[Congressional Record (Bound Edition), Volume 163 (2017), Part 14]
[House]
[Pages 19547-19556]
[From the U.S. Government Publishing Office, www.gpo.gov]




      CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY ACT OF 2017

  Mr. McCAUL. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 3359) to amend the Homeland Security Act of 2002 to 
authorize the Cybersecurity and Infrastructure Security Agency of the 
Department of Homeland Security, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3359

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cybersecurity and 
     Infrastructure Security Agency Act of 2017''.

     SEC. 2. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

       (a) In General.--The Homeland Security Act of 2002 is 
     amended by adding at the end the following new title:

     ``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

        ``Subtitle A--Cybersecurity and Infrastructure Security

     ``SEC. 2201. DEFINITIONS.

       ``In this subtitle:
       ``(1) Critical infrastructure information.--The term 
     `critical infrastructure information' has the meaning given 
     such term in section 2215.
       ``(2) Cybersecurity risk.--The term `cybersecurity risk' 
     has the meaning given such term in section 2209.
       ``(3) Cybersecurity threat.--The term `cybersecurity 
     threat' has the meaning given such term in paragraph (5) of 
     section 102 of the Cybersecurity Act of 2015 (contained in 
     division N of the Consolidated Appropriations Act, 2016 
     (Public Law 114-113; 6 U.S.C. 1501)).
       ``(4) Federal entity.--The term `Federal entity' has the 
     meaning given such term in paragraph (8) of section 102 of 
     the Cybersecurity Act of 2015 (contained in division N of the 
     Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
     U.S.C. 1501)).
       ``(5) Non-federal entity.--The term `non-Federal entity' 
     has the meaning given such term in paragraph (14) of section 
     102 of the Cybersecurity Act of 2015 (contained in division N 
     of the Consolidated Appropriations Act, 2016 (Public Law 114-
     113; 6 U.S.C. 1501)).
       ``(6) Sector-specific agency.--The term `Sector-Specific 
     Agency' means a Federal department or agency, designated by 
     law or presidential directive, with responsibility for 
     providing institutional knowledge and specialized expertise 
     of a sector, as well as leading, facilitating, or supporting 
     programs and associated activities of its designated critical 
     infrastructure sector in the all hazards environment in 
     coordination with the Department.
       ``(7) Sharing.--The term `sharing' has the meaning given 
     such term in section 2209.
       ``(8) National cybersecurity asset response activities.--
     The term `national cybersecurity asset response activities' 
     means--
       ``(A) furnishing cybersecurity technical assistance to 
     entities affected by cybersecurity risks to protect assets, 
     mitigate vulnerabilities, and reduce impacts of cyber 
     incidents;
       ``(B) identifying other entities that may be at risk of an 
     incident and assessing risk to the same or similar 
     vulnerabilities;
       ``(C) assessing potential cybersecurity risks to a sector 
     or region, including potential cascading effects, and 
     developing courses of action to mitigate such risks;
       ``(D) facilitating information sharing and operational 
     coordination with threat response; and
       ``(E) providing guidance on how best to utilize Federal 
     resources and capabilities in a timely, effective manner to 
     speed recovery from cybersecurity risks.

     ``SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY 
                   AGENCY.

