[Congressional Record Volume 164, Number 179 (Tuesday, November 13, 2018)]
[House]
[Pages H9501-H9506]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




      CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY ACT OF 2018

  Mr. McCAUL. Mr. Speaker, I ask unanimous consent to take from the 
Speaker's table the bill (H.R. 3359) to amend the Homeland Security Act 
of 2002 to authorize the Cybersecurity and Infrastructure Security 
Agency of the Department of Homeland Security, and for other purposes, 
with the Senate amendment thereto, and concur in the Senate amendment.
  The Clerk read the title of the bill.
  The SPEAKER pro tempore (Mr. Mast). The Clerk will report the Senate 
amendment.
  The Clerk read as follows:
  Senate amendment:
Strike out all after the enacting clause and insert:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cybersecurity and 
     Infrastructure Security Agency Act of 2018''.

     SEC. 2. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

       (a) In General.--The Homeland Security Act of 2002 (6 
     U.S.C. 101 et seq.) is amended by adding at the end the 
     following:

     ``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

        ``Subtitle A--Cybersecurity and Infrastructure Security

     ``SEC. 2201. DEFINITIONS.

       ``In this subtitle:
       ``(1) Critical infrastructure information.--The term 
     `critical infrastructure information' has the meaning given 
     the term in section 2222.
       ``(2) Cybersecurity risk.--The term `cybersecurity risk' 
     has the meaning given the term in section 2209.
       ``(3) Cybersecurity threat.--The term `cybersecurity 
     threat' has the meaning given the term in section 102(5) of 
     the Cybersecurity Act of 2015 (contained in division N of the 
     Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
     U.S.C. 1501)).
       ``(4) National cybersecurity asset response activities.--
     The term `national cybersecurity asset response activities' 
     means--
       ``(A) furnishing cybersecurity technical assistance to 
     entities affected by cybersecurity risks to protect assets, 
     mitigate vulnerabilities, and reduce impacts of cyber 
     incidents;
       ``(B) identifying other entities that may be at risk of an 
     incident and assessing risk to the same or similar 
     vulnerabilities;
       ``(C) assessing potential cybersecurity risks to a sector 
     or region, including potential cascading effects, and 
     developing courses of action to mitigate such risks;
       ``(D) facilitating information sharing and operational 
     coordination with threat response; and
       ``(E) providing guidance on how best to utilize Federal 
     resources and capabilities in a timely, effective manner to 
     speed recovery from cybersecurity risks.

[[Page H9502]]

       ``(5) Sector-specific agency.--The term `Sector-Specific 
     Agency' means a Federal department or agency, designated by 
     law or presidential directive, with responsibility for 
     providing institutional knowledge and specialized expertise 
     of a sector, as well as leading, facilitating, or supporting 
     programs and associated activities of its designated critical 
     infrastructure sector in the all hazards environment in 
     coordination with the Department.
       ``(6) Sharing.--The term `sharing' has the meaning given 
     the term in section 2209.

     ``SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY 
                   AGENCY.

