[Congressional Record (Bound Edition), Volume 158 (2012), Part 9]
[Senate]
[Pages 12400-12532]
[From the U.S. Government Publishing Office, www.gpo.gov]




                           TEXT OF AMENDMENTS

  SA 2581. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by her to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.

[[Page 12401]]

       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or prosecute any of the offenses listed in 
     section 2516 of title 18, United States Code, and such 
     information shall not be disclosed to, retained by, or used 
     by any Federal agency or department for any use not permitted 
     under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the

[[Page 12402]]

     sharing of such information by the entity authorizing such 
     sharing, such as appropriate anonymization of such 
     information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.

[[Page 12403]]

       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or

[[Page 12404]]

       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;

       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;

[[Page 12405]]

       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--

[[Page 12406]]

       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
       ``3554. Agency responsibilities.
       ``3555. Multiagency ongoing threat assessment.
       ``3556. Independent evaluations.
       ``3557. National security systems.''.

       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).

[[Page 12407]]

       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the

[[Page 12408]]

     commission of any violation of this section, or a conspiracy 
     to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.

[[Page 12409]]

       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of the Office of Science 
     and Technology Policy under section 102 shall convene a task 
     force

[[Page 12410]]

     to explore mechanisms for carrying out collaborative research 
     and development activities for cyber-physical systems 
     (including the related technologies required to enable these 
     systems) through a consortium or other appropriate entity 
     with participants from institutions of higher education, 
     Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as each agency's share 
     of the total budget for the Program for the previous fiscal 
     year, as specified in the database under section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 401(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high-performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and

[[Page 12411]]

       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``HIGH-PERFORMANCE 
     COMPUTING'' and inserting ``NETWORKING AND INFORMATION 
     TECHNOLOGY''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of Personnel Management, to request and fund a 
     security clearance for a scholarship recipient, including 
     providing for clearance during a summer internship and upon 
     graduation; and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Secretary 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and

[[Page 12412]]

       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
                                 ______
                                 
  SA 2582. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by her to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Beginning on page 1, strike line 3 and all that follows 
     through page 211, line 6 and insert the following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.

[[Page 12413]]

       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable

[[Page 12414]]

     Federal law, any Federal agency or department, component, 
     officer, employee, or agent of the Federal government for a 
     cybersecurity purpose, a national security purpose, or in 
     order to prevent, investigate, or prosecute any of the 
     offenses listed in section 2516 of title 18, United States 
     Code, and such information shall not be disclosed to, 
     retained by, or used by any Federal agency or department for 
     any use not permitted under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to

[[Page 12415]]

     limit or prohibit otherwise lawful disclosures of 
     communications, records, or other information by a private 
     entity to any other governmental or private entity not 
     covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--

[[Page 12416]]

       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.

[[Page 12417]]

       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and

[[Page 12418]]

       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent

[[Page 12419]]

     evaluation under subsection (b), each agency head shall 
     transmit a copy of the independent evaluation to the 
     Secretary of Homeland Security, the Secretary of Commerce, 
     and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or

[[Page 12420]]

       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

[[Page 12421]]



            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';

[[Page 12422]]

       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of the Office of Science 
     and Technology Policy under section 102 shall convene a task 
     force to explore mechanisms for carrying out collaborative 
     research and development activities for cyber-physical 
     systems (including the related technologies required to 
     enable these systems) through a consortium or other 
     appropriate entity with participants from institutions of 
     higher education, Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as

[[Page 12423]]

     each agency's share of the total budget for the Program for 
     the previous fiscal year, as specified in the database under 
     section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 401(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high-performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and
       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of

[[Page 12424]]

     Personnel Management, to request and fund a security 
     clearance for a scholarship recipient, including providing 
     for clearance during a summer internship and upon graduation; 
     and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Secretary 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat.

[[Page 12425]]

     4005), as the Secretary finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
                                 ______
                                 
  SA 2583. Mr. GRASSLEY submitted an amendment intended to be proposed 
by him to the bill S. 3414, to enhance the security and resiliency of 
the cyber and communications infrastructure of the United States; which 
was ordered to lie on the table; as follows:

       Beginning on page 192, strike line 11 and all that follows 
     through page 193, line 22.
                                 ______
                                 
  SA 2584. Mr. GRASSLEY submitted an amendment intended to be proposed 
by him to the bill S. 3414, to enhance the security and resiliency of 
the cyber and communications infrastructure of the United States; which 
was ordered to lie on the table; as follows:

       On page 18, strike line 16 and all that follows through 
     page 19, line 2, and insert the following:
       (5) Limitation.--The Council may not identify critical 
     infrastructure as a category of critical cyber infrastructure 
     under this section based solely on activities protected by 
     the first amendment to the Constitution of the United States.
                                 ______
                                 
  SA 2585. Mr. GRASSLEY submitted an amendment intended to be proposed 
by him to the bill S. 3414, to enhance the security and resiliency of 
the cyber and communications infrastructure of the United States; which 
was ordered to lie on the table; as follows:

       At the end, add the following:

                     TITLE VIII--CRIMINAL PENALTIES

     SEC. 801. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section; and
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm described 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 802. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization; 
     or''.

     SEC. 803. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 804. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such person's interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 805. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;

[[Page 12426]]

       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be fined under this title, imprisoned for not less than 
     3 years but not more than 20 years, or both.
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 806. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 807. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.
                                 ______
                                 
  SA 2586. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 22, strike lines 8 through 18.
                                 ______
                                 
  SA 2587. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 30, after line 24, add the following:
       (C) Rule of construction.--Nothing in this paragraph shall 
     be construed to establish a civil cause of action, or a 
     presumption of negligence in a civil action, against an owner 
     that does not participate in the Voluntary Cybersecurity 
     Program for Critical Infrastructure established under this 
     section.
                                 ______
                                 
  SA 2588. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 22, line 10, strike ``fails'' and all that follows 
     through line 18 and insert ``chooses not to propose to the 
     Council cybersecurity practices under subsection (a), not 
     later than 180 days after the date of enactment of this Act 
     the sector coordinating council shall submit a report to the 
     Council explaining why it chose not to propose cybersecurity 
     practices.''.
                                 ______
                                 
  SA 2589. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 30, line 8, after ``106'' insert the following: 
     ``and may not be used for other regulatory purposes by the 
     Federal Government or a State or local government''.
                                 ______
                                 
  SA 2590. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 21, strike line 8 and all that follows through page 
     22, line 7, and insert the following:
       (B) review relevant regulations or compulsory standards or 
     guidelines; and
       (C) review cybersecurity practices proposed under 
     subsection (a) to ensure sufficient protection against cyber 
     risks.
       (2) Adoption.--
       (A) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Council shall--
       (i) adopt any cybersecurity practices proposed under 
     subsection (a) that adequately remediate or mitigate 
     identified cyber risks and any associated consequences 
     identified through an assessment conducted under section 
     102(a); and
       (ii) conduct a cost-benefit analysis in accordance with 
     Executive Order 13563 (5 U.S.C. 601 note; relating to 
     improving regulation and regulatory review), including 
     sections 1 and 3 of such Executive Order.
                                 ______
                                 
  SA 2591. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 16, line 8, after ``mechanism'' insert ``, under 
     which it shall be unlawful for the Federal Government to 
     compel participation,''.
                                 ______
                                 
  SA 2592. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       Strike title IV.
                                 ______
                                 
  SA 2593. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 10, line 12, after ``shall'' insert the following: 
     ``designate a Federal agency subject to full congressional 
     oversight to''.
                                 ______
                                 
  SA 2594. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 20, line 2, after ``paragraph (1).'' insert the 
     following: ``If Congress passes a resolution of disapproval 
     of the identification of a category of critical 
     infrastructure as critical cyber infrastructure, the category 
     shall be removed from the list of identified categories of 
     critical cyber infrastructure and may not be identified as a 
     category of critical cyber infrastructure during the 2 year 
     period beginning on the date on which Congress passes the 
     resolution of disapproval.''.
                                 ______
                                 
  SA 2595. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 23, strike line 22 and all that follows through 
     page 24, line 13, and insert the following:

     critical infrastructure may not adopt the cybersecurity 
     practices as mandatory requirements.
       (B) Rule of construction.--Nothing in
                                 ______
                                 
  SA 2596. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 13, line 11, insert ``In addition, any authority of 
     a Federal agency under another

[[Page 12427]]

     provision of law to compel owners or operators to provide 
     information to the Federal Government may not be used in 
     furtherance of this Act.'' after the period.
                                 ______
                                 
  SA 2597. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       Strike title I.
                                 ______
                                 
  SA 2598. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 16, line 21, strike ``and''.
       On page 16, line 23, strike the period and insert ``; 
     and''.
       On page 16, between lines 23 and 24, insert the following:
       (H) submit to the President and the appropriate 
     congressional committees a report, which may be in classified 
     or unclassified form, explaining the methodologies use to 
     identify and results of the identification of categories of 
     critical cyber infrastructure.
                                 ______
                                 
  SA 2599. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 24, strike lines 3 through 12 and insert the 
     following:

     adopted the cybersecurity practices as mandatory 
     requirements, the Federal agency shall submit to the 
     appropriate congressional committees a report on the reasons 
     the Federal agency did so, including an explanation of how 
     the Federal agency conducted a detailed cost-benefit analysis 
     in accordance with Executive Order 13563 (5 U.S.C. 601 note; 
     relating to improving regulation and regulatory review), 
     including sections 1 and 3 of such Executive Order.
                                 ______
                                 
  SA 2600. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       Beginning on page 18, strike line 18 and all that follows 
     through page 19, line 2, and insert the following: ``under 
     this section critical infrastructure based solely on 
     activities protected by the first amendment to the 
     Constitution of the United States.''.
                                 ______
                                 
  SA 2601. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 34, strike lines 3 through 19 and insert the 
     following:
       (1) provide additional authority for any sector-specific 
     agency or any Federal agency that is not a sector-specific 
     agency with responsibilities for regulating the security of 
     critical infrastructure to establish standards or other 
     cybersecurity measures that are applicable to the security of 
     critical infrastructure not otherwise authorized by law;
       (2) limit or restrict the authority of the Department, or 
     any other Federal agency, under any other provision of law; 
     or
       (3) permit any owner (including a certified owner) to fail 
     to comply with any other law or regulation, unless 
     specifically authorized.
                                 ______
                                 
  SA 2602. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 173, beginning on line 14, strike ``The Secretary 
     of Homeland Security, in consultation with'' and insert ``The 
     President, in consultation with the Secretary,''.
       On page 173, line 19, strike ``civilian''.
       On page 174, line 11, strike ``Civilian''.
       On page 174, beginning on line 13, strike ``The Secretary, 
     in consultation with'' and insert ``The President, in 
     consultation with the Secretary,''.
       On page 174, line 16, strike ``civilian''.
       On page 174, beginning on line 21, strike ``civilian''.
       On page 177, line 2, strike ``civilian''.
       On page 177, line 6, strike ``Civilian''.
       On page 177, beginning on line 8, strike ``the Secretary, 
     in consultation with'' and insert ``the President, in 
     consultation with the Secretary,''.
       On page 177, line 11, strike ``civilian''.
       On page 177, line 23, strike ``the Secretary'' and insert 
     ``the President''.
       On page 178, line 21, strike ``The Secretary'' and insert 
     ``The President''.
       On page 179, beginning on line 6, strike ``The Secretary, 
     in coordination with the Director of National Intelligence, 
     the Attorney General, and the Secretary of Defense,'' and 
     insert ``The President''.
       On page 183, beginning on line 15, strike ``the Secretary 
     and approved by the Attorney General'' and insert ``the 
     President''.
       On page 184, beginning on line 19, strike ``The Secretary, 
     in consultation with privacy and civil liberties experts,'' 
     and insert ``The President, in consultation with privacy and 
     civil liberties experts, the Secretary,''.
       On page 186, strike lines 16 through 22.
       On page 186, line 24, strike ``The Secretary'' and insert 
     ``The President''.
       On page 187, beginning on line 10, strike ``The Secretary 
     and the Attorney General'' and insert ``The President, in 
     consultation with the Secretary and the Attorney General,''.
       On page 187, beginning on line 20, strike ``the Secretary 
     and approved by the Attorney General'' and insert ``the 
     President''.
       On page 187, beginning on line 23, strike ``the Attorney 
     General'' and insert ``the President''.
       On page 188, line 1, strike ``the Attorney General'' and 
     insert ``the President''.
       On page 188, line 3, strike ``the Attorney General'' and 
     insert ``the President''.
       On page 202, beginning on line 21, strike ``the Secretary, 
     the Director of National Intelligence, the Attorney General, 
     and the Secretary of Defense shall jointly'' and insert ``the 
     President, in consultation with the Secretary, the Director 
     of National Intelligence, the Attorney General, and the 
     Secretary of Defense, shall''.
                                 ______
                                 
  SA 2603. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 173, beginning on line 14, strike ``The Secretary 
     of Homeland Security, in consultation with'' and insert ``The 
     President, in consultation with the Secretary,''.
       On page 173, line 19, strike ``civilian''.
       On page 174, line 11, strike ``Civilian''.
       On page 174, beginning on line 13, strike ``The Secretary, 
     in consultation with'' and insert ``The President, in 
     consultation with the Secretary,''.
       On page 174, line 16, strike ``civilian''.
       On page 174, beginning on line 21, strike ``civilian''.
       On page 177, line 2, strike ``civilian''.
       On page 177, line 6, strike ``Civilian''.
       On page 177, beginning on line 8, strike ``the Secretary, 
     in consultation with'' and insert ``the President, in 
     consultation with the Secretary,''.
       On page 177, line 11, strike ``civilian''.
       On page 177, line 23, strike ``the Secretary'' and insert 
     ``the President''.
       On page 178, line 21, strike ``The Secretary'' and insert 
     ``The President''.
       On page 179, beginning on line 6, strike ``The Secretary, 
     in coordination with the Director of National Intelligence, 
     the Attorney General, and the Secretary of Defense,'' and 
     insert ``The President''.
       On page 183, beginning on line 15, strike ``the Secretary 
     and approved by the Attorney General'' and insert ``the 
     President''.
       On page 184, beginning on line 19, strike ``The Secretary, 
     in consultation with privacy and civil liberties experts,'' 
     and insert ``The President, in consultation with privacy and 
     civil liberties experts, the Secretary,''.
       On page 186, strike lines 16 through 22.
       On page 186, line 24, strike ``The Secretary'' and insert 
     ``The President''.
       On page 187, beginning on line 10, strike ``The Secretary 
     and the Attorney General'' and insert ``The President, in 
     consultation with the Secretary and the Attorney General,''.
       On page 187, beginning on line 20, strike ``the Secretary 
     and approved by the Attorney General'' and insert ``the 
     President''.
       On page 187, beginning on line 23, strike ``the Attorney 
     General'' and insert ``the President''.
       On page 188, line 1, strike ``the Attorney General'' and 
     insert ``the President''.
       On page 188, line 3, strike ``the Attorney General'' and 
     insert ``the President''.
       On page 199, strike lines 12 through 17.
       On page 202, beginning on line 21, strike ``the Secretary, 
     the Director of National Intelligence, the Attorney General, 
     and the Secretary of Defense shall jointly'' and insert ``the 
     President, in consultation with the Secretary, the Director 
     of National Intelligence, the Attorney General, and the 
     Secretary of Defense, shall''.
                                 ______
                                 
  SA 2604. Mr. McCAIN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       At the end of title I, add the following:

     SEC. 111. SUNSET.

       This title is repealed effective on the date that is 4 
     years after the date of enactment of this Act.

[[Page 12428]]


                                 ______
                                 
  SA 2605. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by him to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.

[[Page 12429]]

       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or prosecute any of the offenses listed in 
     section 2516 of title 18, United States Code, and such 
     information shall not be disclosed to, retained by, or used 
     by any Federal agency or department for any use not permitted 
     under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;

[[Page 12430]]

       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

[[Page 12431]]



     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.

[[Page 12432]]

       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity

[[Page 12433]]

     designated at each cybersecurity center and to other 
     appropriate entities consistent with policies and directives 
     for non-national security systems as prescribed under section 
     3553(a), including information to assist the entity 
     designated under section 3555(a) with the ongoing security 
     analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and

[[Page 12434]]

       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.

[[Page 12435]]

       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such person's interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or

[[Page 12436]]

     controls systems or assets vital to national defense, 
     national security, national economic security, public health 
     or safety, or any combination of those matters, whether 
     publicly or privately owned or operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.

[[Page 12437]]

       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of the Office of Science 
     and Technology Policy under section 102 shall convene a task 
     force to explore mechanisms for carrying out collaborative 
     research and development activities for cyber-physical 
     systems (including the related technologies required to 
     enable these systems) through a consortium or other 
     appropriate entity with participants from institutions of 
     higher education, Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher

[[Page 12438]]

     education, Federal laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
                                 ______
                                 
  SA 2606. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by him to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Beginning on page 1, strike line 3 and all that follows 
     through page 211, line 6 and insert the following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--

[[Page 12439]]

       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or prosecute any of the offenses listed in 
     section 2516 of title 18, United States Code, and such 
     information shall not be disclosed to, retained by, or used 
     by any Federal agency or department for any use not permitted 
     under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives

[[Page 12440]]

     of this title, and the Federal government may undertake 
     efforts consistent with this subparagraph to limit the impact 
     on privacy and civil liberties of the sharing of cyber threat 
     information with the Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or

[[Page 12441]]

     mitigation of threats to information security across the 
     Federal government is shared effectively with the 
     cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;

[[Page 12442]]

       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

[[Page 12443]]



     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under

[[Page 12444]]

     subsection (b)(2) shall include policies and procedures 
     that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C.

[[Page 12445]]

     7406(d)(1)) is amended by striking ``section 3534(b)'' and 
     inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or

[[Page 12446]]

     any property traceable to such property, that such person 
     obtained, directly or indirectly, as a result of such 
     violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--

[[Page 12447]]

       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:

[[Page 12448]]

       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of the Office of Science 
     and Technology Policy under section 102 shall convene a task 
     force to explore mechanisms for carrying out collaborative 
     research and development activities for cyber-physical 
     systems (including the related technologies required to 
     enable these systems) through a consortium or other 
     appropriate entity with participants from institutions of 
     higher education, Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as each agency's share 
     of the total budget for the Program for the previous fiscal 
     year, as specified in the database under section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and

[[Page 12449]]

       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 401(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high-performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and
       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of Personnel Management, to request and fund a 
     security clearance for a scholarship recipient, including 
     providing for clearance during a summer internship and upon 
     graduation; and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Secretary 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.

[[Page 12450]]

       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Secretary finds necessary to carry out 
     the requirements of this subsection for fiscal years 2012 
     through 2013.''.
                                 ______
                                 
  SA 2607. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by him to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Beginning on page 1, strike line 3 and all that follows 
     through page 211, line 6 and insert the following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.

[[Page 12451]]

Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will

[[Page 12452]]

     impede the performance of a critical mission of the Federal 
     department or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or prosecute any of the offenses listed in 
     section 2516 of title 18, United States Code, and such 
     information shall not be disclosed to, retained by, or used 
     by any Federal agency or department for any use not permitted 
     under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.

[[Page 12453]]

       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal

[[Page 12454]]

     department or agency receiving cyber threat information from 
     such cybersecurity centers, with the procedures required 
     under section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.

[[Page 12455]]

       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or

[[Page 12456]]

     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the

[[Page 12457]]

     agencywide information security program (and practices). The 
     criteria shall include measures to assess any conflicts of 
     interest in the performance of the evaluation and whether the 
     agencywide information security program includes appropriate 
     safeguards against disclosure of information where such 
     disclosure may adversely affect information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

[[Page 12458]]



                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy

[[Page 12459]]

     or terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:

[[Page 12460]]

       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of the Office of Science 
     and Technology Policy under section 102 shall convene a task 
     force to explore mechanisms for carrying out collaborative 
     research and development activities for cyber-physical 
     systems (including the related technologies required to 
     enable these systems) through a consortium or other 
     appropriate entity with participants from institutions of 
     higher education, Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields,

[[Page 12461]]

     including by women and underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as each agency's share 
     of the total budget for the Program for the previous fiscal 
     year, as specified in the database under section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 401(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high-performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and
       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;

[[Page 12462]]

       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of Personnel Management, to request and fund a 
     security clearance for a scholarship recipient, including 
     providing for clearance during a summer internship and upon 
     graduation; and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Director 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of

[[Page 12463]]

     the Cyber Security Research and Development Act (15 U.S.C. 
     7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
                                 ______
                                 
  SA 2608. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by him to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given

[[Page 12464]]

     the term in section 3502 of title 44, United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or prosecute any of the offenses listed in 
     section 2516 of title 18, United States Code, and such 
     information shall not be disclosed to, retained by, or used 
     by any Federal agency or department for any use not permitted 
     under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and

[[Page 12465]]

       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit

[[Page 12466]]

     the procedures required by this section to Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or

[[Page 12467]]

     information that is stored on, processed by, or transiting an 
     information system to inadvertently enable the defeat of a 
     technical or operational control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;

       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;

[[Page 12468]]

       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as

[[Page 12469]]

     part of the acquisition and ongoing management of each agency 
     information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

[[Page 12470]]



     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding,

[[Page 12471]]

     shall be governed by the provisions of section 413 of the 
     Comprehensive Drug Abuse Prevention and Control Act of 1970 
     (21 U.S.C. 853), except subsection (d) of that section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15

[[Page 12472]]

     U.S.C. 5511) is amended by adding at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.

[[Page 12473]]

       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of the Office of Science 
     and Technology Policy under section 102 shall convene a task 
     force to explore mechanisms for carrying out collaborative 
     research and development activities for cyber-physical 
     systems (including the related technologies required to 
     enable these systems) through a consortium or other 
     appropriate entity with participants from institutions of 
     higher education, Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as each agency's share 
     of the total budget for the Program for the previous fiscal 
     year, as specified in the database under section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

[[Page 12474]]

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 401(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high-performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and
       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``HIGH-PERFORMANCE 
     COMPUTING'' and inserting ``NETWORKING AND INFORMATION 
     TECHNOLOGY''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of Personnel Management, to request and fund a 
     security clearance for a scholarship recipient, including 
     providing for clearance during a summer internship and upon 
     graduation; and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Director 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;

[[Page 12475]]

       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
                                 ______
                                 
  SA 2609. Mr. PAUL submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       At the appropriate place, insert the following:

     SEC. __. LIMITATION ON FOREIGN ASSISTANCE TO PAKISTAN.