       ``(a) Redesignation.--
       ``(1) In general.--The National Protection and Programs 
     Directorate of the Department shall, on and after the date of 
     the enactment of this subtitle, be known as the 
     `Cybersecurity and Infrastructure Security Agency' (in this 
     subtitle referred to as the `Agency').
       ``(2) References.--Any reference to the National Protection 
     and Programs Directorate of the Department in any law, 
     regulation, map, document, record, or other paper of the 
     United States shall be deemed to be a reference to the 
     Cybersecurity and Infrastructure Security Agency of the 
     Department.
       ``(b) Director.--
       ``(1) In general.--The Agency shall be headed by a Director 
     of Cybersecurity and Infrastructure Security (in this 
     subtitle referred to as the `Director'), who shall report to 
     the Secretary.
       ``(2) Reference.--Any reference to an Under Secretary 
     responsible for overseeing critical infrastructure 
     protection, cybersecurity, and any other related program of 
     the Department as described in section 103(a)(1)(H) as in 
     effect on the day before the date of the enactment of this 
     subtitle in any law, regulation, map, document, record, or 
     other paper of the United States shall be deemed to be a 
     reference to the Director of Cybersecurity and Infrastructure 
     Security of the Department.
       ``(c) Responsibilities.--The Director shall--
       ``(1) lead cybersecurity and critical infrastructure 
     security programs, operations, and associated policy for the 
     Agency, including national cybersecurity asset response 
     activities;
       ``(2) coordinate with Federal entities, including Sector-
     Specific Agencies, and non-Federal entities, including 
     international entities, to carry out the cybersecurity and 
     critical infrastructure activities of the Agency, as 
     appropriate;
       ``(3) carry out the Secretary's responsibilities to secure 
     Federal information and information systems consistent with 
     law, including subchapter II of chapter 35 of title 44, 
     United States Code, and the Cybersecurity Act of 2015 
     (contained in division N of the Consolidated Appropriations 
     Act, 2016 (Public Law 114-113));
       ``(4) coordinate a national effort to secure and protect 
     against critical infrastructure risks, consistent with 
     subsection (e)(1)(E);
       ``(5) upon request provide analyses, expertise, and other 
     technical assistance to critical infrastructure owners and 
     operators and, where appropriate, provide such analyses, 
     expertise, and other technical assistance in coordination 
     with Sector-Specific Agencies and other Federal departments 
     and agencies;
       ``(6) develop and utilize mechanisms for active and 
     frequent collaboration between the Agency and Sector-Specific 
     Agencies to ensure appropriate coordination, situational 
     awareness, and communications with Sector-Specific Agencies;
       ``(7) maintain and utilize mechanisms for the regular and 
     ongoing consultation and collaboration among the Agency's 
     Divisions to further operational coordination, integrated 
     situational awareness, and improved integration across the 
     Agency in accordance with this Act;
       ``(8) develop, coordinate, and implement--
       ``(A) comprehensive strategic plans for the activities of 
     the Agency; and
       ``(B) risk assessments by and for the Agency;
       ``(9) carry out emergency communications responsibilities, 
     in accordance with title XVIII;
       ``(10) carry out cybersecurity, infrastructure security, 
     and emergency communications stakeholder outreach and 
     engagement and coordinate such outreach and engagement with 
     critical infrastructure Sector-Specific Agencies, as 
     appropriate; and
       ``(11) carry out such other duties and powers prescribed by 
     law or delegated by the Secretary.
       ``(d) Deputy Director.--There shall be in the Agency a 
     Deputy Director of Cybersecurity and Infrastructure Security 
     who shall--
       ``(1) assist the Director in the management of the Agency; 
     and
       ``(2) report to the Director.
       ``(e) Cybersecurity and Infrastructure Security Authorities 
     of the Secretary.--
       ``(1) In general.--The responsibilities of the Secretary 
     relating to cybersecurity and infrastructure security shall 
     include the following:
       ``(A) To access, receive, and analyze law enforcement 
     information, intelligence information, and other information 
     from Federal Government agencies, State, local, tribal, and 
     territorial government agencies (including law enforcement 
     agencies), and private sector entities, and to integrate such 
     information, in support of the mission responsibilities of 
     the Department, in order to--
       ``(i) identify and assess the nature and scope of terrorist 
     threats to the homeland;
       ``(ii) detect and identify threats of terrorism against the 
     United States; and
       ``(iii) understand such threats in light of actual and 
     potential vulnerabilities of the homeland.
       ``(B) To carry out comprehensive assessments of the 
     vulnerabilities of the key resources and critical 
     infrastructure of the United States, including the 
     performance of risk assessments to determine the risks posed 
     by particular types of terrorist attacks within the United 
     States (including an assessment of the probability of success 
     of such attacks and the feasibility and potential efficacy of 
     various countermeasures to such attacks). At the discretion 
     of the Secretary, such assessments may be carried out in 
     coordination with Sector-Specific Agencies.
       ``(C) To integrate relevant information, analysis, and 
     vulnerability assessments (regardless of whether such 
     information, analysis, or assessments are provided or 
     produced by the Department) in order to make recommendations, 
     including prioritization, for protective and support measures 
     by the Department, other Federal Government agencies, State, 
     local, tribal, and territorial government agencies and 
     authorities, the private sector, and other entities regarding 
     terrorist and other threats to homeland security.
       ``(D) To ensure, pursuant to section 202, the timely and 
     efficient access by the Department to all information 
     necessary to discharge the responsibilities under this title, 
     including obtaining such information from other Federal 
     Government agencies.
       ``(E) To develop, in coordination with the Sector-Specific 
     Agencies with available expertise, a comprehensive national 
     plan for securing the key resources and critical 
     infrastructure of the United States, including power 
     production, generation, and distribution systems, information 
     technology and telecommunications systems (including 
     satellites), electronic financial and property record storage 
     and transmission systems, emergency communications systems, 
     and the physical and technological assets that support such 
     systems.
       ``(F) To recommend measures necessary to protect the key 
     resources and critical infrastructure of the United States in 
     coordination with other Federal Government agencies, 
     including Sector-Specific Agencies, and in cooperation with 
     State, local, tribal, and territorial government agencies and 
     authorities, the private sector, and other entities.
       ``(G) To review, analyze, and make recommendations for 
     improvements to the policies and procedures governing the 
     sharing of information relating to homeland security within 
     the Federal Government and between Federal Government 
     agencies and State, local, tribal, and territorial government 
     agencies and authorities.
       ``(H) To disseminate, as appropriate, information analyzed 
     by the Department within the Department, to other Federal 
     Government agencies with responsibilities relating to 
     homeland security, and to State, local, tribal, and 
     territorial government agencies and private sector entities 
     with such responsibilities in order to assist in the 
     deterrence, prevention, preemption of, or response to, 
     terrorist attacks against the United States.
       ``(I) To consult with State, local, tribal, and territorial 
     government agencies and private sector entities to ensure 
     appropriate exchanges of information, including law 
     enforcement-related information, relating to threats of 
     terrorism against the United States.
       ``(J) To ensure that any material received pursuant to this 
     Act is protected from unauthorized disclosure and handled and 
     used only for the performance of official duties.
       ``(K) To request additional information from other Federal 
     Government agencies, State, local, tribal, and territorial 
     government agencies, and the private sector relating to 
     threats of terrorism in the United States, or relating to 
     other areas of responsibility assigned by the Secretary, 
     including the entry into cooperative agreements through the 
     Secretary to obtain such information.
       ``(L) To establish and utilize, in conjunction with the 
     chief information officer of the Department, a secure 
     communications and information technology infrastructure, 
     including data-mining and other advanced analytical tools, in 
     order to access, receive, and analyze data and information in 
     furtherance of the responsibilities under this section, and 
     to disseminate information acquired and analyzed by the 
     Department, as appropriate.
       ``(M) To coordinate training and other support to the 
     elements and personnel of the Department, other Federal 
     Government agencies, and State, local, tribal, and 
     territorial government agencies that provide information to 
     the Department, or are consumers of information provided by 
     the Department, in order to facilitate the identification and 
     sharing of information revealed in their ordinary duties and 
     the optimal utilization of information received from the 
     Department.
       ``(N) To coordinate with Federal, State, local, tribal, and 
     territorial law enforcement agencies, and the private sector, 
     as appropriate.
       ``(O) To exercise the authorities and oversight of the 
     functions, personnel, assets, and liabilities of those 
     components transferred to the Department pursuant to section 
     201(g).
       ``(P) To carry out the functions of the national 
     cybersecurity and communications integration center under 
     section 2209.
       ``(Q) To carry out requirements of the Chemical Facilities 
     Anti-Terrorism Standards Program established under title XXI 
     and the secure handling of ammonium nitrate established under 
     subtitle J of title VIII.
       ``(2) Reallocation.--The Secretary may reallocate within 
     the Agency the functions specified in sections 2203(b) and 
     2204(b), consistent with the responsibilities provided in 
     paragraph (1) of this subsection, upon certifying to and 
     briefing the appropriate congressional committees, and making 
     available to the public, at least 60 days prior to any such 
     reallocation that such reallocation is necessary for carrying 
     out the activities of the Agency.
       ``(3) Staff.--
       ``(A) In general.--The Secretary shall provide the Agency 
     with a staff of analysts having appropriate expertise and 
     experience to assist the Agency in discharging its 
     responsibilities under this section.
       ``(B) Private sector analysts.--Analysts under this 
     subsection may include analysts from the private sector.
       ``(C) Security clearances.--Analysts under this subsection 
     shall possess security clearances appropriate for their work 
     under this section.
       ``(4) Detail of personnel.--
       ``(A) In general.--In order to assist the Agency in 
     discharging its responsibilities under this section, 
     personnel of the Federal agencies referred to in subparagraph 
     (B) may be detailed to the Agency for the performance of 
     analytic functions and related duties.
       ``(B) Agencies specified.--The Federal agencies referred to 
     in subparagraph (A) are the following:
       ``(i) The Department of State.
       ``(ii) The Central Intelligence Agency.
       ``(iii) The Federal Bureau of Investigation.
       ``(iv) The National Security Agency.
       ``(v) The National Geospatial-Intelligence Agency.
       ``(vi) The Defense Intelligence Agency.
       ``(vii) Sector-Specific Agencies.
       ``(viii) Any other agency of the Federal Government that 
     the President considers appropriate.
       ``(C) Interagency agreements.--The Secretary and the head 
     of an agency specified in subparagraph (B) may enter into 
     agreements for the purpose of detailing personnel under this 
     paragraph.
       ``(D) Basis.--The detail of personnel under this paragraph 
     may be on a reimbursable or non-reimbursable basis.
       ``(f) Composition.--The Agency shall be composed of the 
     following divisions:
       ``(1) The Cybersecurity Division, headed by an Assistant 
     Director.
       ``(2) The Infrastructure Security Division, headed by an 
     Assistant Director.
       ``(3) The Emergency Communications Division under title 
     XVIII, headed by an Assistant Director.
       ``(g) Co-Location.--To the maximum extent practicable, the 
     Director shall examine the establishment of central locations 
     in geographical regions with a significant Agency presence. 
     When establishing such locations, the Director shall 
     coordinate with component heads and the Under Secretary for 
     Management to co-locate or partner on any new real property 
     leases, renewing any occupancy agreements for existing 
     leases, or agreeing to extend or newly occupy any Federal 
     space or new construction.
       ``(h) Privacy.--
       ``(1) In general.--There shall be a Privacy Officer of the 
     Agency with primary responsibility for privacy policy and 
     compliance for the Agency.
       ``(2) Responsibilities.--The responsibilities of the 
     Privacy Officer of the Agency shall include--
       ``(A) assuring that the use of technologies by the Agency 
     sustain, and do not erode, privacy protections relating to 
     the use, collection, and disclosure of personal information;
       ``(B) assuring that personal information contained in 
     Privacy Act systems of records of the Agency is handled in 
     full compliance with fair information practices as specified 
     in the Privacy Act of 1974;
       ``(C) evaluating legislative and regulatory proposals 
     involving collection, use, and disclosure of personal 
     information by the Agency; and
       ``(D) conducting a privacy impact assessment of proposed 
     rules of the Agency on the privacy of personal information, 
     including the type of personal information collected and the 
     number of people affected.
       ``(i) Savings.--Nothing in this title may be construed as 
     affecting in any manner the authority, existing on the day 
     before the date of the enactment of this title, of any other 
     component of the Department or any other Federal department 
     or agency.

     ``SEC. 2203. CYBERSECURITY DIVISION.

       ``(a) Establishment.--
       ``(1) In general.--There is established in the Agency a 
     Cybersecurity Division.
       ``(2) Assistant director.--The Cybersecurity Division shall 
     be headed by an Assistant Director for Cybersecurity (in this 
     subtitle referred to as the `Assistant Director'), who 
     shall--
       ``(A) be at the level of Assistant Secretary within the 
     Department;
       ``(B) be appointed by the President without the advice and 
     consent of the Senate; and
       ``(C) report to the Director.
       ``(3) Reference.--Any reference to the Assistant Secretary 
     for Cybersecurity and Communications in any law, regulation, 
     map, document, record, or other paper of the United States 
     shall be deemed to be a reference to the Assistant Director 
     for Cybersecurity.
       ``(b) Functions.--The Assistant Director shall--
       ``(1) direct the cybersecurity efforts of the Agency;
       ``(2) carry out activities, at the direction of the 
     Director, related to the security of Federal information and 
     Federal information systems consistent with law, including 
     subchapter II of chapter 35 of title 44, United States Code, 
     and the Cybersecurity Act of 2015 (contained in division N of 
     the Consolidated Appropriations Act, 2016 (Public Law 114-
     113));
       ``(3) fully participate in the mechanisms required under 
     subsection (c)(7) of section 2202; and
       ``(4) carry out such other duties and powers as prescribed 
     by the Director.

     ``SEC. 2204. INFRASTRUCTURE SECURITY DIVISION.