       ``(a) Redesignation.--
       ``(1) In general.--The National Protection and Programs 
     Directorate of the Department shall, on and after the date of 
     the enactment of this subtitle, be known as the 
     `Cybersecurity and Infrastructure Security Agency' (in this 
     subtitle referred to as the `Agency').
       ``(2) References.--Any reference to the National Protection 
     and Programs Directorate of the Department in any law, 
     regulation, map, document, record, or other paper of the 
     United States shall be deemed to be a reference to the 
     Cybersecurity and Infrastructure Security Agency of the 
     Department.
       ``(b) Director.--
       ``(1) In general.--The Agency shall be headed by a Director 
     of Cybersecurity and Infrastructure Security (in this 
     subtitle referred to as the `Director'), who shall report to 
     the Secretary.
       ``(2) Reference.--Any reference to an Under Secretary 
     responsible for overseeing critical infrastructure 
     protection, cybersecurity, and any other related program of 
     the Department as described in section 103(a)(1)(H) as in 
     effect on the day before the date of enactment of this 
     subtitle in any law, regulation, map, document, record, or 
     other paper of the United States shall be deemed to be a 
     reference to the Director of Cybersecurity and Infrastructure 
     Security of the Department.
       ``(c) Responsibilities.--The Director shall--
       ``(1) lead cybersecurity and critical infrastructure 
     security programs, operations, and associated policy for the 
     Agency, including national cybersecurity asset response 
     activities;
       ``(2) coordinate with Federal entities, including Sector-
     Specific Agencies, and non-Federal entities, including 
     international entities, to carry out the cybersecurity and 
     critical infrastructure activities of the Agency, as 
     appropriate;
       ``(3) carry out the responsibilities of the Secretary to 
     secure Federal information and information systems consistent 
     with law, including subchapter II of chapter 35 of title 44, 
     United States Code, and the Cybersecurity Act of 2015 
     (contained in division N of the Consolidated Appropriations 
     Act, 2016 (Public Law 114-113));
       ``(4) coordinate a national effort to secure and protect 
     against critical infrastructure risks, consistent with 
     subsection (e)(1)(E);
       ``(5) upon request, provide analyses, expertise, and other 
     technical assistance to critical infrastructure owners and 
     operators and, where appropriate, provide those analyses, 
     expertise, and other technical assistance in coordination 
     with Sector-Specific Agencies and other Federal departments 
     and agencies;
       ``(6) develop and utilize mechanisms for active and 
     frequent collaboration between the Agency and Sector-Specific 
     Agencies to ensure appropriate coordination, situational 
     awareness, and communications with Sector-Specific Agencies;
       ``(7) maintain and utilize mechanisms for the regular and 
     ongoing consultation and collaboration among the Divisions of 
     the Agency to further operational coordination, integrated 
     situational awareness, and improved integration across the 
     Agency in accordance with this Act;
       ``(8) develop, coordinate, and implement--
       ``(A) comprehensive strategic plans for the activities of 
     the Agency; and
       ``(B) risk assessments by and for the Agency;
       ``(9) carry out emergency communications responsibilities, 
     in accordance with title XVIII;
       ``(10) carry out cybersecurity, infrastructure security, 
     and emergency communications stakeholder outreach and 
     engagement and coordinate that outreach and engagement with 
     critical infrastructure Sector-Specific Agencies, as 
     appropriate; and
       ``(11) carry out such other duties and powers prescribed by 
     law or delegated by the Secretary.
       ``(d) Deputy Director.--There shall be in the Agency a 
     Deputy Director of Cybersecurity and Infrastructure Security 
     who shall--
       ``(1) assist the Director in the management of the Agency; 
     and
       ``(2) report to the Director.
       ``(e) Cybersecurity and Infrastructure Security Authorities 
     of the Secretary.--
       ``(1) In general.--The responsibilities of the Secretary 
     relating to cybersecurity and infrastructure security shall 
     include the following:
       ``(A) To access, receive, and analyze law enforcement 
     information, intelligence information, and other information 
     from Federal Government agencies, State, local, tribal, and 
     territorial government agencies, including law enforcement 
     agencies, and private sector entities, and to integrate that 
     information, in support of the mission responsibilities of 
     the Department, in order to--
       ``(i) identify and assess the nature and scope of terrorist 
     threats to the homeland;
       ``(ii) detect and identify threats of terrorism against the 
     United States; and
       ``(iii) understand those threats in light of actual and 
     potential vulnerabilities of the homeland.
       ``(B) To carry out comprehensive assessments of the 
     vulnerabilities of the key resources and critical 
     infrastructure of the United States, including the 
     performance of risk assessments to determine the risks posed 
     by particular types of terrorist attacks within the United 
     States, including an assessment of the probability of success 
     of those attacks and the feasibility and potential efficacy 
     of various countermeasures to those attacks. At the 
     discretion of the Secretary, such assessments may be carried 
     out in coordination with Sector-Specific Agencies.
       ``(C) To integrate relevant information, analysis, and 
     vulnerability assessments, regardless of whether the 
     information, analysis, or assessments are provided or 
     produced by the Department, in order to make recommendations, 
     including prioritization, for protective and support measures 
     by the Department, other Federal Government agencies, State, 
     local, tribal, and territorial government agencies and 
     authorities, the private sector, and other entities regarding 
     terrorist and other threats to homeland security.
       ``(D) To ensure, pursuant to section 202, the timely and 
     efficient access by the Department to all information 
     necessary to discharge the responsibilities under this title, 
     including obtaining that information from other Federal 
     Government agencies.
       ``(E) To develop, in coordination with the Sector-Specific 
     Agencies with available expertise, a comprehensive national 
     plan for securing the key resources and critical 
     infrastructure of the United States, including power 
     production, generation, and distribution systems, information 
     technology and telecommunications systems (including 
     satellites), electronic financial and property record storage 
     and transmission systems, emergency communications systems, 
     and the physical and technological assets that support those 
     systems.
       ``(F) To recommend measures necessary to protect the key 
     resources and critical infrastructure of the United States in 
     coordination with other Federal Government agencies, 
     including Sector-Specific Agencies, and in cooperation with 
     State, local, tribal, and territorial government agencies and 
     authorities, the private sector, and other entities.
       ``(G) To review, analyze, and make recommendations for 
     improvements to the policies and procedures governing the 
     sharing of information relating to homeland security within 
     the Federal Government and between Federal Government 
     agencies and State, local, tribal, and territorial government 
     agencies and authorities.
       ``(H) To disseminate, as appropriate, information analyzed 
     by the Department within the Department to other Federal 
     Government agencies with responsibilities relating to 
     homeland security and to State, local, tribal, and 
     territorial government agencies and private sector entities 
     with those responsibilities in order to assist in the 
     deterrence, prevention, or preemption of, or response to, 
     terrorist attacks against the United States.
       ``(I) To consult with State, local, tribal, and territorial 
     government agencies and private sector entities to ensure 
     appropriate exchanges of information, including law 
     enforcement-related information, relating to threats of 
     terrorism against the United States.
       ``(J) To ensure that any material received pursuant to this 
     Act is protected from unauthorized disclosure and handled and 
     used only for the performance of official duties.
       ``(K) To request additional information from other Federal 
     Government agencies, State, local, tribal, and territorial 
     government agencies, and the private sector relating to 
     threats of terrorism in the United States, or relating to 
     other areas of responsibility assigned by the Secretary, 
     including the entry into cooperative agreements through the 
     Secretary to obtain such information.
       ``(L) To establish and utilize, in conjunction with the 
     Chief Information Officer of the Department, a secure 
     communications and information technology infrastructure, 
     including data-mining and other advanced analytical tools, in 
     order to access, receive, and analyze data and information in 
     furtherance of the responsibilities under this section, and 
     to disseminate information acquired and analyzed by the 
     Department, as appropriate.
       ``(M) To coordinate training and other support to the 
     elements and personnel of the Department, other Federal 
     Government agencies, and State, local, tribal, and 
     territorial government agencies that provide information to 
     the Department, or are consumers of information provided by 
     the Department, in order to facilitate the identification and 
     sharing of information revealed in their ordinary duties and 
     the optimal utilization of information received from the 
     Department.
       ``(N) To coordinate with Federal, State, local, tribal, and 
     territorial law enforcement agencies, and the private sector, 
     as appropriate.
       ``(O) To exercise the authorities and oversight of the 
     functions, personnel, assets, and liabilities of those 
     components transferred to the Department pursuant to section 
     201(g).
       ``(P) To carry out the functions of the national 
     cybersecurity and communications integration center under 
     section 2209.
       ``(Q) To carry out the requirements of the Chemical 
     Facility Anti-Terrorism Standards Program established under 
     title XXI and the secure handling of ammonium nitrate program 
     established under subtitle J of title VIII, or any successor 
     programs.
       ``(2) Reallocation.--The Secretary may reallocate within 
     the Agency the functions specified in sections 2203(b) and 
     2204(b), consistent with the responsibilities provided in 
     paragraph (1), upon certifying to and briefing the 
     appropriate congressional committees, and making available to 
     the public, at least 60 days prior to the reallocation that 
     the reallocation is necessary for carrying out the activities 
     of the Agency.
       ``(3) Staff.--
       ``(A) In general.--The Secretary shall provide the Agency 
     with a staff of analysts having appropriate expertise and 
     experience to assist the Agency in discharging the 
     responsibilities of the Agency under this section.