       No amounts may be obligated or expended to provide any 
     direct United States assistance to the Government of Pakistan 
     unless the President certifies to Congress that--
       (1) Dr. Shakil Afridi has been released from prison in 
     Pakistan;
       (2) any criminal charges brought against Dr. Afridi, 
     including treason, have been dropped; and
       (3) if necessary to ensure his freedom, Dr. Afridi has been 
     allowed to leave Pakistan.
                                 ______
                                 
  SA 2610. Mrs. HUTCHISON submitted an amendment intended to be 
proposed by her to the bill S. 3414, to enhance the security and 
resiliency of the cyber and communications infrastructure of the United 
States; which was ordered to lie on the table; as follows:

       Beginning on page 106, strike line 8 and all that follows 
     through page 156, line 13, and insert the following:

           TITLE III--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 301. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Cybersecurity Act of 2012, the agencies 
     under subsection (a)(3)(B), working through the National 
     Science and Technology Council and with the assistance of the 
     Office of Science and Technology Policy shall develop a 5-
     year strategic plan to guide the activities under subsection 
     (a)(1).

[[Page 12476]]

       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 302. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and

[[Page 12477]]

       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     302(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Cybersecurity Act of 2012, the Director 
     of the Office of Science and Technology Policy under section 
     102 shall convene a task force to explore mechanisms for 
     carrying out collaborative research and development 
     activities for cyber-physical systems (including the related 
     technologies required to enable these systems) through a 
     consortium or other appropriate entity with participants from 
     institutions of higher education, Federal laboratories, and 
     industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Cybersecurity Act of 2012, the Director of 
     the Office of Science and Technology Policy shall transmit to 
     the Committee on Commerce, Science, and Transportation of the 
     Senate and the Committee on Science and Technology of the 
     House of Representatives a report describing the findings and 
     recommendations of the task force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 303. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as each agency's share 
     of the total budget for the Program for the previous fiscal 
     year, as specified in the database under section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 304. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 305. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';

[[Page 12478]]

       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 301(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high-performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and
       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``HIGH-PERFORMANCE 
     COMPUTING'' and inserting ``NETWORKING AND INFORMATION 
     TECHNOLOGY''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 306. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of Personnel Management, to request and fund a 
     security clearance for a scholarship recipient, including 
     providing for clearance during a summer internship and upon 
     graduation; and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;

[[Page 12479]]

       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Director 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 307. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 308. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 309. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 310. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
                                 ______
                                 
  SA 2611. Mrs. HUTCHISON submitted an amendment intended to be 
proposed by her to the bill S. 3414, to enhance the security and 
resiliency of the cyber and communications infrastructure of the United 
States; which was ordered to lie on the table; as follows:

       Beginning on page 45, strike line 1 and all that follows 
     through page 87, line 22, and insert the following:

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information

[[Page 12480]]

     security controls over information resources that support 
     Federal operations and assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;

[[Page 12481]]

       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;

[[Page 12482]]

       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Cybersecurity Act of 2012, the Government 
     Accountability Office shall issue a report evaluating each 
     agency's status toward implementing this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--

[[Page 12483]]

       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.

       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.
                                 ______
                                 
  SA 2612. Mrs. HUTCHISON submitted an amendment intended to be 
proposed by her to the bill S. 3414, to enhance the security and 
resiliency of the cyber and communications infrastructure of the United 
States; which was ordered to lie on the table; as follows:

       Beginning on page 45, strike line 1 and all that follows 
     through the undesignated matter between lines 7 and 8 on page 
     106, and insert the following:

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.

[[Page 12484]]

       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and

[[Page 12485]]

       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.

[[Page 12486]]

       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Cybersecurity Act of 2012, the Government 
     Accountability Office shall issue a report evaluating each 
     agency's status toward implementing this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';

[[Page 12487]]

       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.
                                 ______
                                 
  SA 2613. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by her to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Beginning on page 1, strike line 3 and all that follows 
     through page 211, line 6 and insert the following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));

[[Page 12488]]

       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or

[[Page 12489]]

     prosecute any of the offenses listed in section 2516 of title 
     18, United States Code, and such information shall not be 
     disclosed to, retained by, or used by any Federal agency or 
     department for any use not permitted under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.

[[Page 12490]]

       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:

[[Page 12491]]

       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software

[[Page 12492]]

     restriction on, or audit of, access or use of an information 
     system or information that is stored on, processed by, or 
     transiting an information system that is intended to ensure 
     the confidentiality, integrity, or availability of that 
     system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer

[[Page 12493]]

     the functions described in this subchapter and has 
     information security duties as a primary duty of that 
     official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of

[[Page 12494]]

     Homeland Security, the Secretary of Commerce, and the 
     Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.

       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in

[[Page 12495]]

     the case of an offense under subsection (a)(2) of this 
     section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

[[Page 12496]]



            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';

[[Page 12497]]

       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of the Office of Science 
     and Technology Policy under section 102 shall convene a task 
     force to explore mechanisms for carrying out collaborative 
     research and development activities for cyber-physical 
     systems (including the related technologies required to 
     enable these systems) through a consortium or other 
     appropriate entity with participants from institutions of 
     higher education, Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as

[[Page 12498]]

     each agency's share of the total budget for the Program for 
     the previous fiscal year, as specified in the database under 
     section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 401(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high- performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and
       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``HIGH-PERFORMANCE 
     COMPUTING'' and inserting ``NETWORKING AND INFORMATION 
     TECHNOLOGY''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of

[[Page 12499]]

     Personnel Management, to request and fund a security 
     clearance for a scholarship recipient, including providing 
     for clearance during a summer internship and upon graduation; 
     and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Director 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat.

[[Page 12500]]

     4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
                                 ______
                                 
  SA 2614. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr. 
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of 
Wisconsin) submitted an amendment intended to be proposed by her to the 
bill S. 3414, to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; which was ordered 
to lie on the table; as follows:

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Strengthening and Enhancing Cybersecurity by Using 
     Research, Education, Information, and Technology Act of 
     2012'' or ``SECURE IT''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.

                     TITLE III--CRIMINAL PENALTIES

Sec. 301. Penalties for fraud and related activity in connection with 
              computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 401. National High-Performance Computing Program planning and 
              coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, 
              including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance 
              Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of 
              information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

       TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 101. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--
       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method

[[Page 12501]]

     for actively probing or passively monitoring an information 
     system for the purpose of discerning technical 
     vulnerabilities of the information system, if such method is 
     associated with a known or suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or prosecute any of the offenses listed in 
     section 2516 of title 18, United States Code, and such 
     information shall not be disclosed to, retained by, or used 
     by any Federal agency or department for any use not permitted 
     under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--Not later than 60 days after the date 
     of enactment of this Act, the heads of each department or 
     agency containing a cybersecurity center shall jointly 
     develop, promulgate, and submit to Congress procedures to 
     ensure that cyber threat information shared with or provided 
     to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.

[[Page 12502]]

       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.
       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 102, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 104. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 102(b); or

[[Page 12503]]

       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-Tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 102(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-Participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 102 for any use other than a use permitted under 
     subsection 102(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 105. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 103 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 102 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 101, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 102 of this Act, including the appropriateness of any 
     subsequent use under section 102(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 103 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 106. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 102 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 107. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 102 of title I of the 
     Strengthening and Enhancing Cybersecurity by Using Research, 
     Education, Information, and Technology Act of 2012.''.

     SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government- wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.
       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information

[[Page 12504]]

     exfiltrated when it is necessary in order to identify or 
     describe a cybersecurity threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber threat information, and 
     deterioration of security control affecting agency 
     information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--

[[Page 12505]]

       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and
       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under

[[Page 12506]]

     section 3553. The training shall inform each information 
     security personnel that has access to agency information 
     systems (including contractors and other users of information 
     systems that support the operations and assets of the agency) 
     of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Government Accountability Office shall issue a 
     report evaluating each agency's status toward implementing 
     this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs

[[Page 12507]]

     (2) and (3) of section 20(a) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and 
     (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 203. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 205. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                     TITLE III--CRIMINAL PENALTIES

     SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 302. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the completed offense'' after 
     ``punished as provided''.

     SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.

[[Page 12508]]

       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 307. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

            TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the agencies under subsection (a)(3)(B), working 
     through the National Science and Technology Council and with 
     the assistance of the Office of Science and Technology Policy 
     shall develop a 5-year strategic plan to guide the activities 
     under subsection (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic plan and the source of funding by 
     agency for the current fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research

[[Page 12509]]

     and development activities, including activities described in 
     section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.
       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     402(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment of the Strengthening and Enhancing 
     Cybersecurity by Using Research, Education, Information, and 
     Technology Act of 2012, the Director of

[[Page 12510]]

     the Office of Science and Technology Policy under section 102 
     shall convene a task force to explore mechanisms for carrying 
     out collaborative research and development activities for 
     cyber-physical systems (including the related technologies 
     required to enable these systems) through a consortium or 
     other appropriate entity with participants from institutions 
     of higher education, Federal laboratories, and industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Strengthening and Enhancing Cybersecurity by 
     Using Research, Education, Information, and Technology Act of 
     2012, the Director of the Office of Science and Technology 
     Policy shall transmit to the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on Science 
     and Technology of the House of Representatives a report 
     describing the findings and recommendations of the task 
     force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 403. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as each agency's share 
     of the total budget for the Program for the previous fiscal 
     year, as specified in the database under section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--
       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 401(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high- performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and

[[Page 12511]]

       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``HIGH-PERFORMANCE 
     COMPUTING'' and inserting ``NETWORKING AND INFORMATION 
     TECHNOLOGY''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of Personnel Management, to request and fund a 
     security clearance for a scholarship recipient, including 
     providing for clearance during a summer internship and upon 
     graduation; and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.
       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Director 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and

[[Page 12512]]

       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
                                 ______
                                 
  SA 2615. Mrs. HUTCHISON submitted an amendment intended to be 
proposed by her to the bill S. 3414, to enhance the security and 
resiliency of the cyber and communications infrastructure of the United 
States; which was ordered to lie on the table; as follows:

       Beginning on page 45, strike line 1 and all that follows 
     through page 212, line 6, and insert the following:

       TITLE II--FACILITATING SHARING OF CYBER THREAT INFORMATION

     SEC. 201. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1(a) of the 
     Clayton Act (15 U.S.C. 12(a));
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Countermeasure.--The term ``countermeasure'' means an 
     automated or a manual action with defensive intent to 
     mitigate cyber threats.
       (4) Cyber threat information.--The term ``cyber threat 
     information'' means information that indicates or describes--
       (A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       (B) an action or operation to mitigate a cyber threat;
       (C) malicious reconnaissance, including anomalous patterns 
     of network activity that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat;
       (D) a method of defeating a technical control;
       (E) a method of defeating an operational control;
       (F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       (G) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       (H) any other attribute of a cybersecurity threat or cyber 
     defense information that would foster situational awareness 
     of the United States cybersecurity posture, if disclosure of 
     such attribute or information is not otherwise prohibited by 
     law;
       (I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       (J) any combination of subparagraphs (A) through (I).
       (5) Cybersecurity center.--The term ``cybersecurity 
     center'' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       (6) Cybersecurity system.--The term ``cybersecurity 
     system'' means a system designed or employed to ensure the 
     integrity, confidentiality, or availability of, or to 
     safeguard, a system or network, including measures intended 
     to protect a system or network from--
       (A) efforts to degrade, disrupt, or destroy such system or 
     network; or
       (B) theft or misappropriations of private or government 
     information, intellectual property, or personally 
     identifiable information.
       (7) Entity.--

[[Page 12513]]

       (A) In general.--The term ``entity'' means any private 
     entity, non-Federal government agency or department, or 
     State, tribal, or local government agency or department 
     (including an officer, employee, or agent thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department (including an officer, employee, or 
     agent thereof) of the District of Columbia, the Commonwealth 
     of Puerto Rico, the Virgin Islands, Guam, American Samoa, the 
     Northern Mariana Islands, and any other territory or 
     possession of the United States.
       (8) Federal information system.--The term ``Federal 
     information system'' means an information system of a Federal 
     department or agency used or operated by an executive agency, 
     by a contractor of an executive agency, or by another 
     organization on behalf of an executive agency.
       (9) Information security.--The term ``information 
     security'' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       (A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       (B) confidentiality, by preserving authorized restrictions 
     on access and disclosure, including means for protecting 
     personal privacy and proprietary information; or
       (C) availability, by ensuring timely and reliable access to 
     and use of information.
       (10) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other general purpose political subdivision of a State.
       (12) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (13) Operational control.--The term ``operational control'' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       (14) Operational vulnerability.--The term ``operational 
     vulnerability'' means any attribute of policy, process, or 
     procedure that could enable or facilitate the defeat of an 
     operational control.
       (15) Private entity.--The term ``private entity'' means any 
     individual or any private group, organization, or 
     corporation, including an officer, employee, or agent 
     thereof.
       (16) Significant cyber incident.--The term ``significant 
     cyber incident'' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       (A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       (B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       (17) Technical control.--The term ``technical control'' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.
       (18) Technical vulnerability.--The term ``technical 
     vulnerability'' means any attribute of hardware or software 
     that could enable or facilitate the defeat of a technical 
     control.
       (19) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 202. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.

       (a) Voluntary Disclosure.--
       (1) Private entities.--Notwithstanding any other provision 
     of law, a private entity may, for the purpose of preventing, 
     investigating, or otherwise mitigating threats to information 
     security, on its own networks, or as authorized by another 
     entity, on such entity's networks, employ countermeasures and 
     use cybersecurity systems in order to obtain, identify, or 
     otherwise possess cyber threat information.
       (2) Entities.--Notwithstanding any other provision of law, 
     an entity may disclose cyber threat information to--
       (A) a cybersecurity center; or
       (B) any other entity in order to assist with preventing, 
     investigating, or otherwise mitigating threats to information 
     security.
       (3) Information security providers.--If the cyber threat 
     information described in paragraph (1) is obtained, 
     identified, or otherwise possessed in the course of providing 
     information security products or services under contract to 
     another entity, that entity shall be given, at any time prior 
     to disclosure of such information, a reasonable opportunity 
     to authorize or prevent such disclosure, to request 
     anonymization of such information, or to request that 
     reasonable efforts be made to safeguard such information that 
     identifies specific persons from unauthorized access or 
     disclosure.
       (b) Significant Cyber Incidents Involving Federal 
     Information Systems.--
       (1) In general.--An entity providing electronic 
     communication services, remote computing services, or 
     information security services to a Federal department or 
     agency shall inform the Federal department or agency of a 
     significant cyber incident involving the Federal information 
     system of that Federal department or agency that--
       (A) is directly known to the entity as a result of 
     providing such services;
       (B) is directly related to the provision of such services 
     by the entity; and
       (C) as determined by the entity, has impeded or will impede 
     the performance of a critical mission of the Federal 
     department or agency.
       (2) Advance coordination.--A Federal department or agency 
     receiving the services described in paragraph (1) shall 
     coordinate in advance with an entity described in paragraph 
     (1) to develop the parameters of any information that may be 
     provided under paragraph (1), including clarification of the 
     type of significant cyber incident that will impede the 
     performance of a critical mission of the Federal department 
     or agency.
       (3) Report.--A Federal department or agency shall report 
     information provided under this subsection to a cybersecurity 
     center.
       (4) Construction.--Any information provided to a 
     cybersecurity center under paragraph (3) shall be treated in 
     the same manner as information provided to a cybersecurity 
     center under subsection (a).
       (c) Information Shared With or Provided to a Cybersecurity 
     Center.--Cyber threat information provided to a cybersecurity 
     center under this section--
       (1) may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable Federal law, any Federal 
     agency or department, component, officer, employee, or agent 
     of the Federal government for a cybersecurity purpose, a 
     national security purpose, or in order to prevent, 
     investigate, or prosecute any of the offenses listed in 
     section 2516 of title 18, United States Code, and such 
     information shall not be disclosed to, retained by, or used 
     by any Federal agency or department for any use not permitted 
     under this paragraph;
       (2) may, with the prior written consent of the entity 
     submitting such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except that if the need for immediate 
     disclosure prevents obtaining written consent, such consent 
     may be provided orally with subsequent documentation of such 
     consent;
       (3) shall be considered the commercial, financial, or 
     proprietary information of the entity providing such 
     information to the Federal government and any disclosure 
     outside the Federal government may only be made upon the 
     prior written consent by such entity and shall not constitute 
     a waiver of any applicable privilege or protection provided 
     by law, except that if the need for immediate disclosure 
     prevents obtaining written consent, such consent may be 
     provided orally with subsequent documentation of such 
     consent;
       (4) shall be deemed voluntarily shared information and 
     exempt from disclosure under section 552 of title 5, United 
     States Code, and any State, tribal, or local law requiring 
     disclosure of information or records;
       (5) shall be, without discretion, withheld from the public 
     under section 552(b)(3)(B) of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records;
       (6) shall not be subject to the rules of any Federal agency 
     or department or any judicial doctrine regarding ex parte 
     communications with a decision-making official;
       (7) shall not, if subsequently provided to a State, tribal, 
     or local government or government agency, otherwise be 
     disclosed or distributed to any entity by such State, tribal, 
     or local government or government agency without the prior 
     written consent of the entity submitting such information, 
     notwithstanding any State, tribal, or local law requiring 
     disclosure of information or records, except that if the need 
     for immediate disclosure prevents obtaining written consent, 
     such consent may be provided orally with subsequent 
     documentation of such consent; and
       (8) shall not be directly used by any Federal, State, 
     tribal, or local department or agency to regulate the lawful 
     activities of an entity, including activities relating to 
     obtaining, identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this paragraph.
       (d) Procedures Relating to Information Sharing With a 
     Cybersecurity Center.--

[[Page 12514]]

     Not later than 60 days after the date of enactment of this 
     Act, the heads of each department or agency containing a 
     cybersecurity center shall jointly develop, promulgate, and 
     submit to Congress procedures to ensure that cyber threat 
     information shared with or provided to--
       (1) a cybersecurity center under this section--
       (A) may be submitted to a cybersecurity center by an 
     entity, to the greatest extent possible, through a uniform, 
     publicly available process or format that is easily 
     accessible on the website of such cybersecurity center, and 
     that includes the ability to provide relevant details about 
     the cyber threat information and written consent to any 
     subsequent disclosures authorized by this paragraph;
       (B) shall immediately be further shared with each 
     cybersecurity center in order to prevent, investigate, or 
     otherwise mitigate threats to information security across the 
     Federal government;
       (C) is handled by the Federal government in a reasonable 
     manner, including consideration of the need to protect the 
     privacy and civil liberties of individuals through 
     anonymization or other appropriate methods, while fully 
     accomplishing the objectives of this title, and the Federal 
     government may undertake efforts consistent with this 
     subparagraph to limit the impact on privacy and civil 
     liberties of the sharing of cyber threat information with the 
     Federal government; and
       (D) except as provided in this section, shall only be used, 
     disclosed, or handled in accordance with the provisions of 
     subsection (c); and
       (2) a Federal agency or department under subsection (b) is 
     provided immediately to a cybersecurity center in order to 
     prevent, investigate, or otherwise mitigate threats to 
     information security across the Federal government.
       (e) Information Shared Between Entities.--
       (1) In general.--An entity sharing cyber threat information 
     with another entity under this title may restrict the use or 
     sharing of such information by such other entity.
       (2) Further sharing.--Cyber threat information shared by 
     any entity with another entity under this title--
       (A) shall only be further shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     entity authorizing such sharing, such as appropriate 
     anonymization of such information; and
       (B) may not be used by any entity to gain an unfair 
     competitive advantage to the detriment of the entity 
     authorizing the sharing of such information, except that the 
     conduct described in paragraph (3) shall not constitute 
     unfair competitive conduct.
       (3) Information shared with state, tribal, or local 
     government or government agency.--Cyber threat information 
     shared with a State, tribal, or local government or 
     government agency under this title--
       (A) may, with the prior written consent of the entity 
     sharing such information, be disclosed to and used by a 
     State, tribal, or local government or government agency for 
     the purpose of protecting information systems, or in 
     furtherance of preventing, investigating, or prosecuting a 
     criminal act, except if the need for immediate disclosure 
     prevents obtaining written consent, consent may be provided 
     orally with subsequent documentation of the consent;
       (B) shall be deemed voluntarily shared information and 
     exempt from disclosure under any State, tribal, or local law 
     requiring disclosure of information or records;
       (C) shall not be disclosed or distributed to any entity by 
     the State, tribal, or local government or government agency 
     without the prior written consent of the entity submitting 
     such information, notwithstanding any State, tribal, or local 
     law requiring disclosure of information or records, except if 
     the need for immediate disclosure prevents obtaining written 
     consent, consent may be provided orally with subsequent 
     documentation of the consent; and
       (D) shall not be directly used by any State, tribal, or 
     local department or agency to regulate the lawful activities 
     of an entity, including activities relating to obtaining, 
     identifying, or otherwise possessing cyber threat 
     information, except that the procedures required to be 
     developed and implemented under this title shall not be 
     considered regulations within the meaning of this 
     subparagraph.
       (4) Antitrust exemption.--The exchange or provision of 
     cyber threat information or assistance between 2 or more 
     private entities under this title shall not be considered a 
     violation of any provision of antitrust laws if exchanged or 
     provided in order to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of threats to information security; or
       (B) communicating or disclosing of cyber threat information 
     to help prevent, investigate or otherwise mitigate the 
     effects of a threat to information security.
       (5) No right or benefit.--The provision of cyber threat 
     information to an entity under this section shall not create 
     a right or a benefit to similar information by such entity or 
     any other entity.
       (f) Federal Preemption.--
       (1) In general.--This section supersedes any statute or 
     other law of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under this section.
       (2) State law enforcement.--Nothing in this section shall 
     be construed to supersede any statute or other law of a State 
     or political subdivision of a State concerning the use of 
     authorized law enforcement techniques.
       (3) Public disclosure.--No information shared with or 
     provided to a State, tribal, or local government or 
     government agency pursuant to this section shall be made 
     publicly available pursuant to any State, tribal, or local 
     law requiring disclosure of information or records.
       (g) Civil and Criminal Liability.--
       (1) General protections.--
       (A) Private entities.--No cause of action shall lie or be 
     maintained in any court against any private entity for--
       (i) the use of countermeasures and cybersecurity systems as 
     authorized by this title;
       (ii) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (iii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     private entity.
       (B) Entities.--No cause of action shall lie or be 
     maintained in any court against any entity for--
       (i) the use, receipt, or disclosure of any cyber threat 
     information as authorized by this title; or
       (ii) the subsequent actions or inactions of any lawful 
     recipient of cyber threat information provided by such 
     entity.
       (2) Construction.--Nothing in this subsection shall be 
     construed as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, and use of classified information.
       (h) Otherwise Lawful Disclosures.--Nothing in this section 
     shall be construed to limit or prohibit otherwise lawful 
     disclosures of communications, records, or other information 
     by a private entity to any other governmental or private 
     entity not covered under this section.
       (i) Whistleblower Protection.--Nothing in this Act shall be 
     construed to preempt or preclude any employee from exercising 
     rights currently provided under any whistleblower law, rule, 
     or regulation.
       (j) Relationship to Other Laws.--The submission of cyber 
     threat information under this section to a cybersecurity 
     center shall not affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal government.

     SEC. 203. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.