       ``(a) Establishment.--
       ``(1) In general.--There is established in the Agency an 
     Infrastructure Security Division.
       ``(2) Assistant director.--The Infrastructure Security 
     Division shall be headed by an Assistant Director of 
     Infrastructure Security (in this section referred to as the 
     `Assistant Director'), who shall--
       ``(A) be at the level of Assistant Secretary within the 
     Department;
       ``(B) be appointed by the President without the advice and 
     consent of the Senate; and
       ``(C) report to the Director.
       ``(3) Reference.--Any reference to the Assistant Secretary 
     for Infrastructure Protection in any law, regulation, map, 
     document, record, or other paper of the United States shall 
     be deemed to be a reference to the Assistant Director for 
     Infrastructure Security.
       ``(b) Functions.--The Assistant Director shall--
       ``(1) direct the critical infrastructure security efforts 
     of the Agency;
       ``(2) carry, at the direction of the Director, the Chemical 
     Facilities Anti-Terrorism Standards Program established under 
     title XXI and the secure handling of ammonium nitrate 
     established under subtitle J of title VIII or successor 
     program;
       ``(3) fully participate in the mechanisms required under 
     subsection (c)(7) of section 2202; and
       ``(4) carry out such other duties and powers as prescribed 
     by the Director.''.
       (b) Treatment of Certain Positions.--
       (1) Under secretary.--The individual serving as the Under 
     Secretary appointed pursuant to section 103(a)(1)(H) of the 
     Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)) of the 
     Department of Homeland Security on the day before the date of 
     the enactment of this Act may continue to serve as the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency of the Department on and after such date.
       (2) Director for emergency communications.--The individual 
     serving as the Director for Emergency Communications of the 
     Department of Homeland Security on the day before the date of 
     the enactment of this Act may continue to serve as the 
     Assistant Director for Emergency Communications of the 
     Department on and after such date.
       (3) Assistant secretary for cybersecurity and 
     communications.--The individual serving as the Assistant 
     Secretary for Cybersecurity and Communications on the day 
     before the date of the enactment of this Act may continue to 
     serve as the Assistant Director for Cybersecurity on and 
     after such date.
       (4) Assistant secretary for infrastructure security.--The 
     individual serving as the Assistant Secretary for 
     Infrastructure Protection on the day before the date of the 
     enactment of this Act may continue to serve as the Assistant 
     Director for Infrastructure Security on and after such date.
       (c) Reference.--Any reference to--
       (1) the Office of Emergency Communications in any law, 
     regulation, map, document, record, or other paper of the 
     United States shall be deemed to be a reference to the 
     Emergency Communications Division; and
       (2) the Director for Emergency Communications in any law, 
     regulation, map, document, record, or other paper of the 
     United States shall be deemed to be a reference to the 
     Assistant Director for Emergency Communications.
       (d) Oversight.--The Director of the Cybersecurity and 
     Infrastructure Security Agency of the Department of Homeland 
     Security shall provide to Congress, in accordance with the 
     deadlines specified in paragraphs (1) and (2), information on 
     the following:
       (1) Not later than 60 days after the date of the enactment 
     of this Act, a briefing on the activities of the Agency 
     relating to the development and use of the mechanisms 
     required pursuant to section 2202(c)(6) of the Homeland 
     Security Act of 2002 (as added by subsection (a) of this 
     section).
       (2) Not later than one year after the date of the enactment 
     of this Act, a briefing on the activities of the Agency 
     relating to its use and improvement of the mechanisms 
     required pursuant to section 2202(c)(6) of the Homeland 
     Security Act of 2002 and how such activities have impacted 
     coordination, situational awareness, and communications with 
     Sector-Specific Agencies.
       (3) Not later than 90 days after the date of the enactment 
     of this Act, information on the Agency's mechanisms for 
     regular and ongoing consultation and collaboration, as 
     required pursuant to section 2202(c)(7) of the Homeland 
     Security Act of 2002 (as added by subsection (a) of this 
     section).
       (4) Not later than one year after the date of the enactment 
     of this Act, the activities of the Agency's consultation and 
     collaboration mechanisms as required pursuant to section 
     2202(c)(7) of the Homeland Security Act of 2002, and how such 
     mechanisms have impacted operational coordination, 
     situational awareness, and integration across the Agency.
       (e) Cyber Workforce.--Not later than 90 days after the date 
     of the enactment of this subtitle, the Director of the 
     Cybersecurity and Infrastructure Security Agency of the 
     Department of Homeland Security shall submit to Congress a 
     report detailing how the Agency is meeting legislative 
     requirements under the Cybersecurity Workforce Assessment Act 
     (Public Law 113-246) and the Homeland Security Cybersecurity 
     Workforce Assessment Act (enacted as section 4 of the Border 
     Patrol Agent Pay Reform Act of 2014; Public Law 113-277) to 
     address cyber workforce needs.
       (f) Facility.--Not later than 180 days after the date of 
     the enactment of this Act, the Director of the Cybersecurity 
     and Infrastructure Security Agency of the Department of 
     Homeland Security shall report to Congress on the most 
     efficient and effective methods of consolidating Agency 
     facilities, personnel, and programs to most effectively carry 
     out the Agency's mission.
       (g) Conforming Amendments to the Homeland Security Act of 
     2002.--The Homeland Security Act of 2002 is amended--
       (1) in title I, by amending subparagraph (H) of section 
     103(a)(1) (6 U.S.C. 113(a)(1)) to read as follows:
       ``(H) A Director of the Cybersecurity and Infrastructure 
     Security Agency.'';
       (2) in title II (6 U.S.C. 121 et seq.)--
       (A) in the title heading, by striking ``AND INFRASTRUCTURE 
     PROTECTION'';
       (B) in the subtitle A heading, by striking ``and 
     Infrastructure Protection'';
       (C) in section 201 (6 U.S.C. 121)--
       (i) in the section heading, by striking ``and 
     infrastructure protection'';
       (ii) in subsection (a)--

       (I) in the heading, by striking ``and Infrastructure 
     Protection''; and
       (II) by striking ``and an Office of Infrastructure 
     Protection'';

       (iii) in subsection (b)--

       (I) in the heading, by striking ``and Assistant Secretary 
     for Infrastructure Protection''; and
       (II) by striking paragraph (3);

       (iv) in subsection (c)--

       (I) by striking ``and infrastructure protection''; and
       (II) by striking ``or the Assistant Secretary for 
     Infrastructure Protection, as appropriate'';

       (v) in subsection (d)--

       (I) in the heading, by striking ``and Infrastructure 
     Protection'';
       (II) in the matter preceding paragraph (1), by striking 
     ``and infrastructure protection'';
       (III) by striking paragraphs (5) and (6) and redesignating 
     paragraphs (7) through (26) as paragraphs (5) through (24), 
     respectively;
       (IV) by striking paragraph (23), as so redesignated; and
       (V) by redesignating paragraph (24), as so redesignated, as 
     paragraph (23);

       (vi) in subsection (e)(1), by striking ``and the Office of 
     Infrastructure Protection''; and
       (vii) in subsection (f)(1), by striking ``and the Office of 
     Infrastructure Protection'';
       (D) in section 204 (6 U.S.C. 124a)--
       (i) in subsection (c)(1), in the matter preceding 
     subparagraph (A), by striking ``Assistant Secretary for 
     Infrastructure Protection'' and inserting ``Director of the 
     Cybersecurity and Infrastructure Security Agency''; and
       (ii) in subsection (d)(1), in the matter preceding 
     subparagraph (A), by striking ``Assistant Secretary for 
     Infrastructure Protection'' and inserting ``Director of the 
     Cybersecurity and Infrastructure Security Agency'';
       (E) in subparagraph (B) of section 210A(c)(2) (6 U.S.C. 
     124h(c)(2)), by striking ``Office of Infrastructure 
     Protection'' and inserting ``Cybersecurity and Infrastructure 
     Security Agency'';
       (F) by transferring section 210E (6 U.S.C. 124) to appear 
     after section 2213 (as redesignated by subparagraph (H) of 
     this paragraph) and redesignating such section 210E as 
     section 2214;
       (G) in subtitle B, by redesignating sections 211 through 
     215 (6 U.S.C. 101 note through 134) as sections 2221 through 
     2225, respectively, and inserting such redesignated sections, 
     including the enumerator and heading of subtitle B 
     (containing such redesignated sections), after section 2214, 
     as redesignated by subparagraph (F) of this paragraph; and
       (H) by redesignating sections 223 through 230 (6 U.S.C. 143 
     through 151) as sections 2205 through 2213, respectively, and 
     inserting such redesignated sections after section 2204, as 
     added by this Act;
       (3) in title III, in paragraph (3) of section 302 (6 U.S.C. 
     182), by striking ``Assistant Secretary for Infrastructure 
     Protection'' and inserting ``Director of the Cybersecurity 
     and Infrastructure Security Agency'';
       (4) in title V--
       (A) in section 514 (6 U.S.C. 321c), by--
       (i) striking subsection (b); and
       (ii) redesignating subsection (c) as subsection (b);
       (B) in section 523 (6 U.S.C. 321l)--
       (i) in subsection (a), in the matter preceding paragraph 
     (1), by striking ``Assistant Secretary for Infrastructure 
     Protection'' and inserting ``Director of the Cybersecurity 
     and Infrastructure Security Agency''; and
       (ii) in subsection (c), by striking ``Assistant Secretary 
     for Infrastructure Protection'' and inserting ``Director of 
     the Cybersecurity and Infrastructure Security Agency''; and
       (C) in section 524(a)(2)(B) (6 U.S.C. 321m(a)(2)(B)), in 
     the matter preceding clause (i)--
       (i) by striking ``Assistant Secretary for Infrastructure 
     Protection'' and inserting ``Director of the Cybersecurity 
     and Infrastructure Security Agency''; and
       (ii) by striking ``of the Assistant Secretary'' and 
     inserting ``of the Director'';
       (5) in title VIII, in section 899B(a) (6 U.S.C. 488a(a)), 
     by inserting at the end the following new sentence: ``Such 
     regulations shall be carried out by the Cybersecurity and 
     Infrastructure Security Agency.'';
       (6) in title XVIII (6 U.S.C. 571 et seq.)--
       (A) in section 1801 (6 U.S.C. 571)--
       (i) in the section heading, by striking ``office of 
     emergency communications'' and inserting ``emergency 
     communications division'';
       (ii) in subsection (a)--