[[Page H9503]]

       ``(B) Private sector analysts.--Analysts under this 
     subsection may include analysts from the private sector.
       ``(C) Security clearances.--Analysts under this subsection 
     shall possess security clearances appropriate for their work 
     under this section.
       ``(4) Detail of personnel.--
       ``(A) In general.--In order to assist the Agency in 
     discharging the responsibilities of the Agency under this 
     section, personnel of the Federal agencies described in 
     subparagraph (B) may be detailed to the Agency for the 
     performance of analytic functions and related duties.
       ``(B) Agencies.--The Federal agencies described in this 
     subparagraph are--
       ``(i) the Department of State;
       ``(ii) the Central Intelligence Agency;
       ``(iii) the Federal Bureau of Investigation;
       ``(iv) the National Security Agency;
       ``(v) the National Geospatial-Intelligence Agency;
       ``(vi) the Defense Intelligence Agency;
       ``(vii) Sector-Specific Agencies; and
       ``(viii) any other agency of the Federal Government that 
     the President considers appropriate.
       ``(C) Interagency agreements.--The Secretary and the head 
     of a Federal agency described in subparagraph (B) may enter 
     into agreements for the purpose of detailing personnel under 
     this paragraph.
       ``(D) Basis.--The detail of personnel under this paragraph 
     may be on a reimbursable or non-reimbursable basis.
       ``(f) Composition.--The Agency shall be composed of the 
     following divisions:
       ``(1) The Cybersecurity Division, headed by an Assistant 
     Director.
       ``(2) The Infrastructure Security Division, headed by an 
     Assistant Director.
       ``(3) The Emergency Communications Division under title 
     XVIII, headed by an Assistant Director.
       ``(g) Co-location.--
       ``(1) In general.--To the maximum extent practicable, the 
     Director shall examine the establishment of central locations 
     in geographical regions with a significant Agency presence.
       ``(2) Coordination.--When establishing the central 
     locations described in paragraph (1), the Director shall 
     coordinate with component heads and the Under Secretary for 
     Management to co-locate or partner on any new real property 
     leases, renewing any occupancy agreements for existing 
     leases, or agreeing to extend or newly occupy any Federal 
     space or new construction.
       ``(h) Privacy.--
       ``(1) In general.--There shall be a Privacy Officer of the 
     Agency with primary responsibility for privacy policy and 
     compliance for the Agency.
       ``(2) Responsibilities.--The responsibilities of the 
     Privacy Officer of the Agency shall include--
       ``(A) assuring that the use of technologies by the Agency 
     sustain, and do not erode, privacy protections relating to 
     the use, collection, and disclosure of personal information;
       ``(B) assuring that personal information contained in 
     systems of records of the Agency is handled in full 
     compliance as specified in section 552a of title 5, United 
     States Code (commonly known as the `Privacy Act of 1974');
       ``(C) evaluating legislative and regulatory proposals 
     involving collection, use, and disclosure of personal 
     information by the Agency; and
       ``(D) conducting a privacy impact assessment of proposed 
     rules of the Agency on the privacy of personal information, 
     including the type of personal information collected and the 
     number of people affected.
       ``(i) Savings.--Nothing in this title may be construed as 
     affecting in any manner the authority, existing on the day 
     before the date of enactment of this title, of any other 
     component of the Department or any other Federal department 
     or agency, including the authority provided to the Sector-
     Specific Agency specified in section 61003(c) of division F 
     of the Fixing America's Surface Transportation Act (6 U.S.C. 
     121 note; Public Law 114-94).

     ``SEC. 2203. CYBERSECURITY DIVISION.

       ``(a) Establishment.--
       ``(1) In general.--There is established in the Agency a 
     Cybersecurity Division.
       ``(2) Assistant director.--The Cybersecurity Division shall 
     be headed by an Assistant Director for Cybersecurity (in this 
     section referred to as the `Assistant Director'), who shall--
       ``(A) be at the level of Assistant Secretary within the 
     Department;
       ``(B) be appointed by the President without the advice and 
     consent of the Senate; and
       ``(C) report to the Director.
       ``(3) Reference.--Any reference to the Assistant Secretary 
     for Cybersecurity and Communications in any law, regulation, 
     map, document, record, or other paper of the United States 
     shall be deemed to be a reference to the Assistant Director 
     for Cybersecurity.
       ``(b) Functions.--The Assistant Director shall--
       ``(1) direct the cybersecurity efforts of the Agency;
       ``(2) carry out activities, at the direction of the 
     Director, related to the security of Federal information and 
     Federal information systems consistent with law, including 
     subchapter II of chapter 35 of title 44, United States Code, 
     and the Cybersecurity Act of 2015 (contained in division N of 
     the Consolidated Appropriations Act, 2016 (Public Law 114-
     113));
       ``(3) fully participate in the mechanisms required under 
     section 2202(c)(7); and
       ``(4) carry out such other duties and powers as prescribed 
     by the Director.

     ``SEC. 2204. INFRASTRUCTURE SECURITY DIVISION.