       (a) Classified Information.--
       (1) Procedures.--Consistent with the protection of 
     intelligence sources and methods, and as otherwise determined 
     appropriate, the Director of National Intelligence and the 
     Secretary of Defense, in consultation with the heads of the 
     appropriate Federal departments or agencies, shall develop 
     and promulgate procedures to facilitate and promote--
       (A) the immediate sharing, through the cybersecurity 
     centers, of classified cyber threat information in the 
     possession of the Federal government with appropriately 
     cleared representatives of any appropriate entity; and
       (B) the declassification and immediate sharing, through the 
     cybersecurity centers, with any entity or, if appropriate, 
     public availability of cyber threat information in the 
     possession of the Federal government;
       (2) Handling of classified information.--The procedures 
     developed under paragraph (1) shall ensure that each entity 
     receiving classified cyber threat information pursuant to 
     this section has acknowledged in writing the ongoing 
     obligation to comply with all laws, executive orders, and 
     procedures concerning the appropriate handling, disclosure, 
     or use of classified information.
       (b) Unclassified Cyber Threat Information.--The heads of 
     each department or agency containing a cybersecurity center 
     shall jointly develop and promulgate procedures that ensure 
     that, consistent with the provisions of this section, 
     unclassified, including controlled unclassified, cyber threat 
     information in the possession of the Federal government--
       (1) is shared, through the cybersecurity centers, in an 
     immediate and adequate manner with appropriate entities; and
       (2) if appropriate, is made publicly available.
       (c) Development of Procedures.--
       (1) In general.--The procedures developed under this 
     section shall incorporate, to the greatest extent possible, 
     existing processes utilized by sector specific information 
     sharing and analysis centers.
       (2) Coordination with entities.--In developing the 
     procedures required under this section, the Director of 
     National Intelligence and the heads of each department or 
     agency containing a cybersecurity center shall coordinate 
     with appropriate entities to ensure that protocols are 
     implemented that will facilitate and promote the sharing of 
     cyber threat information by the Federal government.

[[Page 12515]]

       (d) Additional Responsibilities of Cybersecurity Centers.--
     Consistent with section 202, a cybersecurity center shall--
       (1) facilitate information sharing, interaction, and 
     collaboration among and between cybersecurity centers and--
       (A) other Federal entities;
       (B) any entity; and
       (C) international partners, in consultation with the 
     Secretary of State;
       (2) disseminate timely and actionable cybersecurity threat, 
     vulnerability, mitigation, and warning information, including 
     alerts, advisories, indicators, signatures, and mitigation 
     and response measures, to improve the security and protection 
     of information systems; and
       (3) coordinate with other Federal entities, as appropriate, 
     to integrate information from across the Federal government 
     to provide situational awareness of the cybersecurity posture 
     of the United States.
       (e) Sharing Within the Federal Government.--The heads of 
     appropriate Federal departments and agencies shall ensure 
     that cyber threat information in the possession of such 
     Federal departments or agencies that relates to the 
     prevention, investigation, or mitigation of threats to 
     information security across the Federal government is shared 
     effectively with the cybersecurity centers.
       (f) Submission to Congress.--Not later than 60 days after 
     the date of enactment of this Act, the Director of National 
     Intelligence, in coordination with the appropriate head of a 
     department or an agency containing a cybersecurity center, 
     shall submit the procedures required by this section to 
     Congress.

     SEC. 204. CONSTRUCTION.

       (a) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and the Federal government, except as 
     specified under section 202(b); or
       (4) to modify the authority of a department or agency of 
     the Federal government to protect sources and methods and the 
     national security of the United States.
       (b) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit the Federal government--
       (1) to require an entity to share information with the 
     Federal government, except as expressly provided under 
     section 202(b); or
       (2) to condition the sharing of cyber threat information 
     with an entity on such entity's provision of cyber threat 
     information to the Federal government.
       (c) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized under this title.
       (d) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     government to retain or use any information shared under 
     section 202 for any use other than a use permitted under 
     section 202(c)(1).
       (e) No New Funding.--An applicable Federal agency shall 
     carry out the provisions of this title with existing 
     facilities and funds otherwise available, through such means 
     as the head of the agency considers appropriate.

     SEC. 205. REPORT ON IMPLEMENTATION.

       (a) Content of Report.--Not later than 1 year after the 
     date of enactment of this Act, and biennially thereafter, the 
     heads of each department or agency containing a cybersecurity 
     center shall jointly submit, in coordination with the privacy 
     and civil liberties officials of such departments or agencies 
     and the Privacy and Civil Liberties Oversight Board, a 
     detailed report to Congress concerning the implementation of 
     this title, including--
       (1) an assessment of the sufficiency of the procedures 
     developed under section 203 of this Act in ensuring that 
     cyber threat information in the possession of the Federal 
     government is provided in an immediate and adequate manner to 
     appropriate entities or, if appropriate, is made publicly 
     available;
       (2) an assessment of whether information has been 
     appropriately classified and an accounting of the number of 
     security clearances authorized by the Federal government for 
     purposes of this title;
       (3) a review of the type of cyber threat information shared 
     with a cybersecurity center under section 202 of this Act, 
     including whether such information meets the definition of 
     cyber threat information under section 201, the degree to 
     which such information may impact the privacy and civil 
     liberties of individuals, any appropriate metrics to 
     determine any impact of the sharing of such information with 
     the Federal government on privacy and civil liberties, and 
     the adequacy of any steps taken to reduce such impact;
       (4) a review of actions taken by the Federal government 
     based on information provided to a cybersecurity center under 
     section 202 of this Act, including the appropriateness of any 
     subsequent use under section 202(c)(1) of this Act and 
     whether there was inappropriate stovepiping within the 
     Federal government of any such information;
       (5) a description of any violations of the requirements of 
     this title by the Federal government;
       (6) a classified list of entities that received classified 
     information from the Federal government under section 203 of 
     this Act and a description of any indication that such 
     information may not have been appropriately handled;
       (7) a summary of any breach of information security, if 
     known, attributable to a specific failure by any entity or 
     the Federal government to act on cyber threat information in 
     the possession of such entity or the Federal government that 
     resulted in substantial economic harm or injury to a specific 
     entity or the Federal government; and
       (8) any recommendation for improvements or modifications to 
     the authorities under this title.
       (b) Form of Report.--The report under subsection (a) shall 
     be submitted in unclassified form, but shall include a 
     classified annex.

     SEC. 206. INSPECTOR GENERAL REVIEW.

       (a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency are authorized to review compliance 
     by the cybersecurity centers, and by any Federal department 
     or agency receiving cyber threat information from such 
     cybersecurity centers, with the procedures required under 
     section 202 of this Act.
       (b) Scope of Review.--The review under subsection (a) shall 
     consider whether the Federal government has handled such 
     cyber threat information in a reasonable manner, including 
     consideration of the need to protect the privacy and civil 
     liberties of individuals through anonymization or other 
     appropriate methods, while fully accomplishing the objectives 
     of this title.
       (c) Report to Congress.--Each review conducted under this 
     section shall be provided to Congress not later than 30 days 
     after the date of completion of the review.

     SEC. 207. TECHNICAL AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'';
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by adding at the end the following:
       ``(10) information shared with or provided to a 
     cybersecurity center under section 202 of title II of the 
     Cybersecurity Act of 2012.''.

     SEC. 208. ACCESS TO CLASSIFIED INFORMATION.

       (a) Authorization Required.--No person shall be provided 
     with access to classified information (as defined in section 
     6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to 
     classified national security information)) relating to cyber 
     security threats or cyber security vulnerabilities under this 
     title without the appropriate security clearances.
       (b) Security Clearances.--The appropriate Federal agencies 
     or departments shall, consistent with applicable procedures 
     and requirements, and if otherwise deemed appropriate, assist 
     an individual in timely obtaining an appropriate security 
     clearance where such individual has been determined to be 
     eligible for such clearance and has a need-to-know (as 
     defined in section 6.1 of that Executive Order) classified 
     information to carry out this title.

     TITLE III--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

     SEC. 301. COORDINATION OF FEDERAL INFORMATION SECURITY 
                   POLICY.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by striking subchapters II and III and 
     inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3551. Purposes

       ``The purposes of this subchapter are--
       ``(1) to provide a comprehensive framework for ensuring the 
     effectiveness of information security controls over 
     information resources that support Federal operations and 
     assets;
       ``(2) to recognize the highly networked nature of the 
     current Federal computing environment and provide effective 
     government-wide management of policies, directives, 
     standards, and guidelines, as well as effective and nimble 
     oversight of and response to information security risks, 
     including coordination of information security efforts 
     throughout the Federal civilian, national security, and law 
     enforcement communities;
       ``(3) to provide for development and maintenance of 
     controls required to protect agency information and 
     information systems and contribute to the overall improvement 
     of agency information security posture;
       ``(4) to provide for the development of tools and methods 
     to assess and respond to real-time situational risk for 
     Federal information system operations and assets; and
       ``(5) to provide a mechanism for improving agency 
     information security programs through continuous monitoring 
     of agency information systems and streamlined reporting 
     requirements rather than overly prescriptive manual 
     reporting.

     ``Sec. 3552. Definitions

       ``In this subchapter:
       ``(1) Adequate security.--The term `adequate security' 
     means security commensurate with the risk and magnitude of 
     the harm resulting from the unauthorized access to or loss, 
     misuse, destruction, or modification of information.

[[Page 12516]]

       ``(2) Agency.--The term `agency' has the meaning given the 
     term in section 3502 of title 44.
       ``(3) Cybersecurity center.--The term `cybersecurity 
     center' means the Department of Defense Cyber Crime Center, 
     the Intelligence Community Incident Response Center, the 
     United States Cyber Command Joint Operations Center, the 
     National Cyber Investigative Joint Task Force, the National 
     Security Agency/Central Security Service Threat Operations 
     Center, the National Cybersecurity and Communications 
     Integration Center, and any successor center.
       ``(4) Cyber threat information.--The term `cyber threat 
     information' means information that indicates or describes--
       ``(A) a technical or operation vulnerability or a cyber 
     threat mitigation measure;
       ``(B) an action or operation to mitigate a cyber threat;
       ``(C) malicious reconnaissance, including anomalous 
     patterns of network activity that appear to be transmitted 
     for the purpose of gathering technical information related to 
     a cybersecurity threat;
       ``(D) a method of defeating a technical control;
       ``(E) a method of defeating an operational control;
       ``(F) network activity or protocols known to be associated 
     with a malicious cyber actor or that signify malicious cyber 
     intent;
       ``(G) a method of causing a user with legitimate access to 
     an information system or information that is stored on, 
     processed by, or transiting an information system to 
     inadvertently enable the defeat of a technical or operational 
     control;
       ``(H) any other attribute of a cybersecurity threat or 
     cyber defense information that would foster situational 
     awareness of the United States cybersecurity posture, if 
     disclosure of such attribute or information is not otherwise 
     prohibited by law;
       ``(I) the actual or potential harm caused by a cyber 
     incident, including information exfiltrated when it is 
     necessary in order to identify or describe a cybersecurity 
     threat; or
       ``(J) any combination of subparagraphs (A) through (I).
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget unless otherwise 
     specified.
       ``(6) Environment of operation.--The term `environment of 
     operation' means the information system and environment in 
     which those systems operate, including changing threats, 
     vulnerabilities, technologies, and missions and business 
     practices.
       ``(7) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an executive agency, by a contractor of an 
     executive agency, or by another organization on behalf of an 
     executive agency.
       ``(8) Incident.--The term `incident' means an occurrence 
     that--
       ``(A) actually or imminently jeopardizes the integrity, 
     confidentiality, or availability of an information system or 
     the information that system controls, processes, stores, or 
     transmits; or
       ``(B) constitutes a violation of law or an imminent threat 
     of violation of a law, a security policy, a security 
     procedure, or an acceptable use policy.
       ``(9) Information resources.--The term `information 
     resources' has the meaning given the term in section 3502 of 
     title 44.
       ``(10) Information security.--The term `information 
     security' means protecting information and information 
     systems from disruption or unauthorized access, use, 
     disclosure, modification, or destruction in order to 
     provide--
       ``(A) integrity, by guarding against improper information 
     modification or destruction, including by ensuring 
     information nonrepudiation and authenticity;
       ``(B) confidentiality, by preserving authorized 
     restrictions on access and disclosure, including means for 
     protecting personal privacy and proprietary information; or
       ``(C) availability, by ensuring timely and reliable access 
     to and use of information.
       ``(11) Information system.--The term `information system' 
     has the meaning given the term in section 3502 of title 44.
       ``(12) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40.
       ``(13) Malicious reconnaissance.--The term `malicious 
     reconnaissance' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning technical vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       ``(14) National security system.--
       ``(A) In general.--The term `national security system' 
     means any information system (including any 
     telecommunications system) used or operated by an agency or 
     by a contractor of an agency, or other organization on behalf 
     of an agency--
       ``(i) the function, operation, or use of which--

       ``(I) involves intelligence activities;
       ``(II) involves cryptologic activities related to national 
     security;
       ``(III) involves command and control of military forces;
       ``(IV) involves equipment that is an integral part of a 
     weapon or weapons system; or
       ``(V) subject to subparagraph (B), is critical to the 
     direct fulfillment of military or intelligence missions; or

       ``(ii) is protected at all times by procedures established 
     for information that have been specifically authorized under 
     criteria established by an Executive Order or an Act of 
     Congress to be kept classified in the interest of national 
     defense or foreign policy.
       ``(B) Limitation.--Subparagraph (A)(i)(V) does not include 
     a system that is to be used for routine administrative and 
     business applications (including payroll, finance, logistics, 
     and personnel management applications).
       ``(15) Operational control.--The term `operational control' 
     means a security control for an information system that 
     primarily is implemented and executed by people.
       ``(16) Person.--The term `person' has the meaning given the 
     term in section 3502 of title 44.
       ``(17) Secretary.--The term `Secretary' means the Secretary 
     of Commerce unless otherwise specified.
       ``(18) Security control.--The term `security control' means 
     the management, operational, and technical controls, 
     including safeguards or countermeasures, prescribed for an 
     information system to protect the confidentiality, integrity, 
     and availability of the system and its information.
       ``(19) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident resulting in, or an 
     attempted cyber incident that, if successful, would have 
     resulted in--
       ``(A) the exfiltration from a Federal information system of 
     data that is essential to the operation of the Federal 
     information system; or
       ``(B) an incident in which an operational or technical 
     control essential to the security or operation of a Federal 
     information system was defeated.
       ``(20) Technical control.--The term `technical control' 
     means a hardware or software restriction on, or audit of, 
     access or use of an information system or information that is 
     stored on, processed by, or transiting an information system 
     that is intended to ensure the confidentiality, integrity, or 
     availability of that system.

     ``Sec. 3553. Federal information security authority and 
       coordination

       ``(a) In General.--The Secretary, in consultation with the 
     Secretary of Homeland Security, shall--
       ``(1) issue compulsory and binding policies and directives 
     governing agency information security operations, and require 
     implementation of such policies and directives, including--
       ``(A) policies and directives consistent with the standards 
     and guidelines promulgated under section 11331 of title 40 to 
     identify and provide information security protections 
     prioritized and commensurate with the risk and impact 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(B) minimum operational requirements for Federal 
     Government to protect agency information systems and provide 
     common situational awareness across all agency information 
     systems;
       ``(C) reporting requirements, consistent with relevant law, 
     regarding information security incidents and cyber threat 
     information;
       ``(D) requirements for agencywide information security 
     programs;
       ``(E) performance requirements and metrics for the security 
     of agency information systems;
       ``(F) training requirements to ensure that agencies are 
     able to fully and timely comply with the policies and 
     directives issued by the Secretary under this subchapter;
       ``(G) training requirements regarding privacy, civil 
     rights, and civil liberties, and information oversight for 
     agency information security personnel;
       ``(H) requirements for the annual reports to the Secretary 
     under section 3554(d);
       ``(I) any other information security operations or 
     information security requirements as determined by the 
     Secretary in coordination with relevant agency heads; and
       ``(J) coordinating the development of standards and 
     guidelines under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
     and offices operating or exercising control of national 
     security systems (including the National Security Agency) to 
     assure, to the maximum extent feasible, that such standards 
     and guidelines are complementary with standards and 
     guidelines developed for national security systems;
       ``(2) review the agencywide information security programs 
     under section 3554; and
       ``(3) designate an individual or an entity at each 
     cybersecurity center, among other responsibilities--
       ``(A) to receive reports and information about information 
     security incidents, cyber

[[Page 12517]]

     threat information, and deterioration of security control 
     affecting agency information systems; and
       ``(B) to act on or share the information under subparagraph 
     (A) in accordance with this subchapter.
       ``(b) Considerations.--When issuing policies and directives 
     under subsection (a), the Secretary shall consider any 
     applicable standards or guidelines developed by the National 
     Institute of Standards and Technology under section 11331 of 
     title 40.
       ``(c) Limitation of Authority.--The authorities of the 
     Secretary under this section shall not apply to national 
     security systems. Information security policies, directives, 
     standards and guidelines for national security systems shall 
     be overseen as directed by the President and, in accordance 
     with that direction, carried out under the authority of the 
     heads of agencies that operate or exercise authority over 
     such national security systems.
       ``(d) Statutory Construction.--Nothing in this subchapter 
     shall be construed to alter or amend any law regarding the 
     authority of any head of an agency over such agency.

     ``Sec. 3554. Agency responsibilities

       ``(a) In General.--The head of each agency shall--
       ``(1) be responsible for--
       ``(A) complying with the policies and directives issued 
     under section 3553;
       ``(B) providing information security protections 
     commensurate with the risk resulting from unauthorized 
     access, use, disclosure, disruption, modification, or 
     destruction of--
       ``(i) information collected or maintained by the agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency; and
       ``(ii) information systems used or operated by an agency or 
     by a contractor of an agency or other organization on behalf 
     of an agency;
       ``(C) complying with the requirements of this subchapter, 
     including--
       ``(i) information security standards and guidelines 
     promulgated under section 11331 of title 40;
       ``(ii) for any national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued as directed by 
     the President; and
       ``(iii) for any non-national security systems operated or 
     controlled by that agency, information security policies, 
     directives, standards and guidelines issued under section 
     3553;
       ``(D) ensuring that information security management 
     processes are integrated with agency strategic and 
     operational planning processes;
       ``(E) reporting and sharing, for an agency operating or 
     exercising control of a national security system, information 
     about information security incidents, cyber threat 
     information, and deterioration of security controls to the 
     individual or entity designated at each cybersecurity center 
     and to other appropriate entities consistent with policies 
     and directives for national security systems issued as 
     directed by the President; and
       ``(F) reporting and sharing, for those agencies operating 
     or exercising control of non-national security systems, 
     information about information security incidents, cyber 
     threat information, and deterioration of security controls to 
     the individual or entity designated at each cybersecurity 
     center and to other appropriate entities consistent with 
     policies and directives for non-national security systems as 
     prescribed under section 3553(a), including information to 
     assist the entity designated under section 3555(a) with the 
     ongoing security analysis under section 3555;
       ``(2) ensure that each senior agency official provides 
     information security for the information and information 
     systems that support the operations and assets under the 
     senior agency official's control, including by--
       ``(A) assessing the risk and impact that could result from 
     the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of such information or 
     information systems;
       ``(B) determining the level of information security 
     appropriate to protect such information and information 
     systems in accordance with policies and directives issued 
     under section 3553(a), and standards and guidelines 
     promulgated under section 11331 of title 40 for information 
     security classifications and related requirements;
       ``(C) implementing policies, procedures, and capabilities 
     to reduce risks to an acceptable level in a cost-effective 
     manner;
       ``(D) actively monitoring the effective implementation of 
     information security controls and techniques; and
       ``(E) reporting information about information security 
     incidents, cyber threat information, and deterioration of 
     security controls in a timely and adequate manner to the 
     entity designated under section 3553(a)(3) in accordance with 
     paragraph (1);
       ``(3) assess and maintain the resiliency of information 
     technology systems critical to agency mission and operations;
       ``(4) designate the agency Inspector General (or an 
     independent entity selected in consultation with the Director 
     and the Council of Inspectors General on Integrity and 
     Efficiency if the agency does not have an Inspector General) 
     to conduct the annual independent evaluation required under 
     section 3556, and allow the agency Inspector General to 
     contract with an independent entity to perform such 
     evaluation;
       ``(5) delegate to the Chief Information Officer or 
     equivalent (or to a senior agency official who reports to the 
     Chief Information Officer or equivalent)--
       ``(A) the authority and primary responsibility to implement 
     an agencywide information security program; and
       ``(B) the authority to provide information security for the 
     information collected and maintained by the agency (or by a 
     contractor, other agency, or other source on behalf of the 
     agency) and for the information systems that support the 
     operations, assets, and mission of the agency (including any 
     information system provided or managed by a contractor, other 
     agency, or other source on behalf of the agency);
       ``(6) delegate to the appropriate agency official (who is 
     responsible for a particular agency system or subsystem) the 
     responsibility to ensure and enforce compliance with all 
     requirements of the agency's agencywide information security 
     program in coordination with the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5);
       ``(7) ensure that an agency has trained personnel who have 
     obtained any necessary security clearances to permit them to 
     assist the agency in complying with this subchapter;
       ``(8) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5), 
     in coordination with other senior agency officials, reports 
     to the agency head on the effectiveness of the agencywide 
     information security program, including the progress of any 
     remedial actions; and
       ``(9) ensure that the Chief Information Officer or 
     equivalent (or the senior agency official who reports to the 
     Chief Information Officer or equivalent) under paragraph (5) 
     has the necessary qualifications to administer the functions 
     described in this subchapter and has information security 
     duties as a primary duty of that official.
       ``(b) Chief Information Officers.--Each Chief Information 
     Officer or equivalent (or the senior agency official who 
     reports to the Chief Information Officer or equivalent) under 
     subsection (a)(5) shall--
       ``(1) establish and maintain an enterprise security 
     operations capability that on a continuous basis--
       ``(A) detects, reports, contains, mitigates, and responds 
     to information security incidents that impair adequate 
     security of the agency's information or information system in 
     a timely manner and in accordance with the policies and 
     directives under section 3553; and
       ``(B) reports any information security incident under 
     subparagraph (A) to the entity designated under section 3555;
       ``(2) develop, maintain, and oversee an agencywide 
     information security program;
       ``(3) develop, maintain, and oversee information security 
     policies, procedures, and control techniques to address 
     applicable requirements, including requirements under section 
     3553 of this title and section 11331 of title 40; and
       ``(4) train and oversee the agency personnel who have 
     significant responsibility for information security with 
     respect to that responsibility.
       ``(c) Agencywide Information Security Programs.--
       ``(1) In general.--Each agencywide information security 
     program under subsection (b)(2) shall include--
       ``(A) relevant security risk assessments, including 
     technical assessments and others related to the acquisition 
     process;
       ``(B) security testing commensurate with risk and impact;
       ``(C) mitigation of deterioration of security controls 
     commensurate with risk and impact;
       ``(D) risk-based continuous monitoring and threat 
     assessment of the operational status and security of agency 
     information systems to enable evaluation of the effectiveness 
     of and compliance with information security policies, 
     procedures, and practices, including a relevant and 
     appropriate selection of security controls of information 
     systems identified in the inventory under section 3505(c);
       ``(E) operation of appropriate technical capabilities in 
     order to detect, mitigate, report, and respond to information 
     security incidents, cyber threat information, and 
     deterioration of security controls in a manner that is 
     consistent with the policies and directives under section 
     3553, including--
       ``(i) mitigating risks associated with such information 
     security incidents;
       ``(ii) notifying and consulting with the entity designated 
     under section 3555; and
       ``(iii) notifying and consulting with, as appropriate--

       ``(I) law enforcement and the relevant Office of the 
     Inspector General; and
       ``(II) any other entity, in accordance with law and as 
     directed by the President;

       ``(F) a process to ensure that remedial action is taken to 
     address any deficiencies in the information security 
     policies, procedures, and practices of the agency; and

[[Page 12518]]

       ``(G) a plan and procedures to ensure the continuity of 
     operations for information systems that support the 
     operations and assets of the agency.
       ``(2) Risk management strategies.--Each agencywide 
     information security program under subsection (b)(2) shall 
     include the development and maintenance of a risk management 
     strategy for information security. The risk management 
     strategy shall include--
       ``(A) consideration of information security incidents, 
     cyber threat information, and deterioration of security 
     controls; and
       ``(B) consideration of the consequences that could result 
     from the unauthorized access, use, disclosure, disruption, 
     modification, or destruction of information and information 
     systems that support the operations and assets of the agency, 
     including any information system provided or managed by a 
     contractor, other agency, or other source on behalf of the 
     agency;
       ``(3) Policies and procedures.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     policies and procedures that--
       ``(A) are based on the risk management strategy under 
     paragraph (2);
       ``(B) reduce information security risks to an acceptable 
     level in a cost-effective manner;
       ``(C) ensure that cost-effective and adequate information 
     security is addressed as part of the acquisition and ongoing 
     management of each agency information system; and
       ``(D) ensure compliance with--
       ``(i) this subchapter; and
       ``(ii) any other applicable requirements.
       ``(4) Training requirements.--Each agencywide information 
     security program under subsection (b)(2) shall include 
     information security, privacy, civil rights, civil liberties, 
     and information oversight training that meets any applicable 
     requirements under section 3553. The training shall inform 
     each information security personnel that has access to agency 
     information systems (including contractors and other users of 
     information systems that support the operations and assets of 
     the agency) of--
       ``(A) the information security risks associated with the 
     information security personnel's activities; and
       ``(B) the individual's responsibility to comply with the 
     agency policies and procedures that reduce the risks under 
     subparagraph (A).
       ``(d) Annual Report.--Each agency shall submit a report 
     annually to the Secretary of Homeland Security on its 
     agencywide information security program and information 
     systems.