       (I) by striking ``Office of Emergency Communications'' and 
     inserting ``Emergency Communications Division''; and
       (II) by adding at the end the following new sentence: ``The 
     Division shall be located in the Cybersecurity and 
     Infrastructure Security Agency.'';

       (iii) by amending subsection (b) to read as follows:
       ``(b) Assistant Director.--The head of the office shall be 
     the Assistant Director for Emergency Communications. The 
     Assistant Director shall report to the Director of the 
     Cybersecurity and Infrastructure Security Agency. All 
     decisions of the Assistant Director that entail the exercise 
     of significant authority shall be subject to the approval of 
     the Director.'';
       (iv) in subsection (c)--

       (I) in the matter preceding paragraph (1), by inserting 
     ``Assistant'' before ``Director'';
       (II) in paragraph (14), by striking ``and'' at the end;
       (III) by redesignating paragraph (15) as paragraph (16); 
     and
       (IV) by inserting after paragraph (14) the following new 
     paragraph:

       ``(15) fully participate in the mechanisms required under 
     subsection (c)(7) of section 2202; and'';
       (v) in subsection (d), by inserting ``Assistant'' before 
     ``Director''; and
       (vi) in subsection (e), in the matter preceding paragraph 
     (1), by inserting ``Assistant'' before ``Director'';
       (B) in sections 1802 through 1805 (6 U.S.C. 575), by 
     striking ``Director for Emergency Communications'' each place 
     it appears and inserting ``Assistant Director for Emergency 
     Communications'';
       (C) in section 1809 (6 U.S.C. 579)--
       (i) by striking ``Director for Emergency Communications'' 
     and inserting ``Assistant Director for Emergency 
     Communications''; and
       (ii) by striking ``Office of Emergency Communications'' 
     each place it appears and inserting ``Emergency 
     Communications Division''; and
       (D) in section 1810 (6 U.S.C. 580)--
       (i) in subsection (a)(1), by striking ``Director of the 
     Office of Emergency Communications (referred to in this 
     section as the `Director')'' and inserting ``Assistant 
     Director for the Emergency Communications Division (referred 
     to in this section as the `Assistant Director')'';
       (ii) in subsection (c), by striking ``Office of Emergency 
     Communications'' and inserting ``Emergency Communications 
     Division''; and
       (iii) by striking ``Director'' each place it appears and 
     inserting ``Assistant Director'';
       (7) in title XXI (6 U.S.C. 621 et seq.)--
       (A) in section 2101 (6 U.S.C. 621)--
       (i) by redesignating paragraphs (4) through (14) as 
     paragraphs (5) through (15), respectively; and
       (ii) by inserting after paragraph (3) the following new 
     paragraph:
       ``(4) the term `Director' means the Director of the 
     Cybersecurity and Infrastructure Security Agency;'';
       (B) in paragraph (1) of section 2102(a) (6 U.S.C. 622(a)), 
     by inserting at the end the following new sentence: ``Such 
     Program shall be located in the Cybersecurity and 
     Infrastructure Security Agency.''; and
       (C) in paragraph (2) of section 2104(c) (6 U.S.C. 624(c)), 
     by striking ``Under Secretary responsible for overseeing 
     critical infrastructure protection, cybersecurity, and other 
     related programs of the Department appointed under section 
     103(a)(1)(H)'' and inserting ``Director of the Cybersecurity 
     and Infrastructure Security Agency''; and
       (8) in title XXII, as added by this Act--
       (A) in section 2205, as so redesignated, in the matter 
     preceding paragraph (1), by striking ``Under Secretary 
     appointed under section 103(a)(1)(H)'' and inserting 
     ``Director of the Cybersecurity and Infrastructure Security 
     Agency'';
       (B) in section 2206, as so redesignated, by striking 
     ``Assistant Secretary for Infrastructure Protection'' and 
     inserting ``Director of the Cybersecurity and Infrastructure 
     Security Agency'';
       (C) in section 2209, as so redesignated--
       (i) by striking ``Under Secretary appointed under section 
     103(a)(1)(H)'' each place it appears and inserting ``Director 
     of the Cybersecurity and Infrastructure Security Agency'';
       (ii) in subsection (b), by adding at the end the following 
     new sentences: ``The Center shall be located in the 
     Cybersecurity and Infrastructure Security Agency. The head of 
     the Center shall report to the Assistant Director for 
     Cybersecurity.''; and
       (iii) in subsection (c)(11), by striking ``Office of 
     Emergency Communications'' and inserting ``Emergency 
     Communications Division'';
       (D) in section 2210, as so redesignated--
       (i) by striking ``section 227'' each place it appears and 
     inserting ``section 2209''; and
       (ii) in subsection (c)--

       (I) by striking ``Under Secretary appointed under section 
     103(a)(1)(H)'' and inserting ``Director of the Cybersecurity 
     and Infrastructure Security Agency''; and
       (II) by striking ``section 212(5)'' and inserting ``section 
     2225(5)'';

       (E) in subsection (b)(2)(A) of section 2211, as so 
     redesignated, by striking ``section 227'' and inserting 
     ``section 2209'';
       (F) in section 2212, as so redesignated, by striking 
     ``section 212(5)'' and inserting ``section 2225(5)''; and
       (G) in section 2213, as so redesignated, in subsection 
     (a)--
       (i) in paragraph (3), by striking ``section 228'' and 
     inserting ``section 2210''; and
       (ii) in paragraph (4), by striking ``section 227'' and 
     inserting ``section 2209''.
       (h) Conforming Amendment to Title 5, United States Code.--
     Section 5314 of title 5, United States Code, is amended by 
     inserting after ``Under Secretaries, Department of Homeland 
     Security.'' the following new item:
       ``Director, Cybersecurity and Infrastructure Security 
     Agency.''.
       (i) Clerical Amendments.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 is amended--
       (1) in title II--
       (A) in the item relating to the title heading, by striking 
     ``AND INFRASTRUCTURE PROTECTION'';
       (B) in the item relating to the heading of subtitle A, by 
     striking ``and Infrastructure Protection'';
       (C) in the item relating to section 201, by striking ``and 
     Infrastructure Protection'';
       (D) by striking the item relating to section 210E;
       (E) by striking the items relating to subtitle B of title 
     II; and
       (F) by striking the items relating to section 223 through 
     section 230;
       (2) in title XVIII, by amending the item relating to 
     section 1801 to read as follows:

``Sec. 1801. Emergency Communications Division.''; and
       (3) by adding at the end the following new items:

     ``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

        ``Subtitle A--Cybersecurity and Infrastructure Security

``Sec. 2201. Definitions.
``Sec. 2202. Cybersecurity and Infrastructure Security Agency.
``Sec. 2203. Cybersecurity Division.
``Sec. 2204. Infrastructure Security Division.
``Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.
``Sec. 2206. Net guard.
``Sec. 2207. Cyber Security Enhancement Act of 2002.
``Sec. 2208. Cybersecurity recruitment and retention.
``Sec. 2209. National cybersecurity and communications integration 
              center.
``Sec. 2210. Cybersecurity plans.
``Sec. 2211. Cybersecurity strategy.
``Sec. 2212. Clearances.
``Sec. 2213. Federal intrusion detection and prevention system.
``Sec. 2214. National Asset Database.

