of action to mitigate such risks;(D)facilitating information sharing and operational coordination with threat response; and(E)providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery from cybersecurity risks.(18)

National security system

The term national security system has the meaning given the term in section 11103 of title 40, United States Code. (19)

Sector risk management agency

The term Sector Risk Management Agency means a Federal department or agency, designated by law or Presidential directive, with responsibility for providing institutional knowledge and specialized expertise of a sector, as well as leading, facilitating, or supporting programs and associated activities of its designated critical infrastructure sector in the all hazards environment in coordination with the Department.(20)

Security vulnerability

The term security vulnerability means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.(21)

Sharing

The term sharing (including all conjugations thereof) means providing, recieving, and disseminating (including all conjugations of each such terms).

(b)

Technical and conforming amendments

The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—(1)in section 2201, as so redesignated—(A)in subsection (a)(1), by striking (in this subtitle referred to as the Agency); (B)in subsection (f)—(i)in paragraph (1), by inserting Executive before Assistant Director; and(ii)in paragraph (2), by inserting Executive before Assistant Director; (2)in section 2202(a)(2), as so redesignated, by striking as the Assistant Director and inserting as the Executive Assistant Director; (3)in section 2203(a)(2), as so redesignated, by striking as the Assistant Director and inserting as the Executive Assistant Director; (4)in section 2208, as so redesignated—(A)by striking subsection (a); (B)by redesignating subsections (b) through subsection (o) as subsections (a) through (n), respectively; (C)in subsection (c)(1)(A)(iii), as so redesignated, by striking , as that term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); (D)in subsection (d), as so redesignated, in the matter preceding paragraph (1), by striking subsection (c) and inserting subsection (b); (E)in subsection (j), as so redesignated, by striking subsection (c)(8) and inserting subsection (b)(8); and(F)in subsection (n), as so redesignated—(i)in paragraph (2)(A), by striking subsection (c)(12) and inserting subsection (b)(12); and(ii)in paragraph (3)(B)(i), by striking subsection (c)(12) and inserting subsection (b)(12); (5)in section 2209, as so redesignated—(A)by striking subsection (a); (B)by redesignating subsections (b) through (d) as subsections (a) through (c), respectively; (C)in subsection (b), as so redesignated—(i)by striking information sharing and analysis organizations (as defined in section 2222(5)) and inserting Information Sharing and Analysis Organizations; and(ii)by striking (as defined in section 2209); and(D)in subsection (c), as so redesignated, by striking subsection (c) and inserting subsection (b);(6)in section 2210, as so redesignated, by striking subsection (h); (7)in section 2211, as so redesignated, by striking information sharing and analysis organizations (as defined in section 2222(5)) and inserting Information Sharing and Analysis Organizations; (8)in section 2212, as so redesignated—(A)by striking subsection (a); (B)by redesignating subsections (b) through (f) as subsections (a) through (e); respectively; (C)in subsection (b), as so redesignated, by striking subsection (b) each place it appears and inserting subsection (a); (D)in subsection (c), as so redesignated, in the matter preceding paragraph (1), by striking subsection (b) and inserting subsection (a); and(E)in subsection (d), as so redesignated—(i)in paragraph (1)—(I)in the matter preceding subparagraph (A), by striking subsection (c)(2) and inserting subsection (b)(2); (II)in subparagraph (A), by striking subsection (c)(1) and inserting subsection (b)(1); and(III)in subparagraph (B), by striking subsection (c)(2) and inserting subsection (b)(2); and(ii)in paragraph (2), by striking subsection (c)(2) and inserting subsection (b)(2); (9)in section 2215 (6 U.S.C. 665b)—(A)by striking subsection (a); (B)by redesignating subsections (b) through (h) as subsections (a) through (g), respectively; (C)in subsection (a), as so redesignated—(i)in the matter preceding paragraph (1), by striking subsection (e) and inserting subsection (d); (ii)in paragraph (1), by striking subsection (c) and inserting subsection (b); and(iii)in paragraph (2), by striking subsection (c) and inserting subsection (b); (D)in subsection (b)(4), as so redesignated—(i)by striking subsection (e) and inserting subsection (d); and(ii)by striking subsection (h) and inserting subsection (g); (E)in subsection (d), as so redesignated, by striking subsection (b)(1) each place it appears and inserting subsection (a)(1); (F)in subsection (e), as so redesignated—(i)by striking subsection (b) and inserting subsection (a); (ii)by striking subsection (e) and inserting subsection (d); and(iii)by striking subsection (b)(1) and inserting subsection (a)(1); and(G)in subsection (f), as so redesignated, by striking subsection (c) and inserting subsection (b); (10)in section 2216, as so redesignated, by striking subsection (f) and inserting the following:

(f)

Cyber defense operation defined

In this section, the term cyber defense operation means the use of a defensive measure.

; and

(11)in section 2222—(A)by striking paragraphs (3), (5), and (8); (B)by redesignating paragraph (4) as paragraph (3); and (C)by redesignating paragraphs (6) and (7) as paragraphs (4) and (5), respectively. (c)

Cybersecurity Act of 2015 definitions

Section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501) is amended—(1)by striking paragraphs (4) through (7) and inserting the following:

(4)

Cybersecurity purpose

The term cybersecurity purpose has the meaning given the term in section 2200 of the Homeland Security Act of 2002.(5)

Cybersecurity threat

The term cybersecurity threat has the meaning given the term in section 2200 of the Homeland Security Act of 2002.(6)

Cyber theat indicator

The term cyber threat indicator has the meaning given the term in section 2200 of the Homeland Security Act of 2002.(7)

Defensive measure

The term defensive measure has the meaning given the term in section 2200 of the Homeland Security Act of 2002.

;

(2)by striking paragraph (13) and inserting the following:

(13)

Monitor

The term monitor has the meaning given the term in section 2200 of the Homeland Security Act of 2002.

; and

(3)by striking paragraph (17) and inserting the following:

(17)

Security vulnerability

The term security vulnerability has the meaning given the term in section 2200 of the Homeland Security Act of 2002.

Additional technical and conforming amendments

(a)

Federal Cybersecurity Enhancement Act of 2015

The Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) is amended—(1)in section 222 (6 U.S.C. 1521)—(A)in paragraph (2), by striking section 2210 and inserting section 2200; and(B)in paragraph (4), by striking section 2209 and inserting section 2200;(2)in section 223 (6 U.S.C. 151 note) is amended by striking section 2213(b)(1) each place it appears and inserting section 2212(a)(1); and(3)in section 226—(A)in subsection (a)—(i)in paragraph (1), by striking section 2213 and inserting section 2200; (ii)in paragraph (4), by striking section 2210(b)(1) and inserting section 2209(a)(1); and(iii)in paragraph (5), by striking section 2213(b) and inserting section 2212(a); and(B)in subsection (c)(1)(A)(vi), by striking section 2213(c)(5) and inserting section 2212(b)(5); and(4)in section 227 (6 U.S.C. 1525)—(A)in subsection (a), by striking section 2213 and inserting section 2212; and(B)in subsection (b), by striking section 2213(d)(2) and inserting section 2212(c)(2).(b)

Public Health Service Act

Section 2811(b)(4)(D) of the Public Health Service Act (42 U.S.C. 300hh–10(b)(4)(D)) is amended by striking section 228(c) of the Homeland Security Act of 2002 (6 U.S.C. 149(c)) and inserting section 2209(c) of the Homeland Security Act of 2002. (c)

William M. (Mac) Thornberry National Defense Authorization Act of Fiscal Year 2021

Section 9002 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a) is amended—(1)in subsection (a)—(A)in paragraph (5), by striking section 2222(5) of the Homeland Security Act of 2002 (6 U.S.C. 671(5)) and inserting section 2200 of the Homeland Security Act of 2002; and(B)in paragraph (7), by striking given the term and all that follows and inserting given the term in section 2200 of the Homeland Security Act of 2002; (2)in subsection (b)(1)(A), by striking section 2202(c)(4) of the Homeland Security Act (6 U.S.C. 652(c)(4)) and inserting section 2201(c)(4); (3)in subsection (c)(3)(B), by striking section 2201(5) of the Homeland Security Act of 2002 (6 U.S.C. 651(5)) and inserting section 2200 of the Homeland Security Act of 2002; and(4)in subsection (d)—(A)by striking section 2215 and inserting 2217; and(B)by striking , as added by this section. (d)

National Security Act of 1947

Section 113B of the National Security Act of 1947 (50 U.S.C. 3049a(b)(4)) is amended by striking section 226 of the Homeland Security Act of 2002 (6 U.S.C. 147) and inserting section 2207 of the Homeland Security Act of 2002.(e)

Cybersecurity Act of 2015

Section 404(a) of the Cybersecurity Act of 2015 (6 U.S.C. 1532(a)) is amended by striking section 2209 and inserting section 2208.(f)

IoT Cybersecurity Improvement Act of 2020

Section 5(b)(3) of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c) is amended by striking section 2209(m) and inserting section 2208(l).(g)

Small Business Act

Section 21(a)(8)(B) of the Small Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking section 2209(a) and inserting section 2200.(h)

Title 46

Section 70101(2) of title 46, United States Code, is amended by striking section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) and inserting section 2200 of the Homeland Security Act of 2002.