       ``(a) Establishment.--
       ``(1) In general.--There is established in the Agency an 
     Infrastructure Security Division.
       ``(2) Assistant director.--The Infrastructure Security 
     Division shall be headed by an Assistant Director for 
     Infrastructure Security (in this section referred to as the 
     `Assistant Director'), who shall--
       ``(A) be at the level of Assistant Secretary within the 
     Department;
       ``(B) be appointed by the President without the advice and 
     consent of the Senate; and
       ``(C) report to the Director.
       ``(3) Reference.--Any reference to the Assistant Secretary 
     for Infrastructure Protection in any law, regulation, map, 
     document, record, or other paper of the United States shall 
     be deemed to be a reference to the Assistant Director for 
     Infrastructure Security.
       ``(b) Functions.--The Assistant Director shall--
       ``(1) direct the critical infrastructure security efforts 
     of the Agency;
       ``(2) carry out, at the direction of the Director, the 
     Chemical Facilities Anti-Terrorism Standards Program 
     established under title XXI and the secure handling of 
     ammonium nitrate program established under subtitle J of 
     title VIII, or any successor programs;
       ``(3) fully participate in the mechanisms required under 
     section 2202(c)(7); and
       ``(4) carry out such other duties and powers as prescribed 
     by the Director.''.
       (b) Treatment of Certain Positions.--
       (1) Under secretary.--The individual serving as the Under 
     Secretary appointed pursuant to section 103(a)(1)(H) of the 
     Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)(H)) of the 
     Department of Homeland Security on the day before the date of 
     enactment of this Act may continue to serve as the Director 
     of Cybersecurity and Infrastructure Security of the 
     Department on and after such date.
       (2) Director for emergency communications.--The individual 
     serving as the Director for Emergency Communications of the 
     Department of Homeland Security on the day before the date of 
     enactment of this Act may continue to serve as the Assistant 
     Director for Emergency Communications of the Department on 
     and after such date.
       (3) Assistant secretary for cybersecurity and 
     communications.--The individual serving as the Assistant 
     Secretary for Cybersecurity and Communications on the day 
     before the date of enactment of this Act may continue to 
     serve as the Assistant Director for Cybersecurity on and 
     after such date.
       (4) Assistant secretary for infrastructure protection.--The 
     individual serving as the Assistant Secretary for 
     Infrastructure Protection on the day before the date of 
     enactment of this Act may continue to serve as the Assistant 
     Director for Infrastructure Security on and after such date.
       (c) Reference.--Any reference to--
       (1) the Office of Emergency Communications in any law, 
     regulation, map, document, record, or other paper of the 
     United States shall be deemed to be a reference to the 
     Emergency Communications Division; and
       (2) the Director for Emergency Communications in any law, 
     regulation, map, document, record, or other paper of the 
     United States shall be deemed to be a reference to the 
     Assistant Director for Emergency Communications.
       (d) Oversight.--The Director of Cybersecurity and 
     Infrastructure Security of the Department of Homeland 
     Security shall provide to Congress, in accordance with the 
     deadlines specified in paragraphs (1) through (6), 
     information on the following:
       (1) Not later than 60 days after the date of enactment of 
     this Act, a briefing on the activities of the Agency relating 
     to the development and use of the mechanisms required 
     pursuant to section 2202(c)(6) of the Homeland Security Act 
     of 2002 (as added by subsection (a)).
       (2) Not later than 1 year after the date of the enactment 
     of this Act, a briefing on the activities of the Agency 
     relating to the use and improvement by the Agency of the 
     mechanisms required pursuant to section 2202(c)(6) of the 
     Homeland Security Act of 2002 and how such activities have 
     impacted coordination, situational awareness, and 
     communications with Sector-Specific Agencies.
       (3) Not later than 90 days after the date of the enactment 
     of this Act, information on the mechanisms of the Agency for 
     regular and ongoing consultation and collaboration, as 
     required pursuant to section 2202(c)(7) of the Homeland 
     Security Act of 2002 (as added by subsection (a)).
       (4) Not later than 1 year after the date of the enactment 
     of this Act, information on the activities of the 
     consultation and collaboration mechanisms of the Agency as 
     required pursuant to section 2202(c)(7) of the Homeland 
     Security Act of 2002, and how such mechanisms have impacted 
     operational coordination, situational awareness, and 
     integration across the Agency.
       (5) Not later than 180 days after the date of enactment of 
     this Act, information, which shall be made publicly available 
     and updated as appropriate, on the mechanisms and structures 
     of the Agency responsible for stakeholder outreach and 
     engagement, as required under section 2202(c)(10) of the 
     Homeland Security Act of 2002 (as added by subsection (a)).
       (e) Cyber Workforce.--Not later than 90 days after the date 
     of enactment of this Act, the Director of the Cybersecurity 
     and Infrastructure Security Agency of the Department of 
     Homeland Security, in coordination with the Director of the 
     Office of Personnel Management, shall submit to Congress a 
     report detailing how the Agency is meeting legislative 
     requirements under the Cybersecurity Workforce Assessment Act 
     (Public Law 113-246; 128 Stat. 2880) and the Homeland 
     Security Cybersecurity Workforce Assessment Act (enacted as 
     section 4 of the Border Patrol Agent Pay Reform Act of 2014; 
     Public Law 113-277) to address cyber workforce needs.
       (f) Facility.--Not later than 180 days after the date of 
     enactment of this Act, the Director

[[Page H9504]]

     of the Cybersecurity and Infrastructure Security Agency of 
     the Department of Homeland Security shall report to Congress 
     on the most efficient and effective methods of consolidating 
     Agency facilities, personnel, and programs to most 
     effectively carry out the Agency's mission.
       (g) Technical and Conforming Amendments to the Homeland 
     Security Act of 2002.--The Homeland Security Act of 2002 (6 
     U.S.C. 101 et seq.) is amended--
       (1) by amending section 103(a)(1)(H) (6 U.S.C. 
     113(a)(1)(H)) to read as follows:
       ``(H) A Director of the Cybersecurity and Infrastructure 
     Security Agency.'';
       (2) in title II (6 U.S.C. 121 et seq.)--
       (A) in the title heading, by striking ``AND INFRASTRUCTURE 
     PROTECTION'';
       (B) in the subtitle A heading, by striking ``and 
     Infrastructure Protection'';
       (C) in section 201 (6 U.S.C. 121)--
       (i) in the section heading, by striking ``and 
     infrastructure protection'';
       (ii) in subsection (a)--

       (I) in the subsection heading, by striking ``and 
     Infrastructure Protection''; and
       (II) by striking ``and an Office of Infrastructure 
     Protection'';

       (iii) in subsection (b)--

       (I) in the subsection heading, by striking ``and Assistant 
     Secretary for Infrastructure Protection''; and
       (II) by striking paragraph (3);

       (iv) in subsection (c)--

       (I) by striking ``and infrastructure protection''; and
       (II) by striking ``or the Assistant Secretary for 
     Infrastructure Protection, as appropriate'';