           ``Subtitle B--Critical Infrastructure Information

``Sec. 2221. Short title.
``Sec. 2222. Definitions.
``Sec. 2223. Designation of critical infrastructure protection program.
``Sec. 2224. Protection of voluntarily shared critical infrastructure 
              information.
``Sec. 2225. No private right of action.''.

     SEC. 3. TRANSFER OF OTHER ENTITIES.

       (a) Office of Biometric Identity Management.--The Office of 
     Biometric Identity Management of the Department of Homeland 
     Security located in the National Protection and Programs 
     Directorate of the Department of Homeland Security on the day 
     before the date of the enactment of this Act is hereby 
     transferred to the Management Directorate of the Department.
       (b) Federal Protective Service.--The Secretary of Homeland 
     Security is authorized to transfer the Federal Protective 
     Service, as authorized under section 1315 of title 40, United 
     States Code, to any component, directorate, or other office 
     of the Department of Homeland Security that the Secretary 
     determines appropriate.

     SEC. 4. RULE OF CONSTRUCTION.

       Nothing in this Act may be construed as--
       (1) conferring new authorities to the Secretary of Homeland 
     Security, including programmatic, regulatory, or enforcement 
     authorities, outside of the authorities in existence on the 
     day before the date of the enactment of this Act;
       (2) reducing or limiting the programmatic, regulatory, or 
     enforcement authority vested in any other Federal agency by 
     statute; or
       (3) affecting in any manner the authority, existing on the 
     day before the date of the enactment of this Act, of any 
     other Federal agency or component of the Department of 
     Homeland Security.

     SEC. 5. PROHIBITION ON ADDITIONAL FUNDING.

       No additional funds are authorized to be appropriated to 
     carry out this Act or the amendments made by this Act. This 
     Act and such amendments shall be carried out using amounts 
     otherwise authorized.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Texas (Mr. McCaul) and the gentlewoman from California (Ms. Barragan) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Texas.


                             General Leave

  Mr. McCAUL. Mr. Speaker, I ask unanimous consent that all Members 
have 5 legislative days within which to revise and extend their remarks 
and to include any extraneous material on the bill under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Texas?
  There was no objection.
  Mr. McCAUL. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise today in support of the Cybersecurity and 
Infrastructure Security Agency Act.
  Mr. Speaker, with each passing day, nation-states, hackers, and other 
cyber criminals are finding new ways to attack our cyber infrastructure 
and expose new vulnerabilities.
  As technology has advanced, more and more Americans have become 
dependent on computer networks and information technology, making 
everyone a potential victim.
  In September, we learned that Equifax had been successfully hacked 
and 145.5 million people were affected by this breach. Last month, it 
is reported that 57 million people who use Uber might have had their 
personal information stolen in a cyber attack in 2016.
  These attacks are not just aimed at American consumers, however. Our 
foreign adversaries are routinely engaging in cyber warfare as well.
  In 2015, hackers traced back to the Chinese Government accessed 
sensitive material from the Office of Personnel Management on 22 
million persons' security clearances. Last year, Russia was caught 
trying to undermine our democratic process.
  These kinds of attacks are simply unacceptable. We must not allow 
them to continue. Fortunately, we have prioritized cybersecurity issues 
at the Committee on Homeland Security over the last few years and have 
taken strong, bipartisan action. In 2014, committee efforts resulted in 
the enactment of legislation that provided DHS expedited hiring 
authority, ensuring the DHS is assessing its cybersecurity workforce, 
and it clarified the Department's role in the cybersecurity of Federal 
networks.
  In 2015, the Cybersecurity Act provided liability protections for 
public-to-private and private-to-private cyber threat information 
sharing. While these are important actions, we need to do more, and 
today we have a chance to do just that.
  The legislation before us streamlines the infrastructure of the 
National Protection and Programs Directorate and redesignates it as the 
Cybersecurity and Infrastructure Security Agency. This realignment will 
achieve the DHS' goal of creating a stand-alone operational 
organization, focusing on and elevating the vital cybersecurity mission 
of the Department.
  This bill requires the appointment of a Director who is responsible 
for leading cybersecurity and infrastructure programs and operations 
for the agency, developing and utilizing mechanisms for active and 
frequent collaboration with sector-specific agencies, and coordinating 
and implementing comprehensive strategic plans and risk assessments for 
the agency.
  This action enjoys great support from the DHS. Less than two weeks 
ago, while addressing cybersecurity issues in testimony before our 
committee, then-Acting Secretary Elaine Duke stated: ``In the face of 
these digital threats, it is a DHS priority to work with Congress on 
legislation that would focus our cybersecurity and critical 
infrastructure mission at the NPPD.''
  Taking action today reaffirms that priority.
  Cybersecurity is an issue that transcends partisan politics. In light 
of the risk and potential consequence of cyber attacks, we must stand 
together and strengthen the security of digital America and the 
resilience of our cyber networks.
  I would like to thank the members of the Homeland Security Committee, 
Ranking Member Thompson, and the staff for all their hard work.
  I would also like to thank the Energy and Commerce Committee 
chairman, Mr. Walden; the Transportation and Infrastructure Committee 
chairman, Mr. Shuster; and the Oversight and Government Reform 
Committee chairman, Mr. Gowdy, for their efforts to see this through.
  Mr. Speaker, this is another bipartisan example of how varied 
stakeholders can come together and draft and pass important 
legislation. It is an opportunity we have today to elevate the 
importance of cybersecurity at the Department of Homeland Security to 
achieve its goal of protecting the United States. I urge my colleagues 
to support this vital piece of legislation.
  Mr. Speaker, I reserve the balance of my time.

                                         House of Representatives,


                             Committee on Energy and Commerce,

                                 Washington, DC, December 8, 2017.
     Hon. Michael T. McCaul,
     Chairman, Committee on Homeland Security,
     Washington, DC.
       Dear Chairman McCaul: I am writing to notify you that the 
     Committee on Energy and Commerce will forgo action on H.R. 
     3359, Cybersecurity and Infrastructure Security Agency Act of 
     2017, so that it may proceed expeditiously to the House floor 
     for consideration. This is done with the understanding that 
     the Committee's jurisdictional interests over this and 
     similar legislation are in no way diminished or altered. In 
     addition, the Committee reserves the right to seek conferees 
     on H.R. 3359 and expects your support when such a request is 
     made.
       Please include a copy of this letter outlining our mutual 
     understanding with respect to H.R. 3359 in the Congressional 
     Record during consideration of the bill on the House floor.
           Sincerely,
                                                      Greg Walden,
     Chairman.
                                  ____

                                         House of Representatives,


                               Committee on Homeland Security,

                                 Washington, DC, December 7, 2017.
     Hon. Greg Walden,
     Chairman, Committee on Energy and Commerce,
     Washington, DC.
       Dear Chairman Walden: Thank you for your letter regarding 
     H.R. 3359, the ``Cybersecurity and Infrastructure Security 
     Agency Act of 2017.'' I appreciate your support in bringing 
     this legislation before the House of Representatives, and 
     accordingly, understand that the Committee on Energy and 
     Commerce will forego further consideration of the bill.
       The Committee on Homeland Security concurs with the mutual 
     understanding that by foregoing consideration of this bill at 
     this time, the Committee on Energy and Commerce does not 
     waive any jurisdiction over the subject matter contained in 
     this bill or similar legislation in the future. In addition, 
     should a conference on this bill be necessary, I would 
     support your request to have the Committee represented on the 
     conference committee.
       I will insert copies of this exchange in the report on the 
     bill and in the Congressional Record during consideration of 
     this bill on the House floor. I thank you for your 
     cooperation in this matter.
           Sincerely,
                                                Michael T. McCaul,
     Chairman.
                                  ____

         House of Representatives, Committee on Oversight and 
           Government Reform,
                                 Washington, DC, December 7, 2017.
     Hon. Michael T. McCaul,
     Chairman, Committee on Homeland Security, House of 
         Representatives, Washington, DC.
       Dear Mr. Chairman: I write concerning H.R. 3359, the 
     ``Cybersecurity and Infrastructure Security Agency Act of 
     2017.'' This bill would amend the Homeland Security Act of 
     2002 to authorize the Cybersecurity and Infrastructure 
     Security Agency of the Department of Homeland Security and 
     contains provisions within the jurisdiction of the Committee 
     on Oversight and Government Reform. As a result of your 
     having consulted with me concerning the provisions of the 
     bill that fall within our Rule X jurisdiction, I agree to 
     forgo consideration of the bill, so the bill may proceed 
     expeditiously to the House floor.
       The Committee takes this action with our mutual 
     understanding that by foregoing consideration of H.R. 3359 at 
     this time we do not waive any jurisdiction over the subject 
     matter contained in this or similar legislation, and we will 
     be appropriately consulted and involved as the bill or 
     similar legislation moves forward so that we may address any 
     remaining issues that fall within our Rule X jurisdiction. 
     Further, I request your support for the appointment of 
     conferees from the Committee on Oversight and Government 
     Reform during any House-Senate conference convened on this or 
     related legislation.
       Finally, I would appreciate your response to this letter 
     confirming this understanding and ask that a copy of our 
     exchange of letters on this matter be included in the bill 
     report filed by the Committee on Homeland Security, as well 
     as in the Congressional Record during floor consideration 
     thereof.
           Sincerely,
     Trey Gowdy.
                                  ____