     ``Sec. 3555. Multiagency ongoing threat assessment

       ``(a) Implementation.--The Director of the Office of 
     Management and Budget, in coordination with the Secretary of 
     Homeland Security, shall designate an entity to implement 
     ongoing security analysis concerning agency information 
     systems--
       ``(1) based on cyber threat information;
       ``(2) based on agency information system and environment of 
     operation changes, including--
       ``(A) an ongoing evaluation of the information system 
     security controls; and
       ``(B) the security state, risk level, and environment of 
     operation of an agency information system, including--
       ``(i) a change in risk level due to a new cyber threat;
       ``(ii) a change resulting from a new technology;
       ``(iii) a change resulting from the agency's mission; and
       ``(iv) a change resulting from the business practice; and
       ``(3) using automated processes to the maximum extent 
     possible--
       ``(A) to increase information system security;
       ``(B) to reduce paper-based reporting requirements; and
       ``(C) to maintain timely and actionable knowledge of the 
     state of the information system security.
       ``(b) Standards.--The National Institute of Standards and 
     Technology may promulgate standards, in coordination with the 
     Secretary of Homeland Security, to assist an agency with its 
     duties under this section.
       ``(c) Compliance.--The head of each appropriate department 
     and agency shall be responsible for ensuring compliance and 
     implementing necessary procedures to comply with this 
     section. The head of each appropriate department and agency, 
     in consultation with the Director of the Office of Management 
     and Budget and the Secretary of Homeland Security, shall--
       ``(1) monitor compliance under this section;
       ``(2) develop a timeline and implement for the department 
     or agency--
       ``(A) adoption of any technology, system, or method that 
     facilitates continuous monitoring and threat assessments of 
     an agency information system;
       ``(B) adoption or updating of any technology, system, or 
     method that prevents, detects, or remediates a significant 
     cyber incident to a Federal information system of the 
     department or agency that has impeded, or is reasonably 
     likely to impede, the performance of a critical mission of 
     the department or agency; and
       ``(C) adoption of any technology, system, or method that 
     satisfies a requirement under this section.
       ``(d) Limitation of Authority.--The authorities of the 
     Director of the Office of Management and Budget and of the 
     Secretary of Homeland Security under this section shall not 
     apply to national security systems.
       ``(e) Report.--Not later than 6 months after the date of 
     enactment of the Cybersecurity Act of 2012, the Government 
     Accountability Office shall issue a report evaluating each 
     agency's status toward implementing this section.

     ``Sec. 3556. Independent evaluations

       ``(a) In General.--The Council of the Inspectors General on 
     Integrity and Efficiency, in consultation with the Director 
     and the Secretary of Homeland Security, the Secretary of 
     Commerce, and the Secretary of Defense, shall issue and 
     maintain criteria for the timely, cost-effective, risk-based, 
     and independent evaluation of each agencywide information 
     security program (and practices) to determine the 
     effectiveness of the agencywide information security program 
     (and practices). The criteria shall include measures to 
     assess any conflicts of interest in the performance of the 
     evaluation and whether the agencywide information security 
     program includes appropriate safeguards against disclosure of 
     information where such disclosure may adversely affect 
     information security.
       ``(b) Annual Independent Evaluations.--Each agency shall 
     perform an annual independent evaluation of its agencywide 
     information security program (and practices) in accordance 
     with the criteria under subsection (a).
       ``(c) Distribution of Reports.--Not later than 30 days 
     after receiving an independent evaluation under subsection 
     (b), each agency head shall transmit a copy of the 
     independent evaluation to the Secretary of Homeland Security, 
     the Secretary of Commerce, and the Secretary of Defense.
       ``(d) National Security Systems.--Evaluations involving 
     national security systems shall be conducted as directed by 
     President.

     ``Sec. 3557. National security systems.

       ``The head of each agency operating or exercising control 
     of a national security system shall be responsible for 
     ensuring that the agency--
       ``(1) provides information security protections 
     commensurate with the risk and magnitude of the harm 
     resulting from the unauthorized access, use, disclosure, 
     disruption, modification, or destruction of the information 
     contained in such system; and
       ``(2) implements information security policies and 
     practices as required by standards and guidelines for 
     national security systems, issued in accordance with law and 
     as directed by the President.''.
       (b) Savings Provisions.--
       (1) Policy and compliance guidance.--Policy and compliance 
     guidance issued by the Director before the date of enactment 
     of this Act under section 3543(a)(1) of title 44, United 
     States Code (as in effect on the day before the date of 
     enactment of this Act), shall continue in effect, according 
     to its terms, until modified, terminated, superseded, or 
     repealed pursuant to section 3553(a)(1) of title 44, United 
     States Code.
       (2) Standards and guidelines.--Standards and guidelines 
     issued by the Secretary of Commerce or by the Director before 
     the date of enactment of this Act under section 11331(a)(1) 
     of title 40, United States Code, (as in effect on the day 
     before the date of enactment of this Act) shall continue in 
     effect, according to their terms, until modified, terminated, 
     superseded, or repealed pursuant to section 11331(a)(1) of 
     title 40, United States Code, as amended by this Act.
       (c) Technical and Conforming Amendments.--
       (1) Chapter analysis.--The chapter analysis for chapter 35 
     of title 44, United States Code, is amended--
       (A) by striking the items relating to sections 3531 through 
     3538;
       (B) by striking the items relating to sections 3541 through 
     3549; and
       (C) by inserting the following:

``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.

       (2) Other references.--
       (A) Section 1001(c)(1)(A) of the Homeland Security Act of 
     2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 
     3532(3)'' and inserting ``section 3552''.
       (B) Section 2222(j)(5) of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (C) Section 2223(c)(3) of title 10, United States Code, is 
     amended, by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (D) Section 2315 of title 10, United States Code, is 
     amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552''.
       (E) Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--

[[Page 12519]]

       (i) in subsection (a)(2), by striking ``section 
     3532(b)(2)'' and inserting ``section 3552'';
       (ii) in subsection (c)(3), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iii) in subsection (d)(1), by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (iv) in subsection (d)(8) by striking ``Director of the 
     Office of Management and Budget'' and inserting ``Secretary 
     of Commerce'';
       (v) in subsection (d)(8), by striking ``submitted to the 
     Director'' and inserting ``submitted to the Secretary'';
       (vi) in subsection (e)(2), by striking ``section 3532(1) of 
     such title'' and inserting ``section 3552 of title 44''; and
       (vii) in subsection (e)(5), by striking ``section 
     3532(b)(2) of such title'' and inserting ``section 3552 of 
     title 44''.
       (F) Section 8(d)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
     ``section 3534(b)'' and inserting ``section 3554(b)(2)''.

     SEC. 302. MANAGEMENT OF INFORMATION TECHNOLOGY.

       (a) In General.--Section 11331 of title 40, United States 
     Code, is amended to read as follows:

     ``Sec. 11331. Responsibilities for Federal information 
       systems standards

       ``(a) Standards and Guidelines.--
       ``(1) Authority to prescribe.--Except as provided under 
     paragraph (2), the Secretary of Commerce shall prescribe 
     standards and guidelines pertaining to Federal information 
     systems--
       ``(A) in consultation with the Secretary of Homeland 
     Security; and
       ``(B) on the basis of standards and guidelines developed by 
     the National Institute of Standards and Technology under 
     paragraphs (2) and (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)(2) and (a)(3)).
       ``(2) National security systems.--Standards and guidelines 
     for national security systems shall be developed, prescribed, 
     enforced, and overseen as otherwise authorized by law and as 
     directed by the President.
       ``(b) Mandatory Standards and Guidelines.--
       ``(1) Authority to make mandatory standards and 
     guidelines.--The Secretary of Commerce shall make standards 
     and guidelines under subsection (a)(1) compulsory and binding 
     to the extent determined necessary by the Secretary of 
     Commerce to improve the efficiency of operation or security 
     of Federal information systems.
       ``(2) Required mandatory standards and guidelines.--
       ``(A) In general.--Standards and guidelines under 
     subsection (a)(1) shall include information security 
     standards that--
       ``(i) provide minimum information security requirements as 
     determined under section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)); and
       ``(ii) are otherwise necessary to improve the security of 
     Federal information and information systems.
       ``(B) Binding effect.--Information security standards under 
     subparagraph (A) shall be compulsory and binding.
       ``(c) Exercise of Authority.--To ensure fiscal and policy 
     consistency, the Secretary of Commerce shall exercise the 
     authority conferred by this section subject to direction by 
     the President and in coordination with the Director.
       ``(d) Application of More Stringent Standards and 
     Guidelines.--The head of an executive agency may employ 
     standards for the cost-effective information security for 
     information systems within or under the supervision of that 
     agency that are more stringent than the standards and 
     guidelines the Secretary of Commerce prescribes under this 
     section if the more stringent standards and guidelines--
       ``(1) contain at least the applicable standards and 
     guidelines made compulsory and binding by the Secretary of 
     Commerce; and
       ``(2) are otherwise consistent with the policies, 
     directives, and implementation memoranda issued under section 
     3553(a) of title 44.
       ``(e) Decisions on Promulgation of Standards and 
     Guidelines.--The decision by the Secretary of Commerce 
     regarding the promulgation of any standard or guideline under 
     this section shall occur not later than 6 months after the 
     date of submission of the proposed standard to the Secretary 
     of Commerce by the National Institute of Standards and 
     Technology under section 20 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3).
       ``(f) Notice and Comment.--A decision by the Secretary of 
     Commerce to significantly modify, or not promulgate, a 
     proposed standard submitted to the Secretary by the National 
     Institute of Standards and Technology under section 20 of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3) shall be made after the public is given an 
     opportunity to comment on the Secretary's proposed decision.
       ``(g) Definitions.--In this section:
       ``(1) Federal information system.--The term `Federal 
     information system' has the meaning given the term in section 
     3552 of title 44.
       ``(2) Information security.--The term `information 
     security' has the meaning given the term in section 3552 of 
     title 44.
       ``(3) National security system.--The term `national 
     security system' has the meaning given the term in section 
     3552 of title 44.''.

     SEC. 303. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

     SEC. 304. TECHNICAL AND CONFORMING AMENDMENTS.

       Section 21(b) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-4(b)) is amended--
       (1) in paragraph (2), by striking ``and the Director of the 
     Office of Management and Budget'' and inserting ``, the 
     Secretary of Commerce, and the Secretary of Homeland 
     Security''; and
       (2) in paragraph (3), by inserting ``, the Secretary of 
     Homeland Security,'' after ``the Secretary of Commerce''.

     SEC. 305. CLARIFICATION OF AUTHORITIES.

       Nothing in this title shall be construed to convey any new 
     regulatory authority to any government entity implementing or 
     complying with any provision of this title.

                      TITLE IV--CRIMINAL PENALTIES

     SEC. 401. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     subsection (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (C), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both;
       ``(D) a fine under this title, imprisonment for not more 
     than 10 years, or both, for any other offense under 
     subsection (a)(5);
       ``(E) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(F) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 402. TRAFFICKING IN PASSWORDS.

       Section 1030(a)(6) of title 18, United States Code, is 
     amended to read as follows:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in any password or similar 
     information or means of access through which a protected 
     computer (as defined in subparagraphs (A) and (B) of 
     subsection (e)(2)) may be accessed without authorization.''.

     SEC. 403. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``as if for the

[[Page 12520]]

     completed offense'' after ``punished as provided''.

     SEC. 404. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such persons interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 405. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the term `computer' has the meaning given the term in 
     section 1030;
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) oil and gas production, storage, conversion, and 
     delivery systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power generation and delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public; and
       ``(3) the term `damage' has the meaning given the term in 
     section 1030.
       ``(b) Offense.--It shall be unlawful, during and in 
     relation to a felony violation of section 1030, to knowingly 
     cause or attempt to cause damage to a critical infrastructure 
     computer if the damage results in (or, in the case of an 
     attempt, if completed, would have resulted in) the 
     substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be--
       ``(1) fined under this title;
       ``(2) imprisoned for not less than 3 years but not more 
     than 20 years; or
       ``(3) penalized under paragraphs (1) and (2).
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for a felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The chapter 
     analysis for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 406. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

     SEC. 407. NO NEW FUNDING.

       An applicable Federal agency shall carry out the provisions 
     of this title with existing facilities and funds otherwise 
     available, through such means as the head of the agency 
     considers appropriate.

            TITLE V--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 501. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM 
                   PLANNING AND COORDINATION.

       (a) Goals and Priorities.--Section 101 of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511) is amended 
     by adding at the end the following:
       ``(d) Goals and Priorities.--The goals and priorities for 
     Federal high-performance computing research, development, 
     networking, and other activities under subsection (a)(2)(A) 
     shall include--
       ``(1) encouraging and supporting mechanisms for 
     interdisciplinary research and development in networking and 
     information technology, including--
       ``(A) through collaborations across agencies;
       ``(B) through collaborations across Program Component 
     Areas;
       ``(C) through collaborations with industry;
       ``(D) through collaborations with institutions of higher 
     education;
       ``(E) through collaborations with Federal laboratories (as 
     defined in section 4 of the Stevenson-Wydler Technology 
     Innovation Act of 1980 (15 U.S.C. 3703)); and
       ``(F) through collaborations with international 
     organizations;
       ``(2) addressing national, multi-agency, multi-faceted 
     challenges of national importance; and
       ``(3) fostering the transfer of research and development 
     results into new technologies and applications for the 
     benefit of society.''.
       (b) Development of Strategic Plan.--Section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511) is 
     amended by adding at the end the following:
       ``(e) Strategic Plan.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Cybersecurity Act of 2012, the agencies 
     under subsection (a)(3)(B), working through the National 
     Science and Technology Council and with the assistance of the 
     Office of Science and Technology Policy shall develop a 5-
     year strategic plan to guide the activities under subsection 
     (a)(1).
       ``(2) Contents.--The strategic plan shall specify--
       ``(A) the near-term objectives for the Program;
       ``(B) the long-term objectives for the Program;
       ``(C) the anticipated time frame for achieving the near-
     term objectives;
       ``(D) the metrics that will be used to assess any progress 
     made toward achieving the near-term objectives and the long-
     term objectives; and
       ``(E) how the Program will achieve the goals and priorities 
     under subsection (d).
       ``(3) Implementation roadmap.--
       ``(A) In general.--The agencies under subsection (a)(3)(B) 
     shall develop and annually update an implementation roadmap 
     for the strategic plan.
       ``(B) Requirements.--The information in the implementation 
     roadmap shall be coordinated with the database under section 
     102(c) and the annual report under section 101(a)(3). The 
     implementation roadmap shall--
       ``(i) specify the role of each Federal agency in carrying 
     out or sponsoring research and development to meet the 
     research objectives of the strategic plan, including a 
     description of how progress toward the research objectives 
     will be evaluated, with consideration of any relevant 
     recommendations of the advisory committee;
       ``(ii) specify the funding allocated to each major research 
     objective of the strategic

[[Page 12521]]

     plan and the source of funding by agency for the current 
     fiscal year; and
       ``(iii) estimate the funding required for each major 
     research objective of the strategic plan for the next 3 
     fiscal years.
       ``(4) Recommendations.--The agencies under subsection 
     (a)(3)(B) shall take into consideration when developing the 
     strategic plan under paragraph (1) the recommendations of--
       ``(A) the advisory committee under subsection (b); and
       ``(B) the stakeholders under section 102(a)(3).
       ``(5) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall transmit the strategic 
     plan under this subsection, including the implementation 
     roadmap and any updates under paragraph (3), to--
       ``(A) the advisory committee under subsection (b);
       ``(B) the Committee on Commerce, Science, and 
     Transportation of the Senate; and
       ``(C) the Committee on Science and Technology of the House 
     of Representatives.''.
       (c) Periodic Reviews.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended by adding 
     at the end the following:
       ``(f) Periodic Reviews.--The agencies under subsection 
     (a)(3)(B) shall--
       ``(1) periodically assess the contents and funding levels 
     of the Program Component Areas and restructure the Program 
     when warranted, taking into consideration any relevant 
     recommendations of the advisory committee under subsection 
     (b); and
       ``(2) ensure that the Program includes national, multi-
     agency, multi-faceted research and development activities, 
     including activities described in section 104.''.
       (d) Additional Responsibilities of Director.--Section 
     101(a)(2) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5511(a)(2)) is amended--
       (1) by redesignating subparagraphs (E) and (F) as 
     subparagraphs (G) and (H), respectively; and
       (2) by inserting after subparagraph (D) the following:
       ``(E) encourage and monitor the efforts of the agencies 
     participating in the Program to allocate the level of 
     resources and management attention necessary--
       ``(i) to ensure that the strategic plan under subsection 
     (e) is developed and executed effectively; and
       ``(ii) to ensure that the objectives of the Program are 
     met;
       ``(F) working with the Office of Management and Budget and 
     in coordination with the creation of the database under 
     section 102(c), direct the Office of Science and Technology 
     Policy and the agencies participating in the Program to 
     establish a mechanism (consistent with existing law) to track 
     all ongoing and completed research and development projects 
     and associated funding;''.
       (e) Advisory Committee.--Section 101(b) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is 
     amended--
       (1) in paragraph (1)--
       (A) by inserting after the first sentence the following: 
     ``The co-chairs of the advisory committee shall meet the 
     qualifications of committee members and may be members of the 
     Presidents Council of Advisors on Science and Technology.''; 
     and
       (B) by striking ``high-performance'' in subparagraph (D) 
     and inserting ``high-end''; and
       (2) by amending paragraph (2) to read as follows:
       ``(2) In addition to the duties under paragraph (1), the 
     advisory committee shall conduct periodic evaluations of the 
     funding, management, coordination, implementation, and 
     activities of the Program. The advisory committee shall 
     report its findings and recommendations not less frequently 
     than once every 3 fiscal years to the Committee on Commerce, 
     Science, and Transportation of the Senate and the Committee 
     on Science and Technology of the House of Representatives. 
     The report shall be submitted in conjunction with the update 
     of the strategic plan.''.
       (f) Report.--Section 101(a)(3) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
       (1) in subparagraph (C)--
       (A) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (B) by striking ``each Program Component Area'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104'';
       (2) in subparagraph (D)--
       (A) by striking ``each Program Component Area,'' and 
     inserting ``each Program Component Area and each research 
     area supported in accordance with section 104,'';
       (B) by striking ``is submitted,'' and inserting ``is 
     submitted, the levels for the previous fiscal year,''; and
       (C) by striking ``and'' after the semicolon;
       (3) by redesignating subparagraph (E) as subparagraph (G); 
     and
       (4) by inserting after subparagraph (D) the following:
       ``(E) include a description of how the objectives for each 
     Program Component Area, and the objectives for activities 
     that involve multiple Program Component Areas, relate to the 
     objectives of the Program identified in the strategic plan 
     under subsection (e);
       ``(F) include--
       ``(i) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the next 
     fiscal year by category of activity;
       ``(ii) a description of the funding required by the Office 
     of Science and Technology Policy to perform the functions 
     under subsections (a) and (c) of section 102 for the current 
     fiscal year by category of activity; and
       ``(iii) the amount of funding provided for the Office of 
     Science and Technology Policy for the current fiscal year by 
     each agency participating in the Program; and''.
       (g) Definitions.--Section 4 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5503) is amended--
       (1) by redesignating paragraphs (1) and (2) as paragraphs 
     (2) and (3), respectively;
       (2) by redesignating paragraph (3) as paragraph (6);
       (3) by redesignating paragraphs (6) and (7) as paragraphs 
     (7) and (8), respectively;
       (4) by inserting before paragraph (2), as redesignated, the 
     following:
       ``(1) `cyber-physical systems' means physical or engineered 
     systems whose networking and information technology functions 
     and physical elements are deeply integrated and are actively 
     connected to the physical world through sensors, actuators, 
     or other means to perform monitoring and control 
     functions;'';
       (5) in paragraph (3), as redesignated, by striking ``high-
     performance computing'' and inserting ``networking and 
     information technology'';
       (6) in paragraph (6), as redesignated--
       (A) by striking ``high-performance computing'' and 
     inserting ``networking and information technology''; and
       (B) by striking ``supercomputer'' and inserting ``high-end 
     computing'';
       (7) in paragraph (5), by striking ``network referred to 
     as'' and all that follows through the semicolon and inserting 
     ``network, including advanced computer networks of Federal 
     agencies and departments''; and
       (8) in paragraph (7), as redesignated, by striking 
     ``National High-Performance Computing Program'' and inserting 
     ``networking and information technology research and 
     development program''.