       (v) in subsection (d)--

       (I) in the subsection heading, by striking ``and 
     Infrastructure Protection'';
       (II) in the matter preceding paragraph (1), by striking 
     ``and infrastructure protection'';
       (III) by striking paragraphs (5), (6), and (25);
       (IV) by redesignating paragraphs (7) through (24) as 
     paragraphs (5) through (22), respectively;
       (V) by redesignating paragraph (26) as paragraph (23); and
       (VI) in paragraph (23)(B)(i), as so redesignated, by 
     striking ``section 319'' and inserting ``section 320'';

       (vi) in subsection (e)(1), by striking ``and the Office of 
     Infrastructure Protection''; and
       (vii) in subsection (f)(1), by striking ``and the Office of 
     Infrastructure Protection'';
       (D) in section 202 (6 U.S.C. 122)--
       (i) in subsection (c), in the matter preceding paragraph 
     (1), by striking ``Director of Central Intelligence'' and 
     inserting ``Director of National Intelligence''; and
       (ii) in subsection (d)(2), by striking ``Director of 
     Central Intelligence'' and inserting ``Director of National 
     Intelligence'';
       (E) in section 204 (6 U.S.C. 124a)--
       (i) in subsection (c)(1), in the matter preceding 
     subparagraph (A), by striking ``Assistant Secretary for 
     Infrastructure Protection'' and inserting ``Director of the 
     Cybersecurity and Infrastructure Security Agency''; and
       (ii) in subsection (d)(1), in the matter preceding 
     subparagraph (A), by striking ``Assistant Secretary for 
     Infrastructure Protection'' and inserting ``Director of the 
     Cybersecurity and Infrastructure Security Agency'';
       (F) in section 210A(c)(2)(B) (6 U.S.C. 124h(c)(2)(B)), by 
     striking ``Office of Infrastructure Protection'' and 
     inserting ``Cybersecurity and Infrastructure Security 
     Agency'';
       (G) by redesignating section 210E (6 U.S.C. 124l) as 
     section 2214 and transferring such section to appear after 
     section 2213 (as redesignated by subparagraph (I));
       (H) in subtitle B, by redesignating sections 211 through 
     215 (6 U.S.C. 101 note, and 131 through 134) as sections 2221 
     through 2225, respectively, and transferring such subtitle, 
     including the enumerator and heading of subtitle B and such 
     sections, to appear after section 2214 (as redesignated by 
     subparagraph (G));
       (I) by redesignating sections 223 through 230 (6 U.S.C. 143 
     through 151) as sections 2205 through 2213, respectively, and 
     transferring such sections to appear after section 2204, as 
     added by this Act;
       (J) by redesignating section 210F as section 210E; and
       (K) by redesignating subtitles C and D as subtitles B and 
     C, respectively;
       (3) in title III (6 U.S.C. 181 et seq.)--
       (A) in section 302 (6 U.S.C. 182)--
       (i) by striking ``biological,,'' each place that term 
     appears and inserting ``biological,''; and
       (ii) in paragraph (3), by striking ``Assistant Secretary 
     for Infrastructure Protection'' and inserting ``Director of 
     the Cybersecurity and Infrastructure Security Agency'';
       (B) by redesignating the second section 319 (6 U.S.C. 195f) 
     (relating to EMP and GMD mitigation research and development) 
     as section 320; and
       (C) in section 320(c)(1), as so redesignated, by striking 
     ``Section 214'' and inserting ``Section 2224'';
       (4) in title V (6 U.S.C. 311 et seq.)--
       (A) in section 508(d)(2)(D) (6 U.S.C. 318(d)(2)(D)), by 
     striking ``The Director of the Office of Emergency 
     Communications of the Department of Homeland Security'' and 
     inserting ``The Assistant Director for Emergency 
     Communications'';
       (B) in section 514 (6 U.S.C. 321c)--
       (i) by striking subsection (b); and
       (ii) by redesignating subsection (c) as subsection (b); and
       (C) in section 523 (6 U.S.C. 321l)--
       (i) in subsection (a), in the matter preceding paragraph 
     (1), by striking ``Assistant Secretary for Infrastructure 
     Protection'' and inserting ``Director of Cybersecurity and 
     Infrastructure Security''; and
       (ii) in subsection (c), by striking ``Assistant Secretary 
     for Infrastructure Protection'' and inserting ``Director of 
     Cybersecurity and Infrastructure Security'';
       (5) in title VIII (6 U.S.C. 361 et seq.)--
       (A) in section 884(d)(4)(A)(ii) (6 U.S.C. 
     464(d)(4)(A)(ii)), by striking ``Under Secretary responsible 
     for overseeing critical infrastructure protection, 
     cybersecurity, and other related programs of the Department'' 
     and inserting ``Director of Cybersecurity and Infrastructure 
     Security''; and
       (B) in section 899B(a) (6 U.S.C. 488a(a)), by adding at the 
     end the following: ``Such regulations shall be carried out by 
     the Cybersecurity and Infrastructure Security Agency.'';
       (6) in title XVIII (6 U.S.C. 571 et seq.)--
       (A) in section 1801 (6 U.S.C. 571)--
       (i) in the section heading, by striking ``office of 
     emergency communications'' and inserting ``emergency 
     communications division'';
       (ii) in subsection (a)--

       (I) by striking ``Office of Emergency Communications'' and 
     inserting ``Emergency Communications Division''; and
       (II) by adding at the end the following: ``The Division 
     shall be located in the Cybersecurity and Infrastructure 
     Security Agency.'';

       (iii) by amending subsection (b) to read as follows:
       ``(b) Assistant Director.--The head of the Division shall 
     be the Assistant Director for Emergency Communications. The 
     Assistant Director shall report to the Director of 
     Cybersecurity and Infrastructure Security. All decisions of 
     the Assistant Director that entail the exercise of 
     significant authority shall be subject to the approval of the 
     Director of Cybersecurity and Infrastructure Security.'';
       (iv) in subsection (c)--

       (I) in the matter preceding paragraph (1), by inserting 
     ``Assistant'' before ``Director'';
       (II) in paragraph (14), by striking ``and'' at the end;
       (III) in paragraph (15), by striking the period at the end 
     and inserting ``; and''; and
       (IV) by inserting after paragraph (15) the following:

       ``(16) fully participate in the mechanisms required under 
     section 2202(c)(7).'';
       (v) in subsection (d), in the matter preceding paragraph 
     (1), by inserting ``Assistant'' before ``Director''; and
       (vi) in subsection (e), in the matter preceding paragraph 
     (1), by inserting ``Assistant'' before ``Director'';
       (B) in sections 1802 through 1805 (6 U.S.C. 572 through 
     575), by striking ``Director for Emergency Communications'' 
     each place that term appears and inserting ``Assistant 
     Director for Emergency Communications'';
       (C) in section 1809 (6 U.S.C. 579)--
       (i) by striking ``Director of Emergency Communications'' 
     each place that term appears and inserting ``Assistant 
     Director for Emergency Communications'';
       (ii) in subsection (b)--

       (I) by striking ``Director for Emergency Communications'' 
     and inserting ``Assistant Director for Emergency 
     Communications''; and
       (II) by striking ``Office of Emergency Communications'' and 
     inserting ``Emergency Communications Division'';

       (iii) in subsection (e)(3), by striking ``the Director'' 
     and inserting ``the Assistant Director''; and
       (iv) in subsection (m)(1)--

       (I) by striking ``The Director'' and inserting ``The 
     Assistant Director'';
       (II) by striking ``the Director determines'' and inserting 
     ``the Assistant Director determines''; and
       (III) by striking ``Office of Emergency Communications'' 
     and inserting ``Cybersecurity and Infrastructure Security 
     Agency'';

       (D) in section 1810 (6 U.S.C. 580)--
       (i) in subsection (a)(1), by striking ``Director of the 
     Office of Emergency Communications (referred to in this 
     section as the `Director')'' and inserting ``Assistant 
     Director for Emergency Communications (referred to in this 
     section as the `Assistant Director')'';
       (ii) in subsection (c), by striking ``Office of Emergency 
     Communications'' and inserting ``Emergency Communications 
     Division''; and
       (iii) by striking ``Director'' each place that term appears 
     and inserting ``Assistant Director'';
       (7) in title XX (6 U.S.C. 601 et seq.)--
       (A) in paragraph (4)(A)(iii)(II) of section 2001 (6 U.S.C. 
     601), by striking ``section 210E(a)(2)'' and inserting 
     ``section 2214(a)(2)'';
       (B) in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by striking 
     ``section 210E(a)(2)'' and inserting ``section 2214(a)(2)''; 
     and
       (C) in section 2021 (6 U.S.C. 611)--
       (i) by striking subsection (c); and
       (ii) by redesignating subsection (d) as subsection (c);
       (8) in title XXI (6 U.S.C. 621 et seq.)--
       (A) in section 2102(a)(1) (6 U.S.C. 622(a)(1)), by 
     inserting ``, which shall be located in the Cybersecurity and 
     Infrastructure Security Agency'' before the period at the 
     end; and
       (B) in section 2104(c)(2) (6 U.S.C. 624(c)(2)), by striking 
     ``Under Secretary responsible for overseeing critical 
     infrastructure protection, cybersecurity, and other related 
     programs of the Department appointed under section 
     103(a)(1)(H)'' and inserting ``Director of Cybersecurity and 
     Infrastructure Security''; and
       (9) in title XXII, as added by this Act--
       (A) in subtitle A--
       (i) in section 2205, as so redesignated--

       (I) in the matter preceding paragraph (1)--

       (aa) by striking ``section 201'' and inserting ``section 
     2202''; and
       (bb) by striking ``Under Secretary appointed under section 
     103(a)(1)(H)'' and inserting ``Director of Cybersecurity and 
     Infrastructure Security''; and

       (II) in paragraph (1)(B), by striking ``and'' at the end;

       (ii) in section 2206, as so redesignated, by striking 
     ``Assistant Secretary for Infrastructure Protection'' and 
     inserting ``Director of Cybersecurity and Infrastructure 
     Security'';

[[Page H9505]]

       (iii) in section 2209, as so redesignated--

       (I) by striking ``Under Secretary appointed under section 
     103(a)(1)(H)'' each place that term appears and inserting 
     ``Director'';
       (II) in subsection (a)(4), by striking ``section 212(5)'' 
     and inserting ``section 2222(5)'';
       (III) in subsection (b), by adding at the end the 
     following: ``The Center shall be located in the Cybersecurity 
     and Infrastructure Security Agency. The head of the Center 
     shall report to the Assistant Director for Cybersecurity.''; 
     and
       (IV) in subsection (c)(11), by striking ``Office of 
     Emergency Communications'' and inserting ``Emergency 
     Communications Division'';

       (iv) in section 2210, as so redesignated--

       (I) by striking ``section 227'' each place that term 
     appears and inserting ``section 2209''; and
       (II) in subsection (c)--

       (aa) by striking ``Under Secretary appointed under section 
     103(a)(1)(H)'' and inserting ``Director of Cybersecurity and 
     Infrastructure Security''; and
       (bb) by striking ``section 212(5)'' and inserting ``section 
     2222(5)'';
       (v) in section 2211(b)(2)(A), as so redesignated, by 
     striking ``the section 227'' and inserting ``section 2209'';
       (vi) in section 2212, as so redesignated, by striking 
     ``section 212(5)'' and inserting ``section 2222(5)'';
       (vii) in section 2213(a), as so redesignated--

       (I) in paragraph (3), by striking ``section 228'' and 
     inserting ``section 2210''; and
       (II) in paragraph (4), by striking ``section 227'' and 
     inserting ``section 2209''; and

       (viii) in section 2214, as so redesignated--

       (I) by striking subsection (e); and
       (II) by redesignating subsection (f) as subsection (e); and