                                         House of Representatives,


                               Committee on Homeland Security,

                                 Washington, DC, December 7, 2017.
     Hon. Trey Gowdy,
     Chairman, Committee on Oversight and Government Reform, 
         Washington, DC.
       Dear Chairman Gowdy: Thank you for your letter regarding 
     H.R. 3359, the ``Cybersecurity and Infrastructure Security 
     Agency Act of 2017.'' I appreciate your support in bringing 
     this legislation before the House of Representatives, and 
     accordingly, understand that the Committee on Oversight and 
     Government Reform will forego further consideration of the 
     bill.
       The Committee on Homeland Security concurs with the mutual 
     understanding that by foregoing consideration of this bill at 
     this time, the Committee on Oversight and Government Reform 
     does not waive any jurisdiction over the subject matter 
     contained in this bill or similar legislation in the future. 
     In addition, should a conference on this bill be necessary, I 
     would support your request to have the Committee represented 
     on the conference committee.
       I will insert copies of this exchange in the report on the 
     bill and in the Congressional Record during consideration of 
     this bill on the House floor. I thank you for your 
     cooperation in this matter.
           Sincerely,
                                                Michael T. McCaul,
     Chairman.
                                  ____

         House of Representatives, Committee on Transportation and 
           Infrastructure,
                                 Washington, DC, December 7, 2017.
     Hon. Michael McCaul,
     Chairman, Committee on Homeland Security,
     Washington, DC.
       Dear Chairman McCaul: I write concerning H.R. 3359, the 
     Cybersecurity and Infrastructure Security Agency Act of 2017. 
     This legislation includes matters that fall within the Rule X 
     jurisdiction of the Committee on Transportation and 
     Infrastructure.
       I recognize and appreciate your desire to bring this 
     legislation before the House of Representatives in an 
     expeditious manner, and accordingly, the Committee on 
     Transportation and Infrastructure will forego action on the 
     bill. However, this is conditional on our mutual 
     understanding that foregoing consideration of the bill does 
     not prejudice the Committee with respect to the appointment 
     of conferees or to any future jurisdictional claim over the 
     subject matters contained in the bill or similar legislation 
     that fall within the Committee's Rule X jurisdiction. 
     Further, this is conditional on our understanding that 
     mutually agreed upon changes to the legislation will be 
     incorporated into the bill prior to floor consideration. 
     Lastly, should a conference on the bill be necessary, I 
     request your support for the appointment of conferees from 
     the Committee on Transportation and Infrastructure during any 
     House-Senate conference convened on this or related 
     legislation.
       I would ask that a copy of this letter and your response 
     acknowledging our jurisdictional interest as well as the 
     mutually agreed upon changes to be incorporated into the bill 
     be included in the Congressional Record during consideration 
     of the measure on the House floor, to memorialize our 
     understanding.
       I look forward to working with the Committee on Homeland 
     Security as the bill moves through the legislative process.
           Sincerely,
                                                     Bill Shuster,
     Chairman.
                                  ____

                                         House of Representatives,


                               Committee on Homeland Security,

                                 Washington, DC, December 7, 2017.
     Hon. Bill Shuster,
     Chairman, Committee on Transportation and Infrastructure, 
         Washington, DC.
       Dear Chairman Shuster: Thank you for your letter regarding 
     H.R. 3359, the ``Cybersecurity and Infrastructure Security 
     Agency Act of 2017.'' I appreciate your support in bringing 
     this legislation before the House of Representatives, and 
     accordingly, understand that the Committee on Transportation 
     and Infrastructure will forego further consideration of the 
     bill.
       The Committee on Homeland Security concurs with the mutual 
     understanding that by foregoing consideration of this bill at 
     this time, the Committee on Transportation and Infrastructure 
     does not waive any jurisdiction over the subject matter 
     contained in this bill or similar legislation in the future. 
     In addition, should a conference on this bill be necessary, I 
     would support your request to have the Committee represented 
     on the conference committee. The Committee on Homeland 
     Security will include mutually agreed upon changes to the 
     legislation into the bill prior to floor consideration.
       I will insert copies of this exchange in the report on the 
     bill and in the Congressional Record during consideration of 
     this bill on the House floor. I thank you for your 
     cooperation in this matter.
           Sincerely,
                                                Michael T. McCaul,
                                                         Chairman.

  Ms. BARRAGAN. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of H.R. 3359, the Cybersecurity and 
Infrastructure Security Agency Act of 2017.
  Mr. Speaker, H.R. 3359 would make long-overdue organizational changes 
within the Department of Homeland Security's National Protection and 
Programs Directorate, otherwise known as NPPD.
  I am a strong supporter of this measure that seeks to empower the DHS 
to carry out one of its most important and difficult missions: helping 
Federal agencies and critical infrastructure owners and operators 
secure themselves against physical and cyber attacks.
  Importantly, it would rename NPPD the Cybersecurity and 
Infrastructure Security Agency, or CISA, to better communicate its 
mission to stakeholders, agency partners, and the cyber talent the DHS 
needs to come work in the Federal Government.
  Now, make no mistake, these are not mere administrative or 
bureaucratic changes. H.R. 3359 would transform NPPD into an 
operational agency on par with the TSA or Customs and Border 
Protection.
  It seems that, with each passing day, we learn of new ways 
adversaries and cyber criminals are looking to exploit the cyber 
weaknesses of Federal agencies and our Nation's critical 
infrastructure. Last year, we found ourselves in uncharted territory 
when we learned that our electoral system was under attack by one of 
the world's most sophisticated cyber actors: the Russian Government.
  Now, to respond to these evolving cyber threats, Congress has put its 
faith in the DHS; and, in turn, the DHS looks to NPPD, a small, under-
resourced headquarters component established a decade ago to carry out 
a far more limited mission than the one it has today.
  Over the past few years, Congress has expanded NPPD's cyber 
authorities and responsibilities without elevating
NPPD's standing commensurate with its growing mission.
  Further, as NPPD has gotten better at delivering cybersecurity 
assistance and other services to public and private sector partners, it 
has seen a surge in demand for its services. For example, in the wake 
of the Russian efforts to hack the 2016 Presidential election, State 
and local elected officials are now requesting DHS cybersecurity 
services.
  Secretaries of Homeland Security came to us during the Obama 
administration, and now under the Trump administration, to ask for our 
help in organizing the Directorate into an operational cybersecurity 
agency. It is time we grant this request.
  Reorganizing and rebranding NPPD should enhance the DHS' standing 
with respect to its Federal and international peers, clarify its 
organizational mission, and boost workforce morale. Our expectation is 
that, with higher morale and mission clarity, the DHS will be able to 
better compete with the private sector and Federal agencies, like the 
NSA and the CIA, for a short supply of talented cyber professionals.
  Finally, CISA will be in a better position to carry out its core 
cybersecurity and infrastructure protection activities, like risk and 
vulnerability assessments for hospitals, banks, the electrical grid, 
and now election systems. We need NPPD to carry out these activities 
swiftly, effectively, and in a way that respects privacy and civil 
liberties; and we cannot expect it to work with one hand tied behind 
its back.
  This bill is the result of bipartisan negotiations, and I want to 
thank Chairman McCaul and Chairman Ratcliffe for their commitment to 
see this through and working collaboratively to get this done.
  Mr. Speaker, I reserve the balance of my time.
  Mr. McCAUL. Mr. Speaker, I yield 5 minutes to the distinguished 
gentleman from Texas (Mr. Ratcliffe), the chairman of the Subcommittee 
on Cybersecurity and Infrastructure Protection.
  Mr. RATCLIFFE. Mr. Speaker, I rise today in support of the 
Cybersecurity and Infrastructure Security Agency Act of 2017.
  Mr. Speaker, we are here today to take action on what I believe is 
the defining public policy challenge of our generation: the 
cybersecurity posture of the United States.
  We have seen cyber attacks hit every sector of our economy with 
devastating impacts to both government agencies and to the private 
sector alike. It is our duty to ensure that we are doing our very best 
to defend against the very real threats that our cyber adversaries now 
pose.
  The Department of Homeland Security is the Federal Government's lead 
civilian agency for cybersecurity. Within it, the National Protection 
and Programs Directorate, or NPPD, leads our national effort to 
safeguard and to enhance the resilience of our Nation's physical and 
cyber infrastructure, helping Federal agencies and, when requested, 
also helping the private sector to harden their networks and to respond 
to cybersecurity incidents.
  As the cyber threat landscape continues to evolve, Mr. Speaker, so 
should the Department of Homeland Security. H.R. 3359 elevates the 
cybersecurity and the infrastructure security missions of NPPD to 
strengthen the Federal Government's ability to act and react to the 
changing threat landscape.
  The cybersecurity mission today is extremely challenging due to a 
number of factors: the ability of malicious actors to operate from 
anywhere in the world now, the linkages between cyberspace and our 
physical systems, and the difficulty of reducing vulnerabilities and 
consequences in complex cyber networks.
  The Cybersecurity and Infrastructure Security Act of 2017 rises to 
this challenge and prioritizes the Department of Homeland Security's 
vital role in cyberspace. By authorizing the Cybersecurity and 
Infrastructure Security Agency within the DHS, this bill establishes 
the structure, the nomenclature, and the flexibility to best serve the 
American people.
  The Cybersecurity and Infrastructure Security Agency will be 
structured to best work with partners at all levels of government, from 
the private and the nonprofit sectors, to share information and to 
build greater trust in order to make our cyber and our physical 
infrastructure more secure.
  This bill provides the necessary overarching structure and the 
interdepartmental flexibility to best allow the DHS to execute its 
mission in both cybersecurity and the infrastructure security space.
  Mr. Speaker, we consider this legislation at a great time of 
transition and opportunity for the DHS. Just last week, Kirstjen 
Nielsen was sworn in as the Secretary of Homeland Security. In addition 
to an impressive record of public service, Secretary Nielsen brings 
unprecedented cybersecurity experience and savvy to the agency, 
qualifications fitting the threat landscape that she now inherits.