     SEC. 502. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       (a) Research in Areas of National Importance.--Title I of 
     the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et 
     seq.) is amended by adding at the end the following:

     ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.

       ``(a) In General.--The Program shall encourage agencies 
     under section 101(a)(3)(B) to support, maintain, and improve 
     national, multi-agency, multi-faceted, research and 
     development activities in networking and information 
     technology directed toward application areas that have the 
     potential for significant contributions to national economic 
     competitiveness and for other significant societal benefits.
       ``(b) Technical Solutions.--An activity under subsection 
     (a) shall be designed to advance the development of research 
     discoveries by demonstrating technical solutions to important 
     problems in areas including--
       ``(1) cybersecurity;
       ``(2) health care;
       ``(3) energy management and low-power systems and devices;
       ``(4) transportation, including surface and air 
     transportation;
       ``(5) cyber-physical systems;
       ``(6) large-scale data analysis and modeling of physical 
     phenomena;
       ``(7) large scale data analysis and modeling of behavioral 
     phenomena;
       ``(8) supply chain quality and security; and
       ``(9) privacy protection and protected disclosure of 
     confidential data.
       ``(c) Recommendations.--The advisory committee under 
     section 101(b) shall make recommendations to the Program for 
     candidate research and development areas for support under 
     this section.
       ``(d) Characteristics.--
       ``(1) In general.--Research and development activities 
     under this section--
       ``(A) shall include projects selected on the basis of 
     applications for support through a competitive, merit-based 
     process;
       ``(B) shall leverage, when possible, Federal investments 
     through collaboration with related State initiatives;
       ``(C) shall include a plan for fostering the transfer of 
     research discoveries and the results of technology 
     demonstration activities, including from institutions of 
     higher education and Federal laboratories, to industry for 
     commercial development;
       ``(D) shall involve collaborations among researchers in 
     institutions of higher education and industry; and
       ``(E) may involve collaborations among nonprofit research 
     institutions and Federal laboratories, as appropriate.
       ``(2) Cost-sharing.--In selecting applications for support, 
     the agencies under section 101(a)(3)(B) shall give special 
     consideration to projects that include cost sharing from non-
     Federal sources.

[[Page 12522]]

       ``(3) Multidisciplinary research centers.--Research and 
     development activities under this section shall be supported 
     through multidisciplinary research centers, including Federal 
     laboratories, that are organized to investigate basic 
     research questions and carry out technology demonstration 
     activities in areas described in subsection (a). Research may 
     be carried out through existing multidisciplinary centers, 
     including those authorized under section 7024(b)(2) of the 
     America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
       (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
     Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is 
     amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) provide for increased understanding of the scientific 
     principles of cyber-physical systems and improve the methods 
     available for the design, development, and operation of 
     cyber-physical systems that are characterized by high 
     reliability, safety, and security; and
       ``(K) provide for research and development on human-
     computer interactions, visualization, and big data.''.
       (c) Task Force.--Title I of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 
     502(a) of this Act, is amended by adding at the end the 
     following:

     ``SEC. 105. TASK FORCE.

       ``(a) Establishment.--Not later than 180 days after the 
     date of enactment the Cybersecurity Act of 2012, the Director 
     of the Office of Science and Technology Policy under section 
     102 shall convene a task force to explore mechanisms for 
     carrying out collaborative research and development 
     activities for cyber-physical systems (including the related 
     technologies required to enable these systems) through a 
     consortium or other appropriate entity with participants from 
     institutions of higher education, Federal laboratories, and 
     industry.
       ``(b) Functions.--The task force shall--
       ``(1) develop options for a collaborative model and an 
     organizational structure for such entity under which the 
     joint research and development activities could be planned, 
     managed, and conducted effectively, including mechanisms for 
     the allocation of resources among the participants in such 
     entity for support of such activities;
       ``(2) propose a process for developing a research and 
     development agenda for such entity, including guidelines to 
     ensure an appropriate scope of work focused on nationally 
     significant challenges and requiring collaboration and to 
     ensure the development of related scientific and 
     technological milestones;
       ``(3) define the roles and responsibilities for the 
     participants from institutions of higher education, Federal 
     laboratories, and industry in such entity;
       ``(4) propose guidelines for assigning intellectual 
     property rights and for transferring research results to the 
     private sector; and
       ``(5) make recommendations for how such entity could be 
     funded from Federal, State, and non-governmental sources.
       ``(c) Composition.--In establishing the task force under 
     subsection (a), the Director of the Office of Science and 
     Technology Policy shall appoint an equal number of 
     individuals from institutions of higher education and from 
     industry with knowledge and expertise in cyber-physical 
     systems, and may appoint not more than 2 individuals from 
     Federal laboratories.
       ``(d) Report.--Not later than 1 year after the date of 
     enactment of the Cybersecurity Act of 2012, the Director of 
     the Office of Science and Technology Policy shall transmit to 
     the Committee on Commerce, Science, and Transportation of the 
     Senate and the Committee on Science and Technology of the 
     House of Representatives a report describing the findings and 
     recommendations of the task force.
       ``(e) Termination.--The task force shall terminate upon 
     transmittal of the report required under subsection (d).
       ``(f) Compensation and Expenses.--Members of the task force 
     shall serve without compensation.''.

     SEC. 503. PROGRAM IMPROVEMENTS.

       Section 102 of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5512) is amended to read as follows:

     ``SEC. 102. PROGRAM IMPROVEMENTS.

       ``(a) Functions.--The Director of the Office of Science and 
     Technology Policy shall continue--
       ``(1) to provide technical and administrative support to--
       ``(A) the agencies participating in planning and 
     implementing the Program, including support needed to develop 
     the strategic plan under section 101(e); and
       ``(B) the advisory committee under section 101(b);
       ``(2) to serve as the primary point of contact on Federal 
     networking and information technology activities for 
     government agencies, academia, industry, professional 
     societies, State computing and networking technology 
     programs, interested citizen groups, and others to exchange 
     technical and programmatic information;
       ``(3) to solicit input and recommendations from a wide 
     range of stakeholders during the development of each 
     strategic plan under section 101(e) by convening at least 1 
     workshop with invitees from academia, industry, Federal 
     laboratories, and other relevant organizations and 
     institutions;
       ``(4) to conduct public outreach, including the 
     dissemination of the advisory committee's findings and 
     recommendations, as appropriate;
       ``(5) to promote access to and early application of the 
     technologies, innovations, and expertise derived from Program 
     activities to agency missions and systems across the Federal 
     Government and to United States industry;
       ``(6) to ensure accurate and detailed budget reporting of 
     networking and information technology research and 
     development investment; and
       ``(7) to encourage agencies participating in the Program to 
     use existing programs and resources to strengthen networking 
     and information technology education and training, and 
     increase participation in such fields, including by women and 
     underrepresented minorities.
       ``(b) Source of Funding.--
       ``(1) In general.--The functions under this section shall 
     be supported by funds from each agency participating in the 
     Program.
       ``(2) Specifications.--The portion of the total budget of 
     the Office of Science and Technology Policy that is provided 
     by each agency participating in the Program for each fiscal 
     year shall be in the same proportion as each agency's share 
     of the total budget for the Program for the previous fiscal 
     year, as specified in the database under section 102(c).
       ``(c) Database.--
       ``(1) In general.--The Director of the Office of Science 
     and Technology Policy shall develop and maintain a database 
     of projects funded by each agency for the fiscal year for 
     each Program Component Area.
       ``(2) Public accessibility.--The Director of the Office of 
     Science and Technology Policy shall make the database 
     accessible to the public.
       ``(3) Database contents.--The database shall include, for 
     each project in the database--
       ``(A) a description of the project;
       ``(B) each agency, industry, institution of higher 
     education, Federal laboratory, or international institution 
     involved in the project;
       ``(C) the source funding of the project (set forth by 
     agency);
       ``(D) the funding history of the project; and
       ``(E) whether the project has been completed.''.

     SEC. 504. IMPROVING EDUCATION OF NETWORKING AND INFORMATION 
                   TECHNOLOGY, INCLUDING HIGH PERFORMANCE 
                   COMPUTING.

       Section 201(a) of the High-Performance Computing Act of 
     1991 (15 U.S.C. 5521(a)) is amended--
       (1) by redesignating paragraphs (2) through (4) as 
     paragraphs (3) through (5), respectively; and
       (2) by inserting after paragraph (1) the following:
       ``(2) the National Science Foundation shall use its 
     existing programs, in collaboration with other agencies, as 
     appropriate, to improve the teaching and learning of 
     networking and information technology at all levels of 
     education and to increase participation in networking and 
     information technology fields;''.

     SEC. 505. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
                   PERFORMANCE COMPUTING ACT OF 1991.

       (a) Section 3.--Section 3 of the High-Performance Computing 
     Act of 1991 (15 U.S.C. 5502) is amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (2) in paragraph (1)--
       (A) in the matter preceding subparagraph (A), by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology'';
       (B) in subparagraphs (A), (F), and (G), by striking ``high-
     performance computing'' each place it appears and inserting 
     ``networking and information technology''; and
       (C) in subparagraph (H), by striking ``high-performance'' 
     and inserting ``high-end''; and
       (3) in paragraph (2)--
       (A) by striking ``high-performance computing and'' and 
     inserting ``networking and information technology, and''; and
       (B) by striking ``high-performance computing network'' and 
     inserting ``networking and information technology''.
       (b) Title Heading.--The heading of title I of the High-
     Performance Computing Act of 1991 (105 Stat. 1595) is amended 
     by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting 
     ``NETWORKING AND INFORMATION TECHNOLOGY''.
       (c) Section 101.--Section 101 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5511) is amended--
       (1) in the section heading, by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology research and development'';
       (2) in subsection (a)--

[[Page 12523]]

       (A) in the subsection heading, by striking ``National High-
     Performance Computing'' and inserting ``Networking and 
     Information Technology Research and Development'';
       (B) in paragraph (1)--
       (i) by striking ``National High-Performance Computing 
     Program'' and inserting ``networking and information 
     technology research and development program'';
       (ii) in subparagraph (A), by striking ``high-performance 
     computing, including networking'' and inserting ``networking 
     and information technology'';
       (iii) in subparagraphs (B) and (G), by striking ``high-
     performance'' each place it appears and inserting ``high-
     end''; and
       (iv) in subparagraph (C), by striking ``high-performance 
     computing and networking'' and inserting ``high-end 
     computing, distributed, and networking''; and
       (C) in paragraph (2)--
       (i) in subparagraphs (A) and (C)--

       (I) by striking ``high-performance computing'' each place 
     it appears and inserting ``networking and information 
     technology''; and
       (II) by striking ``development, networking,'' each place it 
     appears and inserting ``development,''; and

       (ii) in subparagraphs (G) and (H), as redesignated by 
     section 501(d) of this Act, by striking ``high-performance'' 
     each place it appears and inserting ``high-end'';
       (3) in subsection (b)(1), in the matter preceding 
     subparagraph (A), by striking ``high-performance computing'' 
     each place it appears and inserting ``networking and 
     information technology''; and
       (4) in subsection (c)(1)(A), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''.
       (d) Section 201.--Section 201(a)(1) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by 
     striking ``high-performance computing and advanced high-speed 
     computer networking'' and inserting ``networking and 
     information technology research and development''.
       (e) Section 202.--Section 202(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by 
     striking ``high-performance computing'' and inserting 
     ``networking and information technology''.
       (f) Section 203.--Section 203(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
       (1) in paragraph (1), by striking ``high-performance 
     computing and networking'' and inserting ``networking and 
     information technology''; and
       (2) in paragraph (2)(A), by striking ``high-performance'' 
     and inserting ``high-end''.
       (g) Section 204.--Section 204 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5524) is amended--
       (1) in subsection (a)(1)--
       (A) in subparagraph (A), by striking ``high-performance 
     computing systems and networks'' and inserting ``networking 
     and information technology systems and capabilities'';
       (B) in subparagraph (B), by striking ``interoperability of 
     high-performance computing systems in networks and for common 
     user interfaces to systems'' and inserting ``interoperability 
     and usability of networking and information technology 
     systems''; and
       (C) in subparagraph (C), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technology''; and
       (2) in subsection (b)--
       (A) by striking ``High-Performance Computing and Network'' 
     in the heading and inserting ``Networking and Information 
     Technology''; and
       (B) by striking ``sensitive''.
       (h) Section 205.--Section 205(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by 
     striking ``computational'' and inserting ``networking and 
     information technology''.
       (i) Section 206.--Section 206(a) of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by 
     striking ``computational research'' and inserting 
     ``networking and information technology research''.
       (j) Section 207.--Section 207 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5527) is amended by striking 
     ``high-performance computing'' and inserting ``networking and 
     information technology''.
       (k) Section 208.--Section 208 of the High-Performance 
     Computing Act of 1991 (15 U.S.C. 5528) is amended--
       (1) in the section heading, by striking ``HIGH-PERFORMANCE 
     COMPUTING'' and inserting ``NETWORKING AND INFORMATION 
     TECHNOLOGY''; and
       (2) in subsection (a)--
       (A) in paragraph (1), by striking ``High-performance 
     computing and associated'' and inserting ``Networking and 
     information'';
       (B) in paragraph (2), by striking ``high-performance 
     computing'' and inserting ``networking and information 
     technologies'';
       (C) in paragraph (3), by striking ``high-performance'' and 
     inserting ``high-end'';
       (D) in paragraph (4), by striking ``high-performance 
     computers and associated'' and inserting ``networking and 
     information''; and
       (E) in paragraph (5), by striking ``high-performance 
     computing and associated'' and inserting ``networking and 
     information''.

     SEC. 506. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Secretary of Homeland 
     Security, shall carry out a Federal cyber scholarship-for-
     service program to recruit and train the next generation of 
     information technology professionals and security managers to 
     meet the needs of the cybersecurity mission for the Federal 
     government.
       (b) Program Description and Components.--The program 
     shall--
       (1) annually assess the workforce needs of the Federal 
     government for cybersecurity professionals, including network 
     engineers, software engineers, and other experts in order to 
     determine how many scholarships should be awarded annually to 
     ensure that the workforce needs following graduation match 
     the number of scholarships awarded;
       (2) provide scholarships for up to 1,000 students per year 
     in their pursuit of undergraduate or graduate degrees in the 
     cybersecurity field, in an amount that may include coverage 
     for full tuition, fees, and a stipend;
       (3) require each scholarship recipient, as a condition of 
     receiving a scholarship under the program, to serve in a 
     Federal information technology workforce for a period equal 
     to one and one-half times each year, or partial year, of 
     scholarship received, in addition to an internship in the 
     cybersecurity field, if applicable, following graduation;
       (4) provide a procedure for the National Science Foundation 
     or a Federal agency, consistent with regulations of the 
     Office of Personnel Management, to request and fund a 
     security clearance for a scholarship recipient, including 
     providing for clearance during a summer internship and upon 
     graduation; and
       (5) provide opportunities for students to receive temporary 
     appointments for meaningful employment in the Federal 
     information technology workforce during school vacation 
     periods and for internships.
       (c) Hiring Authority.--
       (1) In general.--For purposes of any law or regulation 
     governing the appointment of an individual in the Federal 
     civil service, upon the successful completion of the 
     student's studies, a student receiving a scholarship under 
     the program may--
       (A) be hired under section 213.3102(r) of title 5, Code of 
     Federal Regulations; and
       (B) be exempt from competitive service.
       (2) Competitive service.--Upon satisfactory fulfillment of 
     the service term under paragraph (1), an individual may be 
     converted to a competitive service position without 
     competition if the individual meets the requirements for that 
     position.
       (d) Eligibility.--The eligibility requirements for a 
     scholarship under this section shall include that a 
     scholarship applicant--
       (1) be a citizen of the United States;
       (2) be eligible to be granted a security clearance;
       (3) maintain a grade point average of 3.2 or above on a 4.0 
     scale for undergraduate study or a 3.5 or above on a 4.0 
     scale for postgraduate study;
       (4) demonstrate a commitment to a career in improving the 
     security of the information infrastructure; and
       (5) has demonstrated a level of proficiency in math or 
     computer sciences.
       (e) Failure to Complete Service Obligation.--
       (1) In general.--A scholarship recipient under this section 
     shall be liable to the United States under paragraph (2) if 
     the scholarship recipient--
       (A) fails to maintain an acceptable level of academic 
     standing in the educational institution in which the 
     individual is enrolled, as determined by the Director;
       (B) is dismissed from such educational institution for 
     disciplinary reasons;
       (C) withdraws from the program for which the award was made 
     before the completion of such program;
       (D) declares that the individual does not intend to fulfill 
     the service obligation under this section;
       (E) fails to fulfill the service obligation of the 
     individual under this section; or
       (F) loses a security clearance or becomes ineligible for a 
     security clearance.
       (2) Repayment amounts.--
       (A) Less than 1 year of service.--If a circumstance under 
     paragraph (1) occurs before the completion of 1 year of a 
     service obligation under this section, the total amount of 
     awards received by the individual under this section shall be 
     repaid.
       (B) One or more years of service.--If a circumstance 
     described in subparagraph (D) or (E) of paragraph (1) occurs 
     after the completion of 1 year of a service obligation under 
     this section, the total amount of scholarship awards received 
     by the individual under this section, reduced by the ratio of 
     the number of years of service completed divided by the 
     number of years of service required, shall be repaid.
       (f) Evaluation and Report.--The Director of the National 
     Science Foundation shall--
       (1) evaluate the success of recruiting individuals for 
     scholarships under this section and of hiring and retaining 
     those individuals in the public sector workforce, including 
     the annual cost and an assessment of how the program actually 
     improves the Federal workforce; and
       (2) periodically report the findings under paragraph (1) to 
     Congress.

[[Page 12524]]

       (g) Authorization of Appropriations.--From amounts made 
     available under section 503 of the America COMPETES 
     Reauthorization Act of 2010 (124 Stat. 4005), the Director 
     may use funds to carry out the requirements of this section 
     for fiscal years 2012 through 2013.

     SEC. 507. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF 
                   INFORMATION INFRASTRUCTURE PROFESSIONALS.

       (a) Study.--The President shall enter into an agreement 
     with the National Academies to conduct a comprehensive study 
     of government, academic, and private-sector accreditation, 
     training, and certification programs for personnel working in 
     information infrastructure. The agreement shall require the 
     National Academies to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of personnel working in 
     information infrastructure should possess in order to secure 
     information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector accreditation, training, and certification 
     programs provide the body of knowledge and various skills 
     described in paragraph (1);
       (3) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (4) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academies shall submit to 
     the President and Congress a report on the results of the 
     study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure accreditation, training, and certification 
     programs, including specific areas of deficiency and 
     demonstrable progress; and
       (2) recommendations for the improvement of information 
     infrastructure accreditation, training, and certification 
     programs.

     SEC. 508. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

       (a) In General.--The Director of the National Institute of 
     Standards and Technology, in coordination with appropriate 
     Federal authorities, shall--
       (1) as appropriate, ensure coordination of Federal agencies 
     engaged in the development of international technical 
     standards related to information system security; and
       (2) not later than 1 year after the date of enactment of 
     this Act, develop and transmit to Congress a plan for 
     ensuring such Federal agency coordination.
       (b) Consultation With the Private Sector.--In carrying out 
     the activities under subsection (a)(1), the Director shall 
     ensure consultation with appropriate private sector 
     stakeholders.

     SEC. 509. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

       The Director of the National Institute of Standards and 
     Technology shall continue a program to support the 
     development of technical standards, metrology, testbeds, and 
     conformance criteria, taking into account appropriate user 
     concerns--
       (1) to improve interoperability among identity management 
     technologies;
       (2) to strengthen authentication methods of identity 
     management systems;
       (3) to improve privacy protection in identity management 
     systems, including health information technology systems, 
     through authentication and security protocols; and
       (4) to improve the usability of identity management 
     systems.

     SEC. 510. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' after the 
     semicolon;
       (2) in subparagraph (I), by striking ``property.'' and 
     inserting ``property;''; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are at the heart of 
     inter-network communications and data exchange;
       ``(K) system security that addresses the building of secure 
     systems from trusted and untrusted components;
       ``(L) monitoring and detection; and
       ``(M) resiliency and rapid recovery methods.''.
       (b) National Science Foundation Computer and Network 
     Security Grants.--Section 4(a)(3) of the Cyber Security 
     Research and Development Act (15 U.S.C. 7403(a)(3)) is 
     amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (c) Computer and Network Security Centers.--Section 4(b)(7) 
     of the Cyber Security Research and Development Act (15 U.S.C. 
     7403(b)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (d) Computer and Network Security Capacity Building 
     Grants.--Section 5(a)(6) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(a)(6)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (e) Scientific and Advanced Technology Act Grants.--Section 
     5(b)(2) of the Cyber Security Research and Development Act 
     (15 U.S.C. 7404(b)(2)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
       (f) Graduate Traineeships in Computer and Network Security 
     Research.--Section 5(c)(7) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7404(c)(7)) is amended--
       (1) in subparagraph (D), by striking ``and'';
       (2) in subparagraph (E), by striking ``2007.'' and 
     inserting ``2007;''; and
       (3) by adding at the end the following:
       ``(F) such funds from amounts made available under section 
     503 of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 4005), as the Director finds necessary to carry out the 
     requirements of this subsection for fiscal years 2012 through 
     2013.''.
                                 ______
                                 
  SA 2616. Mrs. SHAHEEN (for herself and Mr. Portman) submitted an 
amendment intended to be proposed by him to the bill S. 3414, to 
enhance the security and resiliency of the cyber and communications 
infrastructure of the United States; which was ordered to lie on the 
table; as follows:

       At the end of the bill, add the following:

       TITLE VIII--ENERGY SAVINGS AND INDUSTRIAL COMPETITIVENESS

     SEC. 801. SHORT TITLE.

       This title may be cited as the ``Energy Savings and 
     Industrial Competitiveness Act of 2012''.

                         Subtitle A--Buildings

                     PART I--BUILDING ENERGY CODES

     SEC. 811. GREATER ENERGY EFFICIENCY IN BUILDING CODES.

       (a) Definitions.--Section 303 of the Energy Conservation 
     and Production Act (42 U.S.C. 6832) is amended--
       (1) by striking paragraph (14) and inserting the following:
       ``(14) Model building energy code.--The term `model 
     building energy code' means a voluntary building energy code 
     and standards developed and updated through a consensus 
     process among interested persons, such as the IECC or the 
     code used by--
       ``(A) the Council of American Building Officials;
       ``(B) the American Society of Heating, Refrigerating, and 
     Air-Conditioning Engineers; or
       ``(C) other appropriate organizations.''; and
       (2) by adding at the end the following:
       ``(17) IECC.--The term `IECC' means the International 
     Energy Conservation Code.
       ``(18) Indian tribe.--The term `Indian tribe' has the 
     meaning given the term in section 4 of the Native American 
     Housing Assistance and Self-Determination Act of 1996 (25 
     U.S.C. 4103).''.
       (b) State Building Energy Efficiency Codes.--Section 304 of 
     the Energy Conservation and Production Act (42 U.S.C. 6833) 
     is amended to read as follows:

     ``SEC. 304. UPDATING STATE BUILDING ENERGY EFFICIENCY CODES.

       ``(a) In General.--The Secretary shall--
       ``(1) encourage and support the adoption of building energy 
     codes by States, Indian

[[Page 12525]]

     tribes, and, as appropriate, by local governments that meet 
     or exceed the model building energy codes, or achieve 
     equivalent or greater energy savings; and
       ``(2) support full compliance with the State and local 
     codes.
       ``(b) State and Indian Tribe Certification of Building 
     Energy Code Updates.--
       ``(1) Review and updating of codes by each state and indian 
     tribe.--
       ``(A) In general.--Not later than 2 years after the date on 
     which a model building energy code is updated, each State or 
     Indian tribe shall certify whether or not the State or Indian 
     tribe, respectively, has reviewed and updated the energy 
     provisions of the building code of the State or Indian tribe, 
     respectively.
       ``(B) Demonstration.--The certification shall include a 
     demonstration of whether or not the energy savings for the 
     code provisions that are in effect throughout the State or 
     Indian tribal territory meet or exceed--
       ``(i) the energy savings of the updated model building 
     energy code; or
       ``(ii) the targets established under section 307(b)(2).
       ``(C) No model building energy code update.--If a model 
     building energy code is not updated by a target date 
     established under section 307(b)(2)(D), each State or Indian 
     tribe shall, not later than 2 years after the specified date, 
     certify whether or not the State or Indian tribe, 
     respectively, has reviewed and updated the energy provisions 
     of the building code of the State or Indian tribe, 
     respectively, to meet or exceed the target in section 
     307(b)(2).
       ``(2) Validation by secretary.--Not later than 90 days 
     after a State or Indian tribe certification under paragraph 
     (1), the Secretary shall--
       ``(A) determine whether the code provisions of the State or 
     Indian tribe, respectively, meet the criteria specified in 
     paragraph (1); and
       ``(B) if the determination is positive, validate the 
     certification.
       ``(c) Improvements in Compliance With Building Energy 
     Codes.--
       ``(1) Requirement.--
       ``(A) In general.--Not later than 3 years after the date of 
     a certification under subsection (b), each State and Indian 
     tribe shall certify whether or not the State and Indian 
     tribe, respectively, has--
       ``(i) achieved full compliance under paragraph (3) with the 
     applicable certified State and Indian tribe building energy 
     code or with the associated model building energy code; or
       ``(ii) made significant progress under paragraph (4) toward 
     achieving compliance with the applicable certified State and 
     Indian tribe building energy code or with the associated 
     model building energy code.
       ``(B) Repeat certifications.--If the State or Indian tribe 
     certifies progress toward achieving compliance, the State or 
     Indian tribe shall repeat the certification until the State 
     or Indian tribe certifies that the State or Indian tribe has 
     achieved full compliance, respectively.
       ``(2) Measurement of compliance.--A certification under 
     paragraph (1) shall include documentation of the rate of 
     compliance based on--
       ``(A) independent inspections of a random sample of the 
     buildings covered by the code in the preceding year; or
       ``(B) an alternative method that yields an accurate measure 
     of compliance.
       ``(3) Achievement of compliance.--A State or Indian tribe 
     shall be considered to achieve full compliance under 
     paragraph (1) if--
       ``(A) at least 90 percent of building space covered by the 
     code in the preceding year substantially meets all the 
     requirements of the applicable code specified in paragraph 
     (1), or achieves equivalent or greater energy savings level; 
     or
       ``(B) the estimated excess energy use of buildings that did 
     not meet the applicable code specified in paragraph (1) in 
     the preceding year, compared to a baseline of comparable 
     buildings that meet this code, is not more than 5 percent of 
     the estimated energy use of all buildings covered by this 
     code during the preceding year.
       ``(4) Significant progress toward achievement of 
     compliance.--A State or Indian tribe shall be considered to 
     have made significant progress toward achieving compliance 
     for purposes of paragraph (1) if the State or Indian tribe--
       ``(A) has developed and is implementing a plan for 
     achieving compliance during the 8-year-period beginning on 
     the date of enactment of this paragraph, including annual 
     targets for compliance and active training and enforcement 
     programs; and
       ``(B) has met the most recent target under subparagraph 
     (A).
       ``(5) Validation by secretary.--Not later than 90 days 
     after a State or Indian tribe certification under paragraph 
     (1), the Secretary shall--
       ``(A) determine whether the State or Indian tribe has 
     demonstrated meeting the criteria of this subsection, 
     including accurate measurement of compliance; and
       ``(B) if the determination is positive, validate the 
     certification.
       ``(d) States or Indian Tribes That Do Not Achieve 
     Compliance.--
       ``(1) Reporting.--A State or Indian tribe that has not made 
     a certification required under subsection (b) or (c) by the 
     applicable deadline shall submit to the Secretary a report 
     on--
       ``(A) the status of the State or Indian tribe with respect 
     to meeting the requirements and submitting the certification; 
     and
       ``(B) a plan for meeting the requirements and submitting 
     the certification.
       ``(2) Federal support.--For any State or Indian tribe for 
     which the Secretary has not validated a certification by a 
     deadline under subsection (b) or (c), the lack of the 
     certification may be a consideration for Federal support 
     authorized under this section for code adoption and 
     compliance activities.
       ``(3) Local government.--In any State or Indian tribe for 
     which the Secretary has not validated a certification under 
     subsection (b) or (c), a local government may be eligible for 
     Federal support by meeting the certification requirements of 
     subsections (b) and (c).
       ``(4) Annual reports by secretary.--
       ``(A) In general.--The Secretary shall annually submit to 
     Congress, and publish in the Federal Register, a report on--
       ``(i) the status of model building energy codes;
       ``(ii) the status of code adoption and compliance in the 
     States and Indian tribes;
       ``(iii) implementation of this section; and
       ``(iv) improvements in energy savings over time as result 
     of the targets established under section 307(b)(2).
       ``(B) Impacts.--The report shall include estimates of 
     impacts of past action under this section, and potential 
     impacts of further action, on--
       ``(i) upfront financial and construction costs, cost 
     benefits and returns (using investment analysis), and 
     lifetime energy use for buildings;
       ``(ii) resulting energy costs to individuals and 
     businesses; and
       ``(iii) resulting overall annual building ownership and 
     operating costs.
       ``(e) Technical Assistance to States and Indian Tribes.--
     The Secretary shall provide technical assistance to States 
     and Indian tribes to implement the goals and requirements of 
     this section, including procedures and technical analysis for 
     States and Indian tribes--
       ``(1) to improve and implement State residential and 
     commercial building energy codes;
       ``(2) to demonstrate that the code provisions of the States 
     and Indian tribes achieve equivalent or greater energy 
     savings than the model building energy codes and targets;
       ``(3) to document the rate of compliance with a building 
     energy code; and
       ``(4) to otherwise promote the design and construction of 
     energy efficient buildings.
       ``(f) Availability of Incentive Funding.--
       ``(1) In general.--The Secretary shall provide incentive 
     funding to States and Indian tribes--
       ``(A) to implement the requirements of this section;
       ``(B) to improve and implement residential and commercial 
     building energy codes, including increasing and verifying 
     compliance with the codes and training of State, tribal, and 
     local building code officials to implement and enforce the 
     codes; and
       ``(C) to promote building energy efficiency through the use 
     of the codes.
       ``(2) Additional funding.--Additional funding shall be 
     provided under this subsection for implementation of a plan 
     to achieve and document full compliance with residential and 
     commercial building energy codes under subsection (c)--
       ``(A) to a State or Indian tribe for which the Secretary 
     has validated a certification under subsection (b) or (c); 
     and
       ``(B) in a State or Indian tribe that is not eligible under 
     subparagraph (A), to a local government that is eligible 
     under this section.
       ``(3) Training.--Of the amounts made available under this 
     subsection, the State may use amounts required, but not to 
     exceed $750,000 for a State, to train State and local 
     building code officials to implement and enforce codes 
     described in paragraph (2).
       ``(4) Local governments.--States may share grants under 
     this subsection with local governments that implement and 
     enforce the codes.
       ``(g) Stretch Codes and Advanced Standards.--
       ``(1) In general.--The Secretary shall provide technical 
     and financial support for the development of stretch codes 
     and advanced standards for residential and commercial 
     buildings for use as--
       ``(A) an option for adoption as a building energy code by 
     local, tribal, or State governments; and
       ``(B) guidelines for energy-efficient building design.
       ``(2) Targets.--The stretch codes and advanced standards 
     shall be designed--
       ``(A) to achieve substantial energy savings compared to the 
     model building energy codes; and
       ``(B) to meet targets under section 307(b), if available, 
     at least 3 to 6 years in advance of the target years.
       ``(h) Studies.--The Secretary, in consultation with 
     building science experts from the National Laboratories and 
     institutions of higher education, designers and builders of 
     energy-efficient residential and commercial buildings, code 
     officials, and other stakeholders, shall undertake a study of 
     the feasibility, impact, economics, and merit of--

[[Page 12526]]

       ``(1) code improvements that would require that buildings 
     be designed, sited, and constructed in a manner that makes 
     the buildings more adaptable in the future to become zero-
     net-energy after initial construction, as advances are 
     achieved in energy-saving technologies;
       ``(2) code procedures to incorporate measured lifetimes, 
     not just first-year energy use, in trade-offs and performance 
     calculations; and
       ``(3) legislative options for increasing energy savings 
     from building energy codes, including additional incentives 
     for effective State and local action, and verification of 
     compliance with and enforcement of a code other than by a 
     State or local government.
       ``(i) Effect on Other Laws.--Nothing in this section or 
     section 307 supersedes or modifies the application of 
     sections 321 through 346 of the Energy Policy and 
     Conservation Act (42 U.S.C. 6291 et seq.).
       ``(j) Authorization of Appropriations.--There are 
     authorized to be appropriated to carry out this section and 
     section 307 $200,000,000, to remain available until 
     expended.''.
       (c) Federal Building Energy Efficiency Standards.--Section 
     305 of the Energy Conservation and Production Act (42 U.S.C. 
     6834) is amended by striking ``voluntary building energy 
     code'' each place it appears in subsections (a)(2)(B) and (b) 
     and inserting ``model building energy code''.
       (d) Model Building Energy Codes.--Section 307 of the Energy 
     Conservation and Production Act (42 U.S.C. 6836) is amended 
     to read as follows:

     ``SEC. 307. SUPPORT FOR MODEL BUILDING ENERGY CODES.

       ``(a) In General.--The Secretary shall support the updating 
     of model building energy codes.
       ``(b) Targets.--
       ``(1) In general.--The Secretary shall support the updating 
     of the model building energy codes to enable the achievement 
     of aggregate energy savings targets established under 
     paragraph (2).
       ``(2) Targets.--
       ``(A) In general.--The Secretary shall work with State, 
     Indian tribes, local governments, nationally recognized code 
     and standards developers, and other interested parties to 
     support the updating of model building energy codes by 
     establishing 1 or more aggregate energy savings targets to 
     achieve the purposes of this section.
       ``(B) Separate targets.--The Secretary may establish 
     separate targets for commercial and residential buildings.
       ``(C) Baselines.--The baseline for updating model building 
     energy codes shall be the 2009 IECC for residential buildings 
     and ASHRAE Standard 90.1-2010 for commercial buildings.
       ``(D) Specific years.--
       ``(i) In general.--Targets for specific years shall be 
     established and revised by the Secretary through rulemaking 
     and coordinated with nationally recognized code and standards 
     developers at a level that--

       ``(I) is at the maximum level of energy efficiency that is 
     technologically feasible and life-cycle cost effective, while 
     accounting for the economic considerations under paragraph 
     (4);
       ``(II) is higher than the preceding target; and
       ``(III) promotes the achievement of commercial and 
     residential high-performance buildings through high 
     performance energy efficiency (within the meaning of section 
     401 of the Energy Independence and Security Act of 2007 (42 
     U.S.C. 17061)).

       ``(ii) Initial targets.--Not later than 1 year after the 
     date of enactment of this clause, the Secretary shall 
     establish initial targets under this subparagraph.
       ``(iii) Different target years.--Subject to clause (i), 
     prior to the applicable year, the Secretary may set a later 
     target year for any of the model building energy codes 
     described in subparagraph (A) if the Secretary determines 
     that a target cannot be met.
       ``(iv) Small business.--When establishing targets under 
     this paragraph through rulemaking, the Secretary shall ensure 
     compliance with the Small Business Regulatory Enforcement 
     Fairness Act of 1996 (5 U.S.C. 601 note; Public Law 104-121).
       ``(3) Appliance standards and other factors affecting 
     building energy use.--In establishing building code targets 
     under paragraph (2), the Secretary shall develop and adjust 
     the targets in recognition of potential savings and costs 
     relating to--
       ``(A) efficiency gains made in appliances, lighting, 
     windows, insulation, and building envelope sealing;
       ``(B) advancement of distributed generation and on-site 
     renewable power generation technologies;
       ``(C) equipment improvements for heating, cooling, and 
     ventilation systems;
       ``(D) building management systems and SmartGrid 
     technologies to reduce energy use; and
       ``(E) other technologies, practices, and building systems 
     that the Secretary considers appropriate regarding building 
     plug load and other energy uses.
       ``(4) Economic considerations.--In establishing and 
     revising building code targets under paragraph (2), the 
     Secretary shall consider the economic feasibility of 
     achieving the proposed targets established under this section 
     and the potential costs and savings for consumers and 
     building owners, including a return on investment analysis.
       ``(c) Technical Assistance to Model Building Energy Code-
     setting and Standard Development Organizations.--
       ``(1) In general.--The Secretary shall, on a timely basis, 
     provide technical assistance to model building energy code-
     setting and standard development organizations consistent 
     with the goals of this section.
       ``(2) Assistance.--The assistance shall include, as 
     requested by the organizations, technical assistance in--
       ``(A) evaluating code or standards proposals or revisions;
       ``(B) building energy analysis and design tools;
       ``(C) building demonstrations;
       ``(D) developing definitions of energy use intensity and 
     building types for use in model building energy codes to 
     evaluate the efficiency impacts of the model building energy 
     codes;
       ``(E) performance-based standards;
       ``(F) evaluating economic considerations under subsection 
     (b)(4); and
       ``(G) developing model building energy codes by Indian 
     tribes in accordance with tribal law.
       ``(3) Amendment proposals.--The Secretary may submit timely 
     model building energy code amendment proposals to the model 
     building energy code-setting and standard development 
     organizations, with supporting evidence, sufficient to enable 
     the model building energy codes to meet the targets 
     established under subsection (b)(2).
       ``(4) Analysis methodology.--The Secretary shall make 
     publicly available the entire calculation methodology 
     (including input assumptions and data) used by the Secretary 
     to estimate the energy savings of code or standard proposals 
     and revisions.
       ``(d) Determination.--
       ``(1) Revision of model building energy codes.--If the 
     provisions of the IECC or ASHRAE Standard 90.1 regarding 
     building energy use are revised, the Secretary shall make a 
     preliminary determination not later than 90 days after the 
     date of the revision, and a final determination not later 
     than 15 months after the date of the revision, on whether or 
     not the revision will--
       ``(A) improve energy efficiency in buildings compared to 
     the existing model building energy code; and
       ``(B) meet the applicable targets under subsection (b)(2).
       ``(2) Codes or standards not meeting targets.--
       ``(A) In general.--If the Secretary makes a preliminary 
     determination under paragraph (1)(B) that a code or standard 
     does not meet the targets established under subsection 
     (b)(2), the Secretary may at the same time provide the model 
     building energy code or standard developer with proposed 
     changes that would result in a model building energy code 
     that meets the targets and with supporting evidence, taking 
     into consideration--
       ``(i) whether the modified code is technically feasible and 
     life-cycle cost effective;
       ``(ii) available appliances, technologies, materials, and 
     construction practices; and
       ``(iii) the economic considerations under subsection 
     (b)(4).
       ``(B) Incorporation of changes.--
       ``(i) In general.--On receipt of the proposed changes, the 
     model building energy code or standard developer shall have 
     an additional 270 days to accept or reject the proposed 
     changes of the Secretary to the model building energy code or 
     standard for the Secretary to make a final determination.
       ``(ii) Final determination.--A final determination under 
     paragraph (1) shall be on the modified model building energy 
     code or standard.
       ``(e) Administration.--In carrying out this section, the 
     Secretary shall--
       ``(1) publish notice of targets and supporting analysis and 
     determinations under this section in the Federal Register to 
     provide an explanation of and the basis for such actions, 
     including any supporting modeling, data, assumptions, 
     protocols, and cost-benefit analysis, including return on 
     investment; and
       ``(2) provide an opportunity for public comment on targets 
     and supporting analysis and determinations under this 
     section.
       ``(f) Voluntary Codes and Standards.--Nothwithstanding any 
     other provision of this section, any model building code or 
     standard established under this section shall not be binding 
     on a State, local government, or Indian tribe as a matter of 
     Federal law.''.

             PART II--WORKER TRAINING AND CAPACITY BUILDING

     SEC. 821. BUILDING TRAINING AND ASSESSMENT CENTERS.

       (a) In General.--The Secretary of Energy shall provide 
     grants to institutions of higher education (as defined in 
     section 101 of the Higher Education Act of 1965 (20 U.S.C. 
     1001)) and Tribal Colleges or Universities (as defined in 
     section 316(b) of that Act (20 U.S.C. 1059c(b)) to establish 
     building training and assessment centers--
       (1) to identify opportunities for optimizing energy 
     efficiency and environmental performance in buildings;
       (2) to promote the application of emerging concepts and 
     technologies in commercial and institutional buildings;

[[Page 12527]]

       (3) to train engineers, architects, building scientists, 
     building energy permitting and enforcement officials, and 
     building technicians in energy-efficient design and 
     operation;
       (4) to assist institutions of higher education and Tribal 
     Colleges or Universities in training building technicians;
       (5) to promote research and development for the use of 
     alternative energy sources and distributed generation to 
     supply heat and power for buildings, particularly energy-
     intensive buildings; and
       (6) to coordinate with and assist State-accredited 
     technical training centers, community colleges, Tribal 
     Colleges or Universities, and local offices of the National 
     Institute of Food and Agriculture and ensure appropriate 
     services are provided under this section to each region of 
     the United States.
       (b) Coordination and Nonduplication.--
       (1) In general.--The Secretary shall coordinate the program 
     with the Industrial Assessment Centers program and with other 
     Federal programs to avoid duplication of effort.
       (2) Collocation.--To the maximum extent practicable, 
     building, training, and assessment centers established under 
     this section shall be collocated with Industrial Assessment 
     Centers.

                Subtitle B--Building Efficiency Finance

     SEC. 831. LOAN PROGRAM FOR ENERGY EFFICIENCY UPGRADES TO 
                   EXISTING BUILDINGS.

       Title XVII of the Energy Policy Act of 2005 (42 U.S.C. 
     16511 et seq.) is amended by adding at the end the following:

     ``SEC. 1706. BUILDING RETROFIT FINANCING PROGRAM.

       ``(a) Definitions.--In this section:
       ``(1) Credit support.--The term `credit support' means a 
     guarantee or commitment to issue a guarantee or other forms 
     of credit enhancement to ameliorate risks for efficiency 
     obligations.
       ``(2) Efficiency obligation.--The term `efficiency 
     obligation' means a debt or repayment obligation incurred in 
     connection with financing a project, or a portfolio of such 
     debt or payment obligations.
       ``(3) Project.--The term `project' means the installation 
     and implementation of efficiency, advanced metering, 
     distributed generation, or renewable energy technologies and 
     measures in a building (or in multiple buildings on a given 
     property) that are expected to increase the energy efficiency 
     of the building (including fixtures) in accordance with 
     criteria established by the Secretary.
       ``(b) Eligible Projects.--
       ``(1) In general.--Notwithstanding sections 1703 and 1705, 
     the Secretary may provide credit support under this section, 
     in accordance with section 1702.
       ``(2) Inclusions.--Buildings eligible for credit support 
     under this section include commercial, multifamily 
     residential, industrial, municipal, government, institution 
     of higher education, school, and hospital facilities that 
     satisfy criteria established by the Secretary.
       ``(c) Guidelines.--
       ``(1) In general.--Not later than 180 days after the date 
     of enactment of this section, the Secretary shall--
       ``(A) establish guidelines for credit support provided 
     under this section; and
       ``(B) publish the guidelines in the Federal Register; and
       ``(C) provide for an opportunity for public comment on the 
     guidelines.
       ``(2) Requirements.--The guidelines established by the 
     Secretary under this subsection shall include--
       ``(A) standards for assessing the energy savings that could 
     reasonably be expected to result from a project;
       ``(B) examples of financing mechanisms (and portfolios of 
     such financing mechanisms) that qualify as efficiency 
     obligations;
       ``(C) the threshold levels of energy savings that a 
     project, at the time of issuance of credit support, shall be 
     reasonably expected to achieve to be eligible for credit 
     support;
       ``(D) the eligibility criteria the Secretary determines to 
     be necessary for making credit support available under this 
     section; and
       ``(E) notwithstanding subsections (d)(3) and (g)(2)(B) of 
     section 1702, any lien priority requirements that the 
     Secretary determines to be necessary, in consultation with 
     the Director of the Office of Management and Budget, which 
     may include--
       ``(i) requirements to preserve priority lien status of 
     secured lenders and creditors in buildings eligible for 
     credit support;
       ``(ii) remedies available to the Secretary under chapter 
     176 of title 28, United States Code, in the event of default 
     on the efficiency obligation by the borrower; and
       ``(iii) measures to limit the exposure of the Secretary to 
     financial risk in the event of default, such as--

       ``(I) the collection of a credit subsidy fee from the 
     borrower as a loan loss reserve, taking into account the 
     limitation on credit support under subsection (d);
       ``(II) minimum debt-to-income levels of the borrower;
       ``(III) minimum levels of value relative to outstanding 
     mortgage or other debt on a building eligible for credit 
     support;
       ``(IV) allowable thresholds for the percent of the 
     efficiency obligation relative to the amount of any mortgage 
     or other debt on an eligible building;
       ``(V) analysis of historic and anticipated occupancy levels 
     and rental income of an eligible building;
       ``(VI) requirements of third-party contractors to guarantee 
     energy savings that will result from a retrofit project, and 
     whether financing on the efficiency obligation will amortize 
     from the energy savings;
       ``(VII) requirements that the retrofit project incorporate 
     protocols to measure and verify energy savings; and
       ``(VIII) recovery of payments equally by the Secretary and 
     the retrofit.

       ``(3) Efficiency obligations.--The financing mechanisms 
     qualified by the Secretary under paragraph (2)(B) may 
     include--
       ``(A) loans, including loans made by the Federal Financing 
     Bank;
       ``(B) power purchase agreements, including energy 
     efficiency power purchase agreements;
       ``(C) energy services agreements, including energy 
     performance contracts;
       ``(D) property assessed clean energy bonds and other tax 
     assessment-based financing mechanisms;
       ``(E) aggregate on-meter agreements that finance retrofit 
     projects; and
       ``(F) any other efficiency obligations the Secretary 
     determines to be appropriate.
       ``(4) Priorities.--In carrying out this section, the 
     Secretary shall prioritize--
       ``(A) the maximization of energy savings with the available 
     credit support funding;
       ``(B) the establishment of a clear application and approval 
     process that allows private building owners, lenders, and 
     investors to reasonably expect to receive credit support for 
     projects that conform to guidelines;
       ``(C) the distribution of projects receiving credit support 
     under this section across States or geographical regions of 
     the United States; and
       ``(D) projects designed to achieve whole-building 
     retrofits.
       ``(d) Limitation.--Notwithstanding section 1702(c), the 
     Secretary shall not issue credit support under this section 
     in an amount that exceeds--
       ``(1) 90 percent of the principal amount of the efficiency 
     obligation that is the subject of the credit support; or
       ``(2) $10,000,000 for any single project.
       ``(e) Aggregation of Projects.--To the extent provided in 
     the guidelines developed in accordance with subsection (c), 
     the Secretary may issue credit support on a portfolio, or 
     pool of projects, that are not required to be geographically 
     contiguous, if each efficiency obligation in the pool 
     fulfills the requirements described in this section.
       ``(f) Application.--
       ``(1) In general.--To be eligible to receive credit support 
     under this section, the applicant shall submit to the 
     Secretary an application at such time, in such manner, and 
     containing such information as the Secretary determines to be 
     necessary.
       ``(2) Contents.--An application submitted under this 
     section shall include assurances by the applicant that--
       ``(A) each contractor carrying out the project meets 
     minimum experience level criteria, including local retrofit 
     experience, as determined by the Secretary;
       ``(B) the project is reasonably expected to achieve energy 
     savings, as set forth in the application using any 
     methodology that meets the standards described in the program 
     guidelines;
       ``(C) the project meets any technical criteria described in 
     the program guidelines;
       ``(D) the recipient of the credit support and the parties 
     to the efficiency obligation will provide the Secretary 
     with--
       ``(i) any information the Secretary requests to assess the 
     energy savings that result from the project, including 
     historical energy usage data, a simulation-based benchmark, 
     and detailed descriptions of the building work, as described 
     in the program guidelines; and
       ``(ii) permission to access information relating to 
     building operations and usage for the period described in the 
     program guidelines; and
       ``(E) any other assurances that the Secretary determines to 
     be necessary.
       ``(3) Determination.--Not later than 90 days after 
     receiving an application, the Secretary shall make a final 
     determination on the application, which may include requests 
     for additional information.
       ``(g) Fees.--
       ``(1) In general.--In addition to the fees required by 
     section 1702(h)(1), the Secretary may charge reasonable fees 
     for credit support provided under this section.
       ``(2) Availability.--Fees collected under this section 
     shall be subject to section 1702(h)(2).
       ``(h) Underwriting.--The Secretary may delegate the 
     underwriting activities under this section to 1 or more 
     entities that the Secretary determines to be qualified.
       ``(i) Report.--Not later than 1 year after commencement of 
     the program, the Secretary shall submit to the appropriate 
     committees of Congress a report that describes in reasonable 
     detail--
       ``(1) the manner in which this section is being carried 
     out;
       ``(2) the number and type of projects supported;

[[Page 12528]]

       ``(3) the types of funding mechanisms used to provide 
     credit support to projects;
       ``(4) the energy savings expected to result from projects 
     supported by this section;
       ``(5) any tracking efforts the Secretary is using to 
     calculate the actual energy savings produced by the projects; 
     and
       ``(6) any plans to improve the tracking efforts described 
     in paragraph (5).
       ``(j) Funding.--
       ``(1) Authorization of appropriations.--There is authorized 
     to be appropriated to the Secretary to carry out this section 
     $400,000,000 for the period of fiscal years 2012 through 
     2021, to remain available until expended.
       ``(2) Administrative costs.--Not more than 1 percent of any 
     amounts made available to the Secretary under paragraph (1) 
     may be used by the Secretary for administrative costs 
     incurred in carrying out this section.''.

         Subtitle C--Industrial Efficiency and Competitiveness

                PART I--MANUFACTURING ENERGY EFFICIENCY

     SEC. 841. STATE PARTNERSHIP INDUSTRIAL ENERGY EFFICIENCY 
                   REVOLVING LOAN PROGRAM.

       Section 399A of the Energy Policy and Conservation Act (42 
     U.S.C. 6371h-1) is amended--
       (1) in the section heading, by inserting ``AND INDUSTRY'' 
     before the period at the end;
       (2) by redesignating subsections (h) and (i) as subsections 
     (i) and (j), respectively; and
       (3) by inserting after subsection (g) the following:
       ``(h) State Partnership Industrial Energy Efficiency 
     Revolving Loan Program.--
       ``(1) In general.--The Secretary shall carry out a program 
     under which the Secretary shall provide grants to eligible 
     lenders to pay the Federal share of creating a revolving loan 
     program under which loans are provided to commercial and 
     industrial manufacturers to implement commercially available 
     technologies or processes that significantly--
       ``(A) reduce systems energy intensity, including the use of 
     energy-intensive feedstocks; and
       ``(B) improve the industrial competitiveness of the United 
     States.
       ``(2) Eligible lenders.--To be eligible to receive cost-
     matched Federal funds under this subsection, a lender shall--
       ``(A) be a community and economic development lender that 
     the Secretary certifies meets the requirements of this 
     subsection;
       ``(B) lead a partnership that includes participation by, at 
     a minimum--
       ``(i) a State government agency; and
       ``(ii) a private financial institution or other provider of 
     loan capital;
       ``(C) submit an application to the Secretary, and receive 
     the approval of the Secretary, for cost-matched Federal funds 
     to carry out a loan program described in paragraph (1); and
       ``(D) ensure that non-Federal funds are provided to match, 
     on at least a dollar-for-dollar basis, the amount of Federal 
     funds that are provided to carry out a revolving loan program 
     described in paragraph (1).
       ``(3) Award.--The amount of cost-matched Federal funds 
     provided to an eligible lender shall not exceed $100,000,000 
     for any fiscal year.
       ``(4) Recapture of awards.--
       ``(A) In general.--An eligible lender that receives an 
     award under paragraph (1) shall be required to repay to the 
     Secretary an amount of cost-match Federal funds, as 
     determined by the Secretary under subparagraph (B), if the 
     eligible lender is unable or unwilling to operate a program 
     described in this subsection for a period of not less than 10 
     years beginning on the date on which the eligible lender 
     first receives funds made available through the award.
       ``(B) Determination by secretary.--The Secretary shall 
     determine the amount of cost-match Federal funds that an 
     eligible lender shall be required to repay to the Secretary 
     under subparagraph (A) based on the consideration by the 
     Secretary of--
       ``(i) the amount of non-Federal funds matched by the 
     eligible lender;
       ``(ii) the amount of loan losses incurred by the revolving 
     loan program described in paragraph (1); and
       ``(iii) any other appropriate factor, as determined by the 
     Secretary.
       ``(C) Use of recaptured cost-match federal funds.--The 
     Secretary may distribute to eligible lenders under this 
     subsection each amount received by the Secretary under this 
     paragraph.
       ``(5) Eligible projects.--A program for which cost-matched 
     Federal funds are provided under this subsection shall be 
     designed to accelerate the implementation of industrial and 
     commercial applications of technologies or processes 
     (including distributed generation, applications or 
     technologies that use sensors, meters, software, and 
     information networks, controls, and drives or that have been 
     installed pursuant to an energy savings performance contract, 
     project, or strategy) that--
       ``(A) improve energy efficiency, including improvements in 
     efficiency and use of water, power factor, or load 
     management;
       ``(B) enhance the industrial competitiveness of the United 
     States; and
       ``(C) achieve such other goals as the Secretary determines 
     to be appropriate.
       ``(6) Evaluation.--The Secretary shall evaluate 
     applications for cost-matched Federal funds under this 
     subsection on the basis of--
       ``(A) the description of the program to be carried out with 
     the cost-matched Federal funds;
       ``(B) the commitment to provide non-Federal funds in 
     accordance with paragraph (2)(D);
       ``(C) program sustainability over a 10-year period;
       ``(D) the capability of the applicant;
       ``(E) the quantity of energy savings or energy feedstock 
     minimization;
       ``(F) the advancement of the goal under this Act of 25-
     percent energy avoidance;
       ``(G) the ability to fund energy efficient projects not 
     later than 120 days after the date of the grant award; and
       ``(H) such other factors as the Secretary determines 
     appropriate.
       ``(7) Authorization of appropriations.--There are 
     authorized to be appropriated to carry out this subsection, 
     $400,000,000 for the period of fiscal years 2012 through 
     2021.''.

     SEC. 842. COORDINATION OF RESEARCH AND DEVELOPMENT OF ENERGY 
                   EFFICIENT TECHNOLOGIES FOR INDUSTRY.

       (a) In General.--As part of the research and development 
     activities of the Industrial Technologies Program of the 
     Department of Energy, the Secretary shall establish, as 
     appropriate, collaborative research and development 
     partnerships with other programs within the Office of Energy 
     Efficiency and Renewable Energy (including the Building 
     Technologies Program), the Office of Electricity Delivery and 
     Energy Reliability, and the Office of Science that--
       (1) leverage the research and development expertise of 
     those programs to promote early stage energy efficiency 
     technology development;
       (2) support the use of innovative manufacturing processes 
     and applied research for development, demonstration, and 
     commercialization of new technologies and processes to 
     improve efficiency (including improvements in efficient use 
     of water), reduce emissions, reduce industrial waste, and 
     improve industrial cost-competitiveness; and
       (3) apply the knowledge and expertise of the Industrial 
     Technologies Program to help achieve the program goals of the 
     other programs.
       (b) Reports.--Not later than 2 years after the date of 
     enactment of this Act and biennially thereafter, the 
     Secretary shall submit to Congress a report that describes 
     actions taken to carry out subsection (a) and the results of 
     those actions.

     SEC. 843. REDUCING BARRIERS TO THE DEPLOYMENT OF INDUSTRIAL 
                   ENERGY EFFICIENCY.

       (a) Definitions.--In this section:
       (1) Industrial energy efficiency.--The term ``industrial 
     energy efficiency'' means the energy efficiency derived from 
     commercial technologies and measures to improve energy 
     efficiency or to generate or transmit electric power and 
     heat, including electric motor efficiency improvements, 
     demand response, direct or indirect combined heat and power, 
     and waste heat recovery.
       (2) Industrial sector.--The term ``industrial sector'' 
     means any subsector of the manufacturing sector (as defined 
     in North American Industry Classification System codes 31-33 
     (as in effect on the date of enactment of this Act)) 
     establishments of which have, or could have, thermal host 
     facilities with electricity requirements met in whole, or in 
     part, by onsite electricity generation, including direct and 
     indirect combined heat and power or waste recovery.
       (3) Secretary.--The term ``Secretary'' means the Secretary 
     of Energy.
       (b) Report on the Deployment of Industrial Energy 
     Efficiency.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary shall submit to the 
     Committee on Energy and Commerce of the House of 
     Representatives and the Committee on Energy and Natural 
     Resources of the Senate a report describing--
       (A) the results of the study conducted under paragraph (2); 
     and
       (B) recommendations and guidance developed under paragraph 
     (3).
       (2) Study.--The Secretary, in coordination with the 
     industrial sector, shall conduct a study of the following:
       (A) The legal, regulatory, and economic barriers to the 
     deployment of industrial energy efficiency in all electricity 
     markets (including organized wholesale electricity markets, 
     and regulated electricity markets), including, as applicable, 
     the following:
       (i) Transmission and distribution interconnection 
     requirements.
       (ii) Standby, back-up, and maintenance fees (including 
     demand ratchets).
       (iii) Exit fees.
       (iv) Life of contract demand ratchets.
       (v) Net metering.
       (vi) Calculation of avoided cost rates.
       (vii) Power purchase agreements.
       (viii) Energy market structures.
       (ix) Capacity market structures.

[[Page 12529]]

       (x) Other barriers as may be identified by the Secretary, 
     in coordination with the industrial sector.
       (B) Examples of --
       (i) successful State and Federal policies that resulted in 
     greater use of industrial energy efficiency;
       (ii) successful private initiatives that resulted in 
     greater use of industrial energy efficiency; and
       (iii) cost-effective policies used by foreign countries to 
     foster industrial energy efficiency.
       (C) The estimated economic benefits to the national economy 
     of providing the industrial sector with Federal energy 
     efficiency matching grants of $5,000,000,000 for 5- and 10-
     year periods, including benefits relating to--
       (i) estimated energy and emission reductions;
       (ii) direct and indirect jobs saved or created;
       (iii) direct and indirect capital investment;
       (iv) the gross domestic product; and
       (v) trade balance impacts.
       (D) The estimated energy savings available from increased 
     use of recycled material in energy-intensive manufacturing 
     processes.
       (3) Recommendations and guidance.--The Secretary, in 
     coordination with the industrial sector, shall develop policy 
     recommendations regarding the deployment of industrial energy 
     efficiency, including proposed regulatory guidance to States 
     and relevant Federal agencies to address barriers to 
     deployment.

     SEC. 844. FUTURE OF INDUSTRY PROGRAM.

       (a) In General.--Section 452 of the Energy Independence and 
     Security Act of 2007 (42 U.S.C. 17111) is amended by striking 
     the section heading and inserting the following: ``FUTURE OF 
     INDUSTRY PROGRAM''.
       (b) Definition of Energy Service Provider.--Section 452(a) 
     of the Energy Independence and Security Act of 2007 (42 
     U.S.C. 17111(a)) is amended--
       (1) by redesignating paragraphs (3) through (5) as 
     paragraphs (4) through (6), respectively; and
       (2) by inserting after paragraph (3):
       ``(5) Energy service provider.--The term `energy service 
     provider' means any private company or similar entity 
     providing technology or services to improve energy efficiency 
     in an energy-intensive industry.''.
       (c) Industrial Research and Assessment Centers.--
       (1) In general.--Section 452(e) of the Energy Independence 
     and Security Act of 2007 (42 U.S.C. 17111(e)) is amended--
       (A) by redesignating paragraphs (1) through (5) as 
     subparagraphs (A) through (E), respectively, and indenting 
     appropriately;
       (B) by striking ``The Secretary'' and inserting the 
     following:
       ``(1) In general.--The Secretary'';
       (C) in subparagraph (A) (as redesignated by subparagraph 
     (A)), by inserting before the semicolon at the end the 
     following: ``, including assessments of sustainable 
     manufacturing goals and the implementation of information 
     technology advancements for supply chain analysis, logistics, 
     system monitoring, industrial and manufacturing processes, 
     and other purposes''; and
       (D) by adding at the end the following:
       ``(2) Centers of excellence.--
       ``(A) In general.--The Secretary shall establish a Center 
     of Excellence at up to 10 of the highest performing 
     industrial research and assessment centers, as determined by 
     the Secretary.
       ``(B) Duties.--A Center of Excellence shall coordinate with 
     and advise the industrial research and assessment centers 
     located in the region of the Center of Excellence.
       ``(C) Funding.--Subject to the availability of 
     appropriations, of the funds made available under subsection 
     (f), the Secretary shall use to support each Center of 
     Excellence not less than $500,000 for fiscal year 2012 and 
     each fiscal year thereafter, as determined by the Secretary.
       ``(3) Expansion of centers.--The Secretary shall provide 
     funding to establish additional industrial research and 
     assessment centers at institutions of higher education that 
     do not have industrial research and assessment centers 
     established under paragraph (1), taking into account the size 
     of, and potential energy efficiency savings for, the 
     manufacturing base within the region of the proposed center.
       ``(4) Coordination.--
       ``(A) In general.--To increase the value and capabilities 
     of the industrial research and assessment centers, the 
     centers shall--
       ``(i) coordinate with Manufacturing Extension Partnership 
     Centers of the National Institute of Standards and 
     Technology;
       ``(ii) coordinate with the Building Technologies Program of 
     the Department of Energy to provide building assessment 
     services to manufacturers;
       ``(iii) increase partnerships with the National 
     Laboratories of the Department of Energy to leverage the 
     expertise and technologies of the National Laboratories for 
     national industrial and manufacturing needs;
       ``(iv) increase partnerships with energy service providers 
     and technology providers to leverage private sector expertise 
     and accelerate deployment of new and existing technologies 
     and processes for energy efficiency, power factor, and load 
     management;
       ``(v) identify opportunities for reducing greenhouse gas 
     emissions; and
       ``(vi) promote sustainable manufacturing practices for 
     small- and medium-sized manufacturers.
       ``(5) Outreach.--The Secretary shall provide funding for--
       ``(A) outreach activities by the industrial research and 
     assessment centers to inform small- and medium-sized 
     manufacturers of the information, technologies, and services 
     available; and
       ``(B) a full-time equivalent employee at each center of 
     excellence whose primary mission shall be to coordinate and 
     leverage the efforts of the center with--
       ``(i) Federal and State efforts;
       ``(ii) the efforts of utilities and energy service 
     providers;
       ``(iii) the efforts of regional energy efficiency 
     organizations; and
       ``(iv) the efforts of other centers in the region of the 
     center of excellence.
       ``(6) Workforce training.--
       ``(A) In general.--The Secretary shall pay the Federal 
     share of associated internship programs under which students 
     work with or for industries, manufacturers, and energy 
     service providers to implement the recommendations of 
     industrial research and assessment centers.
       ``(B) Federal share.--The Federal share of the cost of 
     carrying out internship programs described in subparagraph 
     (A) shall be 50 percent.
       ``(C) Funding.--Subject to the availability of 
     appropriations, of the funds made available under subsection 
     (f), the Secretary shall use to carry out this paragraph not 
     less than $5,000,000 for fiscal year 2012 and each fiscal 
     year thereafter.
       ``(7) Small business loans.--The Administrator of the Small 
     Business Administration shall, to the maximum practicable, 
     expedite consideration of applications from eligible small 
     business concerns for loans under the Small Business Act (15 
     U.S.C. 631 et seq.) to implement recommendations of 
     industrial research and assessment centers established under 
     paragraph (1).''.

     SEC. 845. SUSTAINABLE MANUFACTURING INITIATIVE.

       (a) In General.--Part E of title III of the Energy Policy 
     and Conservation Act (42 U.S.C. 6341) is amended by adding at 
     the end the following:

     ``SEC. 376. SUSTAINABLE MANUFACTURING INITIATIVE.

       ``(a) In General.--As part of the Industrial Technologies 
     Program of the Department of Energy, the Secretary shall 
     carry out a sustainable manufacturing initiative under which 
     the Secretary, on the request of a manufacturer, shall 
     conduct onsite technical assessments to identify 
     opportunities for--
       ``(1) maximizing the energy efficiency of industrial 
     processes and cross-cutting systems;
       ``(2) preventing pollution and minimizing waste;
       ``(3) improving efficient use of water in manufacturing 
     processes;
       ``(4) conserving natural resources; and
       ``(5) achieving such other goals as the Secretary 
     determines to be appropriate.
       ``(b) Coordination.--The Secretary shall carry out the 
     initiative in coordination with the private sector and 
     appropriate agencies, including the National Institute of 
     Standards and Technology to accelerate adoption of new and 
     existing technologies or processes that improve energy 
     efficiency.
       ``(c) Research and Development Program for Sustainable 
     Manufacturing and Industrial Technologies and Processes.--As 
     part of the Industrial Technologies Program of the Department 
     of Energy, the Secretary shall carry out a joint industry-
     government partnership program to research, develop, and 
     demonstrate new sustainable manufacturing and industrial 
     technologies and processes that maximize the energy 
     efficiency of industrial systems, reduce pollution, and 
     conserve natural resources.
       ``(d) Authorization of Appropriations.--There is authorized 
     to be to carry out this section $10,000,000 for the period of 
     fiscal years 2012 through 2021.''.
       (b) Table of Contents.--The table of contents of the Energy 
     Policy and Conservation Act (42 U.S.C. prec. 6201) is amended 
     by adding at the end of the items relating to part E of title 
     III the following:

``Sec. 376. Sustainable manufacturing initiative.''.

     SEC. 846. STUDY OF ADVANCED ENERGY TECHNOLOGY MANUFACTURING 
                   CAPABILITIES IN THE UNITED STATES.

       (a) In General.--Not later than 60 days after the date of 
     enactment of this Act, the Secretary shall enter into an 
     arrangement with the National Academy of Sciences under which 
     the Academy shall conduct a study of the development of 
     advanced manufacturing capabilities for various energy 
     technologies, including--
       (1) an assessment of the manufacturing supply chains of 
     established and emerging industries;
       (2) an analysis of--
       (A) the manner in which supply chains have changed over the 
     25-year period ending on the date of enactment of this Act;
       (B) current trends in supply chains; and
       (C) the energy intensity of each part of the supply chain 
     and opportunities for improvement;

[[Page 12530]]

       (3) for each technology or manufacturing sector, an 
     analysis of which sections of the supply chain are critical 
     for the United States to retain or develop to be competitive 
     in the manufacturing of the technology;
       (4) an assessment of which emerging energy technologies the 
     United States should focus on to create or enhance 
     manufacturing capabilities; and
       (5) recommendations on leveraging the expertise of energy 
     efficiency and renewable energy user facilities so that best 
     materials and manufacturing practices are designed and 
     implemented.
       (b) Report.--Not later than 2 years after the date on which 
     the Secretary enters into the agreement with the Academy 
     described in subsection (a), the Academy shall submit to the 
     Committee on Energy and Natural Resources of the Senate, the 
     Committee on Energy and Commerce of the House of 
     Representatives, and the Secretary a report describing the 
     results of the study required under this section, including 
     any findings and recommendations.

     SEC. 847. INDUSTRIAL TECHNOLOGIES STEERING COMMITTEE.

       The Secretary shall establish an advisory steering 
     committee that includes national trade associations 
     representing energy-intensive industries or energy service 
     providers to provide recommendations to the Secretary on 
     planning and implementation of the Industrial Technologies 
     Program of the Department of Energy.

                          PART II--SUPPLY STAR

     SEC. 851. SUPPLY STAR.

       Part B of title III of the Energy Policy and Conservation 
     Act (42 U.S.C. 6291) is amended by inserting after section 
     324A (42 U.S.C. 6294a) the following:

     ``SEC. 324B. SUPPLY STAR PROGRAM.

       ``(a) In General.--There is established within the 
     Department of Energy a Supply Star program to identify and 
     promote practices, recognize companies, and, as appropriate, 
     recognize products that use highly efficient supply chains in 
     a manner that conserves energy, water, and other resources.
       ``(b) Coordination.--In carrying out the program described 
     in subsection (a), the Secretary shall--
       ``(1) consult with other appropriate agencies; and
       ``(2) coordinate efforts with the Energy Star program 
     established under section 324A.
       ``(c) Duties.--In carrying out the Supply Star program 
     described in subsection (a), the Secretary shall--
       ``(1) promote practices, recognize companies, and, as 
     appropriate, recognize products that comply with the Supply 
     Star program as the preferred practices, companies, and 
     products in the marketplace for maximizing supply chain 
     efficiency;
       ``(2) work to enhance industry and public awareness of the 
     Supply Star program;
       ``(3) collect and disseminate data on supply chain energy 
     resource consumption;
       ``(4) develop and disseminate metrics, processes, and 
     analytical tools (including software) for evaluating supply 
     chain energy resource use;
       ``(5) develop guidance at the sector level for improving 
     supply chain efficiency;
       ``(6) work with domestic and international organizations to 
     harmonize approaches to analyzing supply chain efficiency, 
     including the development of a consistent set of tools, 
     templates, calculators, and databases; and
       ``(7) work with industry, including small businesses, to 
     improve supply chain efficiency through activities that 
     include--
       ``(A) developing and sharing best practices; and
       ``(B) providing opportunities to benchmark supply chain 
     efficiency.
       ``(d) Evaluation.--In any evaluation of supply chain 
     efficiency carried out by the Secretary with respect to a 
     specific product, the Secretary shall consider energy 
     consumption and resource use throughout the entire lifecycle 
     of a product, including production, transport, packaging, 
     use, and disposal.
       ``(e) Grants and Incentives.--
       ``(1) In general.--The Secretary may award grants or other 
     forms of incentives on a competitive basis to eligible 
     entities, as determined by the Secretary, for the purposes 
     of--
       ``(A) studying supply chain energy resource efficiency; and
       ``(B) demonstrating and achieving reductions in the energy 
     resource consumption of commercial products through changes 
     and improvements to the production supply and distribution 
     chain of the products.
       ``(2) Use of information.--Any information or data 
     generated as a result of the grants or incentives described 
     in paragraph (1) shall be used to inform the development of 
     the Supply Star Program.
       ``(f) Training.--The Secretary shall use funds to support 
     professional training programs to develop and communicate 
     methods, practices, and tools for improving supply chain 
     efficiency.
       ``(g) Effect of Impact on Climate Change.--For purposes of 
     this section, the impact on climate change shall not be a 
     factor in determining supply chain efficiency.
       ``(h) Effect of Outsourcing of American Jobs.--For purposes 
     of this section, the outsourcing of American jobs in the 
     production of a product shall not count as a positive factor 
     in determining supply chain efficiency.
       ``(i) Authorization of Appropriations.--There are 
     authorized to be appropriated to carry out this section 
     $10,000,000 for the period of fiscal years 2012 through 
     2021.''.

                PART III--ELECTRIC MOTOR REBATE PROGRAM

     SEC. 861. ENERGY SAVING MOTOR CONTROL REBATE PROGRAM.

       (a) Establishment.--Not later than January 1, 2012, the 
     Secretary of Energy (referred to in this section as the 
     ``Secretary'') shall establish a program to provide rebates 
     for expenditures made by entities for the purchase and 
     installation of a new constant speed electric motor control 
     that reduces motor energy use by not less than 5 percent.
       (b) Requirements.--
       (1) Application.--To be eligible to receive a rebate under 
     this section, an entity shall submit to the Secretary an 
     application in such form, at such time, and containing such 
     information as the Secretary may require, including--
       (A) demonstrated evidence that the entity purchased a 
     constant speed electric motor control that reduces motor 
     energy use by not less than 5 percent; and
       (B) the physical nameplate of the installed motor of the 
     entity to which the energy saving motor control is attached.
       (2) Authorized amount of rebate.--The Secretary may provide 
     to an entity that meets the requirements of paragraph (1) a 
     rebate the amount of which shall be equal to the product 
     obtained by multiplying--
       (A) the nameplate horsepower of the electric motor to which 
     the energy saving motor control is attached; and
       (B) $25.
       (c) Authorization of Appropriations.--There is authorized 
     to be appropriated to carry out this section $5,000,000 for 
     each of fiscal years 2012 and 2013, to remain available until 
     expended.

                  PART IV--TRANSFORMER REBATE PROGRAM

     SEC. 871. ENERGY EFFICIENT TRANSFORMER REBATE PROGRAM.

       (a) Definition of Qualified Transformer.--In this section, 
     the term ``qualified transformer'' means a transformer that 
     meets or exceeds the National Electrical Manufacturers 
     Association (NEMA) Premium Efficiency designation, calculated 
     to 2 decimal points, as having 30 percent fewer losses than 
     the NEMA TP-1-2002 efficiency standard for a transformer of 
     the same number of phases and capacity, as measured in 
     kilovolt-amperes.
       (b) Establishment.--Not later than January 1, 2012, the 
     Secretary of Energy (referred to in this section as the 
     ``Secretary'') shall establish a program to provide rebates 
     for expenditures made by owners of commercial buildings and 
     multifamily residential buildings for the purchase and 
     installation of a new energy efficient transformers.
       (c) Requirements.--
       (1) Application.--To be eligible to receive a rebate under 
     this section, an owner shall submit to the Secretary an 
     application in such form, at such time, and containing such 
     information as the Secretary may require, including 
     demonstrated evidence that the owner purchased a qualified 
     transformer.
       (2) Authorized amount of rebate.--For qualified 
     transformers, rebates, in dollars per kilovolt-ampere 
     (referred to in this paragraph as ``kVA'') shall be--
       (A) for 3-phase transformers--
       (i) with a capacity of not greater than 10 kVA, $15;
       (ii) with a capacity of not less than 10 kVA and not 
     greater than 100 kVA, the difference between 15 and the 
     quotient obtained by dividing--

       (I) the difference between--

       (aa) the capacity of the transformer in kVA; and
       (bb) 10; by

       (II) 9; and

       (iii) with a capacity greater than or equal to 100 kVA, $5; 
     and
       (B) for single-phase transformers, 75 percent of the rebate 
     for a 3-phase transformer of the same capacity.
       (d) Authorization of Appropriations.--There is authorized 
     to be appropriated to carry out this section $5,000,000 for 
     each of fiscal years 2012 and 2013, to remain available until 
     expended.

              Subtitle D--Federal Agency Energy Efficiency

     SEC. 881. ADOPTION OF PERSONAL COMPUTER POWER SAVINGS 
                   TECHNIQUES BY FEDERAL AGENCIES.

       (a) In General.--Not later than 360 days after the date of 
     enactment of this Act, the Secretary of Energy, in 
     consultation with the Secretary of Defense, the Secretary of 
     Veterans Affairs, and the Administrator of General Services, 
     shall issue guidance for Federal agencies to employ advanced 
     tools allowing energy savings through the use of computer 
     hardware, energy efficiency software, and power management 
     tools.
       (b) Reports on Plans and Savings.--Not later than 180 days 
     after the date of the issuance of the guidance under 
     subsection (a), each Federal agency shall submit to the 
     Secretary of Energy a report that describes--
       (1) the plan of the agency for implementing the guidance 
     within the agency; and
       (2) estimated energy and financial savings from employing 
     the tools described in subsection (a).

[[Page 12531]]



     SEC. 882. AVAILABILITY OF FUNDS FOR DESIGN UPDATES.

       Section 3307 of title 40, United States Code, is amended--
       (1) by redesignating subsections (d) through (h) as 
     subsections (e) through (i), respectively; and
       (2) by inserting after subsection (c) the following:
       ``(d) Availability of Funds for Design Updates.--
       ``(1) In general.--Subject to paragraph (2), for any 
     project for which congressional approval is received under 
     subsection (a) and for which the design has been 
     substantially completed but construction has not begun, the 
     Administrator of General Services may use appropriated funds 
     to update the project design to meet applicable Federal 
     building energy efficiency standards established under 
     section 305 of the Energy Conservation and Production Act (42 
     U.S.C. 6834) and other requirements established under section 
     3312.
       ``(2) Limitation.--The use of funds under paragraph (1) 
     shall not exceed 125 percent of the estimated energy or other 
     cost savings associated with the updates as determined by a 
     life-cycle cost analysis under section 544 of the National 
     Energy Conservation Policy Act (42 U.S.C. 8254).''.

     SEC. 883. BEST PRACTICES FOR ADVANCED METERING.

       Section 543(e) of the National Energy Conservation Policy 
     Act (42 U.S.C. 8253(e) is amended by striking paragraph (3) 
     and inserting the following:
       ``(3) Plan.--
       ``(A) In general.--Not later than 180 days after the date 
     on which guidelines are established under paragraph (2), in a 
     report submitted by the agency under section 548(a), each 
     agency shall submit to the Secretary a plan describing the 
     manner in which the agency will implement the requirements of 
     paragraph (1), including--
       ``(i) how the agency will designate personnel primarily 
     responsible for achieving the requirements; and
       ``(ii) a demonstration by the agency, complete with 
     documentation, of any finding that advanced meters or 
     advanced metering devices (as those terms are used in 
     paragraph (1)), are not practicable.
       ``(B) Updates.--Reports submitted under subparagraph (A) 
     shall be updated annually.
       ``(4) Best practices report.--
       ``(A) In general.--Not later than 180 days after the date 
     of enactment of the Energy Savings and Industrial 
     Competitiveness Act of 2012, the Secretary of Energy, in 
     consultation with the Secretary of Defense and the 
     Administrator of General Services, shall develop, and issue a 
     report on, best practices for the use of advanced metering of 
     energy use in Federal facilities, buildings, and equipment by 
     Federal agencies.
       ``(B) Updating.--The report described under subparagraph 
     (A) shall be updated annually.
       ``(C) Components.--The report shall include, at a minimum--
       ``(i) summaries and analysis of the reports by agencies 
     under paragraph (3);
       ``(ii) recommendations on standard requirements or 
     guidelines for automated energy management systems, 
     including--

       ``(I) potential common communications standards to allow 
     data sharing and reporting;
       ``(II) means of facilitating continuous commissioning of 
     buildings and evidence-based maintenance of buildings and 
     building systems; and
       ``(III) standards for sufficient levels of security and 
     protection against cyber threats to ensure systems cannot be 
     controlled by unauthorized persons; and

       ``(iii) an analysis of--

       ``(I) the types of advanced metering and monitoring systems 
     being piloted, tested, or installed in Federal buildings; and
       ``(II) existing techniques used within the private sector 
     or other non-Federal government buildings.''.

     SEC. 884. FEDERAL ENERGY MANAGEMENT AND DATA COLLECTION 
                   STANDARD.

       Section 543 of the National Energy Conservation Policy Act 
     (42 U.S.C. 8253) is amended--
       (1) by redesignating the second subsection (f) (as added by 
     section 434(a) of Public Law 110-140 (121 Stat. 1614)) as 
     subsection (g); and
       (2) in subsection (f)(7), by striking subparagraph (A) and 
     inserting the following:
       ``(A) In general.--For each facility that meets the 
     criteria established by the Secretary under paragraph (2)(B), 
     the energy manager shall use the web-based tracking system 
     under subparagraph (B)--
       ``(i) to certify compliance with the requirements for--

       ``(I) energy and water evaluations under paragraph (3);
       ``(II) implementation of identified energy and water 
     measures under paragraph (4); and
       ``(III) follow-up on implemented measures under paragraph 
     (5); and

       ``(ii) to publish energy and water consumption data on an 
     individual facility basis.''.

     SEC. 885. ELECTRIC VEHICLE CHARGING INFRASTRUCTURE.

       Section 804(4) of the National Energy Conservation Policy 
     Act (42 U.S.C. 8287c(4)) is amended--
       (1) in subparagraph (A), by striking ``or'' after the 
     semicolon;
       (2) in subparagraph (B), by striking the period at the end 
     and inserting ``; or''; and
       (3) by adding at the end the following:
       ``(C) a measure to support the use of electric vehicles or 
     the fueling or charging infrastructure necessary for electric 
     vehicles.''.

     SEC. 886. FEDERAL PURCHASE REQUIREMENT.

       Section 203 of the Energy Policy Act of 2005 (42 U.S.C. 
     15852) is amended--
       (1) in subsections (a) and (b)(2), by striking ``electric 
     energy'' each place it appears and inserting ``electric, 
     direct, and thermal energy'';
       (2) in subsection (b)(2)--
       (A) by inserting ``, or avoided by,'' after ``generated 
     from''; and
       (B) by inserting ``(including ground-source, reclaimed, and 
     ground water)''after ``geothermal'';
       (3) by redesignating subsection (d) as subsection (e); and
       (4) by inserting after subsection (c) the following:
       ``(d) Separate Calculation.--Renewable energy produced at a 
     Federal facility, on Federal land, or on Indian land (as 
     defined in section 2601 of the Energy Policy Act of 1992 (25 
     U.S.C. 3501))--
       ``(1) shall be calculated (on a BTU-equivalent basis) 
     separately from renewable energy used; and
       ``(2) may be used individually or in combination to comply 
     with subsection (a).''.

     SEC. 887. STUDY ON FEDERAL DATA CENTER CONSOLIDATION.

       (a) In General.--The Secretary of Energy shall conduct a 
     study on the feasibility of a government-wide data center 
     consolidation, with an overall Federal target of a minimum of 
     800 Federal data center closures by October 1, 2015.
       (b) Coordination.--In conducting the study, the Secretary 
     shall coordinate with Federal data center program managers, 
     facilities managers, and sustainability officers.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary shall submit to Congress 
     a report that describes the results of the study, including a 
     description of agency best practices in data center 
     consolidation.

                       Subtitle E--Miscellaneous

     SEC. 891. OFFSETS.

       (a) Zero-Net Energy Commercial Buildings Initiative.--
     Section 422(f) of the Energy Independence and Security Act of 
     2007 (42 U.S.C. 17082(f)) is amended by striking paragraphs 
     (2) through (4) and inserting the following:
       ``(2) $50,000,000 for each of fiscal years 2009 through 
     2012;
       ``(3) $100,000,000 for fiscal year 2013; and
       ``(4) $200,000,000 for each of fiscal years 2014 through 
     2018.''.
       (b) Energy Sustainability and Efficiency Grants and Loans 
     for Institutions.--Subsection (j) of section 399A of the 
     Energy Policy and Conservation Act (42 U.S.C. 6371h-1) (as 
     redesignated by section 841(2)) is amended--
       (1) in paragraph (1), by striking ``through 2013'' and 
     inserting ``and 2010, $100,000,000 for each of fiscal years 
     2011 and 2012, and $250,000,000 for fiscal year 2013''; and
       (2) in paragraph (2), by striking ``through 2013'' and 
     inserting ``and 2010, $100,000,000 for each of fiscal years 
     2011 and 2012, and $425,000,000 for fiscal year 2013''.
       (c) Waste Energy Recovery Incentive Program.--Section 
     373(f)(1) of the Energy Policy and Conservation Act (42 
     U.S.C. 6343(f)(1)) is amended--
       (1) by redesignating subparagraph (B) as subparagraph (D); 
     and
       (2) by striking subparagraph (A) and inserting the 
     following:
       ``(A) $100,000,000 for fiscal year 2008;
       ``(B) $200,000,000 for each of fiscal years 2009 and 2010;
       ``(C) $100,000,000 for each of fiscal years 2011 and 2012; 
     and''.
       (d) Energy-intensive Industries Program.--Section 452(f)(1) 
     of the Energy Independence and Security Act of 2007 (42 
     U.S.C. 17111(f)(1)) is amended--
       (1) in subparagraph (D), by striking ``$202,000,000'' and 
     inserting ``$102,000,000''; and
       (2) in subparagraph (E), by striking ``$208,000,000'' and 
     inserting ``$108,000,000''.

     SEC. 892. ADVANCE APPROPRIATIONS REQUIRED.

       The authorization of amounts under this title and the 
     amendments made by this title shall be effective for any 
     fiscal year only to the extent and in the amount provided in 
     advance in appropriations Acts.
                                 ______
                                 
  SA 2617. Mr. COONS (for himself, Mr. Wyden, Mr. Akaka, Mr. Franken, 
Mr. Udall of New Mexico, and Mr. Sanders) submitted an amendment 
intended to be proposed by him to the bill S. 3414, to enhance the 
security and resiliency of the cyber and communications infrastructure 
of the United States; which was ordered to lie on the table; as 
follows:

       At the end of title VII, add the following:

     SEC. 709. SUNSET.

       (a) In General.--Except as provided in subsection (b), this 
     title shall cease to have effect five years after the date of 
     enactment of this Act.
       (b) Exception.--With respect to any particular disclosure 
     or sharing that occurred

[[Page 12532]]

     before the date on which the provisions referred to in 
     subsection (a) cease to have effect, such provisions shall 
     continue in effect.
                                 ______
                                 
  SA 2618. Mr. AKAKA (for himself, Mr. Blumenthal, Mr. Coons, Mr. 
Franken, Mr. Sanders, Mr. Udall of New Mexico, and Mr. Wyden) submitted 
an amendment intended to be proposed by him to the bill S. 3414, to 
enhance the security and resiliency of the cyber and communications 
infrastructure of the United States; which was ordered to lie on the 
table; as follows:

       On page 105, after the end of the matter between lines 11 
     and 12, insert the following:

     SEC. 205. PRIVACY BREACH REQUIREMENTS.

       (a) In General.--Subchapter II of chapter 35 of title 44, 
     United States Code, as amended by section 201 of this Act, is 
     amended by adding at the end the following:

     ``Sec. 3559. Privacy breach requirements

       ``(a) Policies and Procedures.--The Secretary shall 
     establish and oversee policies and procedures for agencies to 
     follow in the event of a breach of information security 
     involving the disclosure of personally identifiable 
     information, including requirements for--
       ``(1) timely notice to the individuals whose personally 
     identifiable information could be compromised as a result of 
     such breach;
       ``(2) timely reporting to a Federal cybersecurity center 
     (as defined in section 708 of the Cybersecurity Act of 2012), 
     as designated by the Secretary; and
       ``(3) additional actions as necessary and appropriate, 
     including data breach analysis, fraud resolution services, 
     identity theft insurance, and credit protection or monitoring 
     services.
       ``(b) Required Agency Action.--The head of each agency 
     shall ensure that actions taken in response to a breach of 
     information security involving the disclosure of personally 
     identifiable information under the authority or control of 
     the agency comply with policies and procedures established by 
     the Secretary under subsection (a).
       ``(c) Report.--Not later than March 1 of each year, the 
     Secretary shall report to Congress on agency compliance with 
     the policies and procedures established under subsection 
     (a).''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for subtitle II for chapter 35 of title 44, United 
     States Code, as amended by section 201 of this Act, is 
     amended by adding at the end the following:
``3559. Privacy breach requirements.''.

     SEC. 206. AMENDMENTS TO THE E-GOVERNMENT ACT OF 2002.

       Section 208(b)(1)(A) of the E-Government Act of 2002 (44 
     U.S.C. 3501 note; Public Law 107-347) is amended--
       (1) in clause (i), by striking ``or'' at the end;
       (2) in clause (ii), by striking the period at the end and 
     inserting ``; or''; and
       (3) by adding at the end the following:
       ``(iii) using information in an identifiable form 
     purchased, or subscribed to for a fee, from a commercial data 
     source.''.

     SEC. 207. AUTHORITY OF THE DIRECTOR OF THE OFFICE OF 
                   MANAGEMENT AND BUDGET WITH RESPECT TO FEDERAL 
                   INFORMATION POLICY.

       Section 3504(g) of title 44, United States Code, is 
     amended--
       (1) paragraph (1), by striking ``and'' at the end;
       (2) in paragraph (2), by striking the period at the end and 
     inserting ``; and''; and
       (3) by adding at the end the following:
       ``(3) designate a Federal Chief Privacy Officer within the 
     Office of Management and Budget who is a noncareer appointee 
     in a Senior Executive Service position and who is a trained 
     and experienced privacy professional to carry out the 
     responsibilities of the Director with regard to privacy.''.

     SEC. 208. CIVIL REMEDIES UNDER THE PRIVACY ACT.

       Section 552a(g)(4)(A) of title 5, United States Code, is 
     amended--
       (1) by striking ``actual damages'' and inserting ``provable 
     damages, including damages that are not pecuniary damages,''; 
     and
       (2) by striking ``, but in no case shall a person entitled 
     to recovery receive less than the sum of $1,000'' and 
     inserting ``or the sum of $1,000, whichever is greater.''.
       On page 188, lines 5 through 7, strike ``the Chief Privacy 
     and Civil Liberties Officer of the Department of Justice and 
     the Chief Privacy Officer of the Department'' and insert 
     ``the Federal Chief Privacy Officer''.
       On page 191, line 19, strike ``actual damages'' and insert 
     ``provable damages, including damages that are not pecuniary 
     damages,''
                                 ______
                                 
  SA 2619. Mr. DeMINT submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       At the appropriate place, insert the following:

     SEC. __. RIGHT TO WORK.

       (a) Amendments to the National Labor Relations Act.--
       (1) Rights of employees.--Section 7 of the National Labor 
     Relations Act (29 U.S.C. 157) is amended by striking ``except 
     to'' and all that follows through ``authorized in section 
     8(a)(3)''.
       (2) Unfair labor practices.--Section 8 of the National 
     Labor Relations Act (29 U.S.C. 158) is amended--
       (A) in subsection (a)(3), by striking ``: Provided, That'' 
     and all that follows through ``retaining membership'';
       (B) in subsection (b)--
       (i) in paragraph (2), by striking ``or to discriminate'' 
     and all that follows through ``retaining membership''; and
       (ii) in paragraph (5), by striking ``covered by an 
     agreement authorized under subsection (a)(3) of this 
     section''; and
       (C) in subsection (f), by striking clause (2) and 
     redesignating clauses (3) and (4) as clauses (2) and (3), 
     respectively.
       (b) Amendment to the Railway Labor Act.--Section 2 of the 
     Railway Labor Act (45 U.S.C. 152) is amended by striking 
     paragraph Eleven.
                                 ______
                                 
  SA 2620. Mr. HOEVEN submitted an amendment intended to be proposed by 
him to the bill S. 3414, to enhance the security and resiliency of the 
cyber and communications infrastructure of the United States; which was 
ordered to lie on the table; as follows:

       On page 109, strike line 17 and all that follows through 
     page 110, line 20, and insert the following:

     institutions and to provide funds to the military service 
     academies to establish cybersecurity test beds capable of 
     realistic modeling of real-time cyber attacks and defenses.
       (B) Requirement.--The test beds established under 
     subparagraph (A) shall be sufficiently large in order to 
     model the scale and complexity of real world networks and 
     environments.
       (3) Purpose.--The purpose of the program established under 
     paragraph (2) shall be to support the rapid development of 
     new cybersecurity defenses, techniques, and processes by 
     improving understanding and assessing the latest technologies 
     in a real-world environment.
       (e) Coordination With Other Research Initiatives.--The 
     Director shall to the extent practicable, coordinate research 
     and development activities under this section with other 
     ongoing research and development security-related 
     initiatives, including research being conducted by--
       (1) the National Institute of Standards and Technology;
       (2) the Department;
       (3) other Federal agencies;
       (4) other Federal and private research laboratories, 
     research entities, the military service academies, and 
     universities and institutions of higher education, and 
     relevant nonprofit organizations; and

                          ____________________