       (B) in subtitle B--
       (i) in section 2222(8), as so redesignated, by striking 
     ``section 227'' and inserting ``section 2209''; and
       (ii) in section 2224(h), as so redesignated, by striking 
     ``section 213'' and inserting ``section 2223'';
       (h) Technical and Conforming Amendments to Other Laws.--
       (1) Cybersecurity act of 2015.--The Cybersecurity Act of 
     2015 (6 U.S.C. 1501 et seq.) is amended--
       (A) in section 202(2) (6 U.S.C. 131 note)--
       (i) by striking ``section 227'' and inserting ``section 
     2209''; and
       (ii) by striking ``, as so redesignated by section 
     223(a)(3) of this division'';
       (B) in section 207(2) (Public Law 114-113; 129 Stat. 
     2962)--
       (i) by striking ``section 227'' and inserting ``section 
     2209''; and
       (ii) by striking ``, as redesignated by section 223(a) of 
     this division,'';
       (C) in section 208 (Public Law 114-113; 129 Stat. 2962), by 
     striking ``Under Secretary appointed under section 
     103(a)(1)(H) of the Homeland Security Act of 2002 (6 U.S.C. 
     113(a)(1)(H))'' and inserting ``Director of Cybersecurity and 
     Infrastructure Security of the Department'';
       (D) in section 222 (6 U.S.C. 1521)--
       (i) in paragraph (2)--

       (I) by striking ``section 228'' and inserting ``section 
     2210''; and
       (II) by striking ``, as added by section 223(a)(4) of this 
     division''; and

       (ii) in paragraph (4)--

       (I) by striking ``section 227'' and inserting ``section 
     2209''; and
       (II) by striking ``, as so redesignated by section 
     223(a)(3) of this division'';

       (E) in section 223(b) (6 U.S.C. 151 note)--
       (i) by striking ``section 230(b)(1) of the Homeland 
     Security Act of 2002, as added by subsection (a)'' each place 
     that term appears and inserting ``section 2213(b)(1) of the 
     Homeland Security Act of 2002''; and
       (ii) in paragraph (1)(B), by striking ``section 230(b)(2) 
     of the Homeland Security Act of 2002, as added by subsection 
     (a)'' and inserting ``section 2213(b)(2) of the Homeland 
     Security Act of 2002'';
       (F) in section 226 (6 U.S.C. 1524)--
       (i) in subsection (a)--

       (I) in paragraph (1)--

       (aa) by striking ``section 230'' and inserting ``section 
     2213''; and
       (bb) by striking ``, as added by section 223(a)(6) of this 
     division'';

       (II) in paragraph (4)--

       (aa) by striking ``section 228(b)(1)'' and inserting 
     ``section 2210(b)(1)''; and
       (bb) by striking ``, as added by section 223(a)(4) of this 
     division''; and

       (III) in paragraph (5)--

       (aa) by striking ``section 230(b)'' and inserting ``section 
     2213(b)''; and
       (bb) by striking ``, as added by section 223(a)(6) of this 
     division''; and
       (ii) in subsection (c)(1)(A)(vi)--

       (I) by striking ``section 230(c)(5)'' and inserting 
     ``section 2213(c)(5)''; and
       (II) by striking ``, as added by section 223(a)(6) of this 
     division'';

       (G) in section 227 (6 U.S.C. 1525)--
       (i) in subsection (a)--

       (I) by striking ``section 230'' and inserting ``section 
     2213''; and
       (II) by striking ``, as added by section 223(a)(6) of this 
     division,''; and

       (ii) in subsection (b)--

       (I) by striking ``section 230(d)(2)'' and inserting 
     ``section 2213(d)(2)''; and
       (II) by striking ``, as added by section 223(a)(6) of this 
     division,''; and

       (H) in section 404 (6 U.S.C. 1532)--
       (i) by striking ``Director for Emergency Communications'' 
     each place that term appears and inserting ``Assistant 
     Director for Emergency Communications''; and
       (ii) in subsection (a)--

       (I) by striking ``section 227'' and inserting ``section 
     2209''; and
       (II) by striking ``, as redesignated by section 223(a)(3) 
     of this division,''.

       (2) Small business act.--Section 21(a)(8)(B) of the Small 
     Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking 
     ``section 227(a) of the Homeland Security Act of 2002 (6 
     U.S.C. 148(a))'' and inserting ``section 2209(a) of the 
     Homeland Security Act of 2002''.
       (3) Title 5.--Subchapter II of chapter 53 of title 5, 
     United States Code, is amended--
       (A) in section 5314, by inserting after ``Under 
     Secretaries, Department of Homeland Security.'' the 
     following:
       ``Director, Cybersecurity and Infrastructure Security 
     Agency.''; and
       (B) in section 5315, by inserting after ``Assistant 
     Secretaries, Department of Homeland Security.'' the 
     following:
       ``Assistant Director for Cybersecurity, Cybersecurity and 
     Infrastructure Security Agency.
       ``Assistant Director for Infrastructure Security, 
     Cybersecurity and Infrastructure Security Agency.''.
       (i) Table of Contents Amendments.--The table of contents in 
     section 1(b) of the Homeland Security Act of 2002 (Public Law 
     107-296; 116 Stat. 2135) is amended--
       (1) by striking the item relating to title II and inserting 
     the following:

                  ``TITLE II--INFORMATION ANALYSIS'';

       (2) by striking the item relating to subtitle A of title II 
     and inserting the following:

    ``Subtitle A--Information and Analysis; Access to Information'';

       (3) by striking the item relating to section 201 and 
     inserting the following:

``Sec. 201. Information and analysis.'';
       (4) by striking the items relating to sections 210E and 
     210F and inserting the following:

``Sec. 210E. Classified Information Advisory Officer.'';
       (5) by striking the items relating to subtitle B of title 
     II and sections 211 through 215;
       (6) by striking the items relating to section 223 through 
     section 230;
       (7) by striking the item relating to subtitle C and 
     inserting the following:

                 ``Subtitle B--Information Security'';

       (8) by striking the item relating to subtitle D and 
     inserting the following:

           ``Subtitle C--Office of Science and Technology'';

       (9) by striking the items relating to sections 317, 319, 
     318, and 319 and inserting the following:

``Sec. 317. Promoting antiterrorism through international cooperation 
              program.
``Sec. 318. Social media working group.
``Sec. 319. Transparency in research and development.
``Sec. 320. EMP and GMD mitigation research and development.'';
       (10) by striking the item relating to section 1801 and 
     inserting the following:

``Sec. 1801. Emergency Communications Division.''; and
       (11) by adding at the end the following:

     ``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

        ``Subtitle A--Cybersecurity and Infrastructure Security

``Sec. 2201. Definitions.
``Sec. 2202. Cybersecurity and Infrastructure Security Agency.
``Sec. 2203. Cybersecurity Division.
``Sec. 2204. Infrastructure Security Division.
``Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.
``Sec. 2206. Net guard.
``Sec. 2207. Cyber Security Enhancement Act of 2002.
``Sec. 2208. Cybersecurity recruitment and retention.
``Sec. 2209. National cybersecurity and communications integration 
              center.
``Sec. 2210. Cybersecurity plans.
``Sec. 2211. Cybersecurity strategy.
``Sec. 2212. Clearances.
``Sec. 2213. Federal intrusion detection and prevention system.
``Sec. 2214. National Asset Database.

           ``Subtitle B--Critical Infrastructure Information

``Sec. 2221. Short title.
``Sec. 2222. Definitions.
``Sec. 2223. Designation of critical infrastructure protection program.
``Sec. 2224. Protection of voluntarily shared critical infrastructure 
              information.
``Sec. 2225. No private right of action.''.

     SEC. 3. TRANSFER OF OTHER ENTITIES.

       (a) Office of Biometric Identity Management.--The Office of 
     Biometric Identity Management of the Department of Homeland 
     Security located in the National Protection and Programs 
     Directorate of the Department of Homeland Security on the day 
     before the date of enactment of this Act is hereby 
     transferred to the Management Directorate of the Department.
       (b) Federal Protective Service.--
       (1) In general.--Not later than 90 days after the 
     completion of the Government Accountability Office review of 
     the organizational placement of the Federal Protective 
     Service (authorized under section 1315 of title 40, United 
     States Code), the Secretary of Homeland Security shall 
     determine the appropriate placement of the Service within the 
     Department of Homeland Security and commence the transfer of 
     the Service to such component, directorate, or other office 
     of the Department that the Secretary so determines 
     appropriate.
       (2) Exception.--If the Secretary of Homeland Security 
     determines pursuant to paragraph (1) that no component, 
     directorate, or other office of the Department of Homeland 
     Security is an appropriate placement for the Federal 
     Protective Service, the Secretary shall--

[[Page H9506]]

       (A) provide to the Committee on Homeland Security and the 
     Committee on Transportation and Infrastructure of the House 
     of Representatives and the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Office of 
     Management and Budget a detailed explanation, in writing, of 
     the reason for such determination that includes--
       (i) information on how the Department considered the 
     Government Accountability Office review described in such 
     paragraph;
       (ii) a list of the components, directorates, or other 
     offices of the Department that were considered for such 
     placement; and
       (iii) information on why each such component, directorate, 
     or other office of the Department was determined to not be an 
     appropriate placement for the Service;
       (B) not later than 120 days after the completion of the 
     Government Accountability Office review described in such 
     paragraph, develop and submit to the committees specified in 
     subparagraph (A) and the Office of Management and Budget a 
     plan to coordinate with other appropriate Federal agencies, 
     including the General Services Administration, to determine a 
     more appropriate placement for the Service; and
       (C) not later than 180 days after the completion of such 
     Government Accountability Office review, submit to such 
     committees and the Office of Management and Budget a 
     recommendation regarding the appropriate placement of the 
     Service within the executive branch of the Federal 
     Government.

     SEC. 4. DHS REPORT ON CLOUD-BASED CYBERSECURITY.

       (a) Definition.--In this section, the term ``Department'' 
     means the Department of Homeland Security.
       (b) Report.--Not later than 120 days after the date of 
     enactment of this Act, the Secretary of Homeland Security, in 
     coordination with the Director of the Office of Management 
     and Budget and the Administrator of General Services, shall 
     submit to the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Oversight and 
     Government Reform and the Committee on Homeland Security of 
     the House of Representatives a report on the leadership role 
     of the Department in cloud-based cybersecurity deployments 
     for civilian Federal departments and agencies, which shall 
     include--
       (1) information on the plan of the Department for ensuring 
     access to a security operations center as a service 
     capability in accordance with the December 19, 2017 Report to 
     the President on Federal IT Modernization issued by the 
     American Technology Council;
       (2) information on what service capabilities under 
     paragraph (1) the Department will prioritize, including--
       (A) criteria the Department will use to evaluate 
     capabilities offered by the private sector; and
       (B) how Federal government- and private sector-provided 
     capabilities will be integrated to enable visibility and 
     consistency of such capabilities across all cloud and on 
     premise environments, as called for in the report described 
     in paragraph (1); and
       (3) information on how the Department will adapt the 
     current capabilities of, and future enhancements to, the 
     intrusion detection and prevention system of the Department 
     and the Continuous Diagnostics and Mitigation Program of the 
     Department to secure civilian Federal government networks in 
     a cloud environment.

     SEC. 5. RULE OF CONSTRUCTION.

       Nothing in this Act or an amendment made by this Act may be 
     construed as--
       (1) conferring new authorities to the Secretary of Homeland 
     Security, including programmatic, regulatory, or enforcement 
     authorities, outside of the authorities in existence on the 
     day before the date of enactment of this Act;
       (2) reducing or limiting the programmatic, regulatory, or 
     enforcement authority vested in any other Federal agency by 
     statute; or
       (3) affecting in any manner the authority, existing on the 
     day before the date of enactment of this Act, of any other 
     Federal agency or component of the Department of Homeland 
     Security.

     SEC. 6. PROHIBITION ON ADDITIONAL FUNDING.

       No additional funds are authorized to be appropriated to 
     carry out this Act or the amendments made by this Act. This 
     Act and the amendments made by this Act shall be carried out 
     using amounts otherwise authorized.

  Mr. McCAUL (during the reading). Mr. Speaker, I ask unanimous consent 
to dispense with the reading of the amendment.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Texas?
  There was no objection.
  The SPEAKER pro tempore. Is there objection to the original request 
of the gentleman from Texas?
  There was no objection.
  A motion to reconsider was laid on the table.

                          ____________________