                              {time}  1645

  We owe it to her and to the dedicated women and men working alongside 
her to ensure that DHS has the proper organization and resources to 
carry out its mission as the lead civilian cybersecurity agency in our 
Federal Government.
  Mr. Speaker, I want to thank Chairman McCaul for his leadership and 
his dogged determination in this effort and getting this bill to the 
floor, as well as the other committees of jurisdiction who worked 
closely to craft this compromise.
  Mr. Speaker, the cybersecurity challenges we face are about more than 
protecting bottom lines or intellectual property or even our Nation's 
most sensitive classified information. Ultimately, our obligation as 
lawmakers to be protective cybersecurity stewards stems from a 
fundamental obligation to safeguard the American people. This is what 
we aim to do with this legislation, and I urge my colleagues to join me 
in supporting it.
  Ms. BARRAGAN. Mr. Speaker, I reserve the balance of my time.
  Mr. McCAUL. Mr. Speaker, I yield 1 minute to the gentleman from 
Wisconsin (Mr. Gallagher).
  Mr. GALLAGHER. Mr. Speaker, I rise today in support of H.R. 3359, of 
which I am a proud cosponsor.
  This bill provides an updated framework to reorganize and grant 
additional authorities to the Department of Homeland Security's 
cybersecurity and infrastructure protection missions.
  Currently, the National Protection and Programs Directorate has 
responsibility for overseeing the Department's cyber roles; and while 
DHS has come a long way since inception in 2002, the rapid adaptation 
of threats in cyberspace demands that we continue to look for ways to 
evolve and demands that we who oversee this are more nimble and that we 
can adapt accordingly and keep outpacing our adversaries.
  As we have seen, Russia, China, Iran, and various nonstate actors 
have all demonstrated a willingness to penetrate American networks. We 
have had high-ranking military officials in our military claim that we 
are already outgunned in cyberspace right now, and it is up to us to 
sound the alarm and make sure that we are staying ahead of our 
adversaries.
  Mr. Speaker, I am proud to be part of that effort. I salute the 
chairman; and, given the Department of Homeland Security's central role 
in protecting the Federal Government's civilian networks, it is 
imperative that Congress, through its oversight role, ensures that the 
men and women at DHS have all the legal authorities they need to carry 
out this mission.
  Mr. Speaker, this bill has been a priority of the Homeland Security 
Committee for several years, and I want to acknowledge the chairman for 
his continued leadership on this issue.
  Ms. BARRAGAN. Mr. Speaker, I reserve the balance of my time.
  Mr. McCAUL. Mr. Speaker, I yield 2 minutes to the gentleman from 
Louisiana (Mr. Higgins).
  Mr. HIGGINS of Louisiana. Mr. Speaker, I rise today in support of 
H.R. 3359, the Cybersecurity and Infrastructure Security Agency Act of 
2017, authored by my colleague, Homeland Security Committee Chairman 
McCaul. I am an original cosponsor of this bill.
  Mr. Speaker, America faces a new, emerging peril: threats to our 
cyber systems and networks. This bill calls for the authorization of a 
designated cybersecurity agency within DHS by retasking the National 
Protection and Programs Directorate as the Cybersecurity and 
Infrastructure Security Agency. This change will allow DHS to provide 
specific focus on the ever-increasing cyber threats that face our 
Nation. This bill will help to ensure that the United States can 
respond to any attack against our Nation's cyber assets.
  Mr. Speaker, I thank Chairman McCaul for his work on crafting this 
important piece of legislation, and I urge all my colleagues on both 
sides of the aisle to support its passage.
  Ms. BARRAGAN. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, H.R. 3359 has broad support on both sides of the aisle.
  We talk a lot about the need to harden our cyber defenses against an 
evolving array of virtual threats. Reorganizing and rebranding NPPD as 
the Cybersecurity and Infrastructure Security Agency has the potential 
of enhancing DHS' cybersecurity capacity, boosting morale, and bringing 
its critical infrastructure protection workforce together in an 
unprecedented way.
  As an operational agency, CISA will be positioned to foster better 
collaboration between the cyber and physical sides of the house, 
bringing its cybersecurity analysts together with chemical inspectors, 
protective security advisers, emergency communication specialists, and 
Federal Protective Service officers for a more holistic approach to 
critical infrastructure protection.
  Mr. Speaker, mapping out a new agency is a complicated task, but this 
measure is long overdue. I urge my colleagues to support this 
bipartisan legislation, and I yield back the balance of my time.
  Mr. McCAUL. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, I cannot go into the classified space in this setting, 
but I can tell you that our foreign adversaries are looking to hurt us 
and hit us every day, whether it be from Russia, from China, from Iran, 
from North Korea. The attacks have targeted Home Depot, Sony, Equifax, 
20 million security clearances stolen, to other reports that I can't 
even get into. But it is a serious threat.
  When people ask me what keeps me up at night, of course ISIS does and 
of course al Qaida does. What happened today in New York, I was just 
there this morning when the bomb went off. But a cyber attack could 
bring down our power grid, could bring down our stock market, our 
financial institutions, our energy sector. A major cyber attack on this 
Nation could cripple this Nation and its economy and the lives of the 
people in the United States. Mr. Speaker, that is why this bill is so 
important, to elevate the civilian agency within the Department, to 
form a single agency that deals with cybersecurity.
  I am very proud of the work my colleagues have done to get to this 
point. I have been, as Mr. Ratcliffe said, very dogged in my 
determination, and I would urge that the Senate take up this measure 
because we cannot afford to delay because the threat is that great.
  Mr. Speaker, I yield back the balance of my time.
  Mr. LANGEVIN. Mr. Speaker, let me begin by thanking Chairman McCaul 
and Ranking Member Thompson for their dedication to improving our 
cybersecurity posture. Since the Chairman and I founded the 
Congressional Cybersecurity Caucus together nearly a decade ago, I have 
come to firmly believe that cybersecurity is the national and economic 
security challenge of the 21st Century, and both Congress and the 
executive branch must take steps to recognize and mitigate the risks we 
face in our hyper-connected society. Thanks to the leadership of the 
Chairman and Ranking Member, the Committee on Homeland Security has 
consistently been at the forefront on these issues, and while much 
remains to be done, we are worlds away from when I originally took the 
cyber subcommittee gavel in 2007. The bill we have before us today is a 
testament to those efforts, and I strongly support this latest 
iteration of CISA to reorganize the National Protection and Programs 
Directorate (NPPD) and enhance the capabilities and the profile of 
DHS's cybersecurity activities.
  As one of its core missions, DHS is charged with helping Federal 
agencies and critical infrastructure owners and operators secure 
themselves against physical and cyber attacks. For the past decade, 
that mission has been carried out by NPPD, a small headquarters 
component of the Department. Since its establishment, NPPD's role in 
defending the nation and the .gov domain from cyber intrusions has 
grown in concert with the increasing threat to our networks.
  It's a growth that the Committee--and the Congress as a whole--has 
recognized and encouraged, with the passage of laws including the 
National Cybersecurity Protection Act of 2014, which authorized the 
National Cybersecurity and Communications Integration Center, and the 
Cybersecurity Act of 2015, which made NPPD the federal government's 
primary hub for cyber threat indicator sharing. Today, NPPD is home to 
two of the premier computer security incident response teams in the 
world and has been recognized as the whole-of-government asset response 
lead in the National Cyber Incident Response Plan. It also continues to 
lead efforts in protecting federal networks through the Federal Network 
Resilience Division, which assists other agencies with risk management, 
guides enterprise security policy, and implements programs like 
Continuous Diagnostics and Mitigation and EINSTEIN.
  NPPD is clearly acting in an operational capacity today, but despite 
this fact, Congress has not yet elevated NPPD's standing to be 
commensurate with these added responsibilities. H.R. 3359 acknowledges 
the evolution of the component by transforming NPPD into an operational 
agency on par with TSA or Customs and Border Protection. As part of the 
reorganization, NPPD will be renamed the ``Cybersecurity and 
Infrastructure Security Agency,'' or CISA, to accurately reflect its 
role.
  This restructuring was the top legislative priority of DHS Secretary 
Jeh Johnson before he left office, and I am grateful that Secretary 
Kelly took up the mantle in the new Administration.
  Bringing clarity with the new agency structure also stands to benefit 
the many cyber defenders working tirelessly at the Department to keep 
us safe. I have often said that all of the risk mitigation policies and 
intrusion detection systems in the world are nothing without a skilled 
workforce. Congress and the Department have been working jointly to 
reduce the shortage of cybersecurity analysts at NPPD, and it is my 
hope that an empowered Cybersecurity and Infrastructure Security Agency 
will be able to compete for the best cyber talent. After all, what 
mission is more exciting than protecting your fellow Americans from the 
canniest of adversaries attempting to do us harm in this new domain? I 
hope that all of the young people considering a career in this emerging 
field--young people like the brilliant CyberCorps students I enjoy 
speaking with--will look at Congress's support for DHS's cybersecurity 
work and jump at the opportunity to be in the vanguard at this new 
agency.
  Mr. Speaker, I also want to speak about the important clarity H.R. 
3359 brings to a broader policy debate that has been kicking around 
Washington, DC, for some time now.
  I serve on the House Armed Services Committee, where I am privileged 
to act as Ranking Member of the Subcommittee on Emerging Threats and 
Capabilities. In this role, I oversee United States Cyber Command, and 
I have the utmost respect for the service members in uniform defending 
our country in the digital domain. I have also had the privilege to 
serve on the Permanent Select Committee on Intelligence, where I heard 
weekly about the all-too-often unsung heroes of our Intelligence 
Community and their efforts to protect our national interests in 
cyberspace.
  I say this, Mr. Speaker, because I want to be clear that I have a 
deep understanding of and appreciation for our military and 
intelligence services' cybersecurity prowess.
  But I also believe that the powers and authorities of those entities 
are rightly constrained when it comes to domestic activities. 
Protecting our domestic cyber assets in peacetime needs to be the 
responsibility of a civilian organization, and that organization is the 
Cybersecurity and Infrastructure Security Agency created under this 
bill. We saw this debate play out during consideration of the 
Cybersecurity Information Sharing Act of 2015, where it was also 
decided in favor of a civilian hub, the NCCIC that is at the heart of 
NPPD. I hope passage of H.R. 3359 will help move the debate on from 
where authorities should be housed and instead focus on the 
operationalization of said authorities.
  Mr. Speaker, as I mentioned at the outset, this bill owes its 
existence to the collaborative 
efforts of Chairman McCaul and Ranking Member Thompson. But it also 
reflects the bipartisan spirit of two of my good friends who head the 
Subcommittee on Cybersecurity and Infrastructure Protection, Mr. 
Ratcliffe and Mr. Richmond. And, like any effort of this body, it owes 
a great deal to the staff who work tirelessly behind the scenes 
supporting our efforts. In particular, I would like to thank Kirsten Duncan 
and Moira Bergin, the Majority and Minority staff directors for the 
Cyber Subcommittee for helping to get this bill to the Floor. And I 
would also like to thank their predecessors, Brett DeWitt and Chris 
Schepis, for laying the groundwork for its consideration this Congress.
  This bill is important. It's bipartisan. And it's overdue. I hope my 
colleagues will join me in supporting this important measure, and I 
hope the Senate moves swiftly to pass it through their Chamber.
  Ms. JACKSON LEE. Mr. Speaker, I rise to speak in support of H.R. 
3359, the Cybersecurity and Infrastructure Security Agency Act of 2017.
  I thank Chairman McCaul for introducing this important piece of 
legislation that addresses the cybersecurity needs of our nation.
  H.R. 3359 amends the Homeland Security Act of 2002 to redesignate 
the Department of Homeland Security's (DHS's) National Protection and 
Programs Directorate as the Cybersecurity and Infrastructure Security 
Agency (CISA).
  Under its new designation the CISA would be headed by a Director of 
National Cybersecurity and Infrastructure Security, who will be 
responsible for leading national efforts to protect and enhance the 
security and resilience of U.S. cybersecurity, emergency 
communications, and critical infrastructure.
  CISA will be composed of DHS components reorganized as: the 
Cybersecurity Division; the Infrastructure Security Division; and the 
Emergency Communications Division, which was previously the Office for 
Emergency Communications.
  The agency will also have its own privacy officer to ensure 
compliance with relevant federal laws.
  CISA must carry out DHS's responsibilities concerning chemical 
facilities antiterrorism standards.
  The bill requires DHS to:
  develop, implement, and continually review a maritime cybersecurity 
risk assessment model to evaluate current and future cybersecurity 
risks;
  seek input from at least one information sharing and analysis 
organization representing maritime interests in the National 
Cybersecurity and Communications Integration Center;
  establish voluntary reporting guidelines for maritime-related 
cybersecurity risks and incidents;
  request that the National Maritime Security Advisory Committee report 
and make recommendations to DHS about methods to enhance cybersecurity 
and information sharing among security stakeholders from federal, 
state, local, and tribal governments; public safety and emergency 
response agencies; law enforcement and security organizations; maritime 
industry participants; port owners and operators; and maritime terminal 
owners and operators; and
  ensure that maritime security risk assessments include cybersecurity 
risks to ports and the maritime border of the United States.
  As with other threats that this nation has faced and overcome, we 
must create the resources and the institutional responses to protect 
our nation against cyber threats while preserving our liberties and 
freedoms.
  We cannot accomplish this task without the full cooperation and 
support of the private sector, computing research community and 
academia.
  Earlier this Congress, I introduced H.R. 3202, the Cyber 
Vulnerability Disclosure Reporting Act, which was passed by the full 
Homeland Security Committee.
  H.R. 3202 requires the Secretary of Homeland Security to submit a 
report on the policies and procedures developed for coordinating cyber 
vulnerability disclosures.
  The report will include an annex with information on instances in 
which cyber security vulnerability disclosure policies and procedures 
were used to disclose details on identified weaknesses in computing 
systems that or digital devices at risk.
  The report will provide information on the degree to which the 
information provided by DHS was used by industry and other 
stakeholders.
  The reason that I worked to bring this bill before the committee is 
the problem often referred to as a ``Zero Day Event,'' which describes 
the situation that network security professionals may find themselves in 
when a previously unknown error in computing code is exploited by a 
cybercriminal or terrorist.
  I am pleased that the Committee on Homeland Security passed H.R. 3202 
to address the need to support information sharing regarding threats to 
computing networks.
  I look forward to the Full House consideration of H.R. 3202.
  In the first few weeks of this Congress I introduced a number of 
measures on the topic of cybersecurity to address gaps in our nation's 
cyber defensive posture:
  SCOUTS Act--H.R. 940;
  CAPITALS Act--H.R. 54;
  SAFETI Act--H.R. 950;
  Terrorism Prevention and Critical Infrastructure--H.R. 945; and
  Cybersecurity and Federal Workforce Enhancement Act--H.R. 935.
  H.R. 940, the ``Securing Communications of Utilities from Terrorist 
Threats'' or the ``SCOUTS Act,'' directs the Secretary of Homeland 
Security, in coordination with the sector-specific agencies, to work 
with critical infrastructure owners and operators and State, local, 
tribal, and territorial entities to seek voluntary participation on 
ways that DHS can best defend against and recover from terrorist 
attacks that could have a debilitating impact on national security, 
economic stability, public health and safety, or any combination 
thereof.
  H.R. 940 is relevant to today's hearing because it addresses the 
need for a two-way communication process that enables private sector 
participants in information sharing arrangements with DHS to 
communicate their views on the effectiveness of the information 
provided; the method of information sharing; and their particular needs 
as time passes.
  Specifically the bill establishes voluntary listening opportunities 
for sector specific entities to communicate their challