[Congressional Record Volume 161, Number 158 (Tuesday, October 27, 2015)]
[Senate]
[Pages S7549-S7550]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                           TEXT OF AMENDMENTS

  SA 2749. Mr. BURR (for himself and Mrs. Feinstein) proposed an 
amendment to amendment SA 2716 proposed by Mr. Burr (for himself and 
Mrs. Feinstein) to the bill S. 754, to improve cybersecurity in the 
United States through enhanced sharing of information about 
cybersecurity threats, and for other purposes; as follows:



 =========================== NOTE =========================== 

  
  On page S7549, October 27, 2015, in the second column, under the 
heading TEXT OF AMENDMENTS, the following language appears: SA 
2749. Mr. BURR proposed an amendment to amendment SA 2716 proposed 
by Mr. BURR (for himself and Mrs. Feinstein) to the bill S. 754, 
to improve cybersecurity in the United States through enhanced 
sharing of information about cybersecurity threats, and for other 
purposes; as follows:
  
  The online Record has been corrected to read: SA 2749. Mr. BURR 
(for himself and Mrs. Feinstein) proposed an amendment to 
amendment SA 2716 proposed by Mr. BURR (for himself and Mrs. 
Feinstein) to the bill S. 754, to improve cybersecurity in the 
United States through enhanced sharing of information about 
cybersecurity threats, and for other purposes; as follows:


 ========================= END NOTE ========================= 

       On page 11, line 3, strike ``period'' and insert 
     ``periodic''.
       On page 11, line 10, strike ``532'' and insert ``632''.
       On page 20, line 21, strike ``measures'' and insert 
     ``measure''.
       On page 56, line 8, strike ``and'' and all that follows 
     through ``(7)'' on line 9 and insert the following:
       (7) the term ``national security system'' has the meaning 
     given the term in section 11103 of title 40, United States 
     Code; and
       (8)
       On page 57, line 8, strike ``and''.
       On page 57, line 11, strike the period at the end and 
     insert ``; and''.
       On page 57, between lines 11 and 12, insert the following:
       ``(4) the term `national security system' has the meaning 
     given the term in section 11103 of title 40, United States 
     Code.
       On page 64, lines 14 and 15, strike ``Notwithstanding 
     section 202, in this subsection'' and insert ``In this 
     subsection only''.
       On page 69, line 13, strike ``all taken'' and insert 
     ``taken all''.
       On page 76, line 22, insert ``and the Director of the 
     Office of Management and Budget'' after ``Intelligence''.
       On page 77, lines 12 and 13, strike ``, as defined in 
     section 11103 of title 40, United States Code''.
       On page 77, line 14, insert ``and the Director of the 
     Office of Management and Budget'' after ``Intelligence''.
       On page 78, between lines 2 and 3, insert the following:
       (d) Rule of Construction.--Nothing in this section shall be 
     construed to designate an information system as a national 
     security system.
       On page 78, line 18, strike ``owned'' and insert ``used''.
       Beginning on page 80, line 25, strike ``use'' and all that 
     follows through ``other'' on page 81, line 6, and insert 
     ``intrusion detection and prevention capabilities under 
     section 230(b)(1) of the Homeland Security Act of 2002 for 
     the purpose of ensuring the security of''.
       On page 84, line 25, strike ``Act'' and insert ``Act of 
     2015''.
       On page 85, between lines 11 and 12, insert the following:
       (D) the Committee on Commerce, Science, and Transportation 
     of the Senate;
       On page 86, line 26, insert ``the Director of the National 
     Institute of Standards and Technology and'' after 
     ``coordination with''.
       On page 88, line 8, strike ``non-civilian'' and insert 
     ``noncivilian''.
       On page 89, line 23, insert ``, the Director of the 
     National Institute of Standards and Technology,'' after 
     ``Director''.
       On page 91, line 11, strike ``203 and 204'' and insert 
     ``303 and 304''.
       On page 91, line 21, insert ``, in consultation with the 
     Director of the National Institute of Standards and 
     Technology,'' after ``Security''.
       On page 92, line 9, insert ``, in consultation with the 
     Director of the National Institute of Standards and 
     Technology,'' after ``Secretary''.
       On page 96, line 19, strike ``likely,'' and insert 
     ``likely''.
       On page 96, line 22, strike ``present'' and insert 
     ``present,''.
       Beginning on page 103, strike line 10 and all that follows 
     through page 105, line 24, and insert the following:
       (1) In general.--Not later than 60 days after the date of 
     enactment of this Act, the Secretary, in consultation with 
     the Director of the National Institute of Standards and 
     Technology and the Secretary of Homeland Security, shall 
     convene health care industry stakeholders, cybersecurity 
     experts, and any Federal agencies or entities the Secretary 
     determines appropriate to establish a task force to--
       (A) analyze how industries, other than the health care 
     industry, have implemented strategies and safeguards for 
     addressing cybersecurity threats within their respective 
     industries;
       (B) analyze challenges and barriers private entities 
     (notwithstanding section 102(15)(B), excluding any State, 
     tribal, or local government) in the health care industry face 
     securing themselves against cyber attacks;
       (C) review challenges that covered entities and business 
     associates face in securing networked medical devices and 
     other software or systems that connect to an electronic 
     health record;
       (D) provide the Secretary with information to disseminate 
     to health care industry stakeholders for purposes of 
     improving their preparedness for, and response to, 
     cybersecurity threats affecting the health care industry;
       (E) establish a plan for creating a single system for the 
     Federal Government to share information on actionable 
     intelligence regarding cybersecurity threats to the health 
     care industry in near real time, requiring no fee to the 
     recipients of such information, including which Federal 
     agency or other entity may be best suited to be the central 
     conduit to facilitate the sharing of such information; and
       (F) report to Congress on the findings and recommendations 
     of the task force regarding carrying out subparagraphs (A) 
     through (E).
       (2) Termination.--The task force established under this 
     subsection shall terminate on the date that is 1 year after 
     the date of enactment of this Act.
       (3) Dissemination.--Not later than 60 days after the 
     termination of the task force established under this 
     subsection, the Secretary shall disseminate the information 
     described in paragraph (1)(D) to health care industry 
     stakeholders in accordance with such paragraph.
       (4) Rule of construction.--Nothing in this subsection shall 
     be construed to limit the antitrust exemption under section 
     104(e) or the protection from liability under section 106.
       (e) Cybersecurity Framework.--
       (1) In general.--The Secretary shall establish, through a 
     collaborative process with the Secretary of Homeland 
     Security, health care industry stakeholders, the National 
     Institute of Standards and Technology, and any Federal agency 
     or entity the Secretary determines appropriate, a single, 
     voluntary, national health-specific cybersecurity framework 
     that--
       (A) establishes a common set of voluntary, consensus-based, 
     and industry-led standards, security practices, guidelines, 
     methodologies, procedures, and processes that serve as 
     a resource for cost-effectively reducing cybersecurity risks 
     for a range of health care organizations;
       (B) supports voluntary adoption and implementation efforts 
     to improve safeguards to address cybersecurity threats;
       (C) is consistent with the security and privacy regulations 
     promulgated under section 264(c) of the Health Insurance 
     Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 
     note) and with the Health Information Technology for Economic 
     and Clinical Health Act (title XIII of division A, and title 
     IV of division B, of Public Law 111-5), and the amendments 
     made by such Act; and
       (D) is updated on a regular basis and applicable to the 
     range of health care organizations described in subparagraph 
     (A).
       (2) Limitation.--Nothing in this subsection shall be 
     interpreted as granting the Secretary authority to--
       (A) provide for audits to ensure that health care 
     organizations are in compliance with the voluntary framework 
     under this subsection; or
       (B) mandate, direct, or condition the award of any Federal 
     grant, contract, or purchase on compliance with such 
     voluntary framework.
       (3) No liability for nonparticipation.--Nothing in this 
     title shall be construed to subject a health care 
     organization to liability for choosing not to engage in the 
     voluntary activities authorized under this subsection.
       On page 107, line 10, strike ``shall each'' and insert 
     ``shall''.
       On page 107, lines 11 and 12, strike ``each Comptroller 
     General of the United States and''.
       On page 110, strike lines 6 through 16.
       On page 111, lines 8 and 9, strike ``under subsection (b)'' 
     and insert ``pursuant to section 9(a) of Executive Order 
     13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to 
     identification of critical infrastructure where a 
     cybersecurity incident could reasonably result in 
     catastrophic regional or national effects on public health or 
     safety, economic security, or national security''.
       On page 111, strike lines 22 through 24 and insert the 
     following:

     Resources of the Senate;
       (F) the Committee on Energy and Commerce of the House of 
     Representatives; and
       (G) the Committee on Commerce, Science, and Transportation 
     of the Senate.
       On page 112, line 3, add a period at the end.
       On page 112, strike lines 4 through 10.
       On page 113, line 14, strike ``intrusion''.
       Beginning on page 114, strike line 7 and all that follows 
     through page 115, line 9.
       On page 115, after line 9, add the following:

     SEC. 408. STOPPING THE FRAUDULENT SALE OF FINANCIAL 
                   INFORMATION OF PEOPLE OF THE UNITED STATES.

       Section 1029(h) of title 18, United States Code, is amended 
     by striking ``title if--'' and all that follows through 
     ``therefrom.'' and inserting ``title if the offense involves 
     an access device issued, owned, managed, or controlled by a 
     financial institution, account issuer, credit card system 
     member, or other entity organized under the laws of the 
     United States, or any State, the District of Columbia, or 
     other Territory of the United States.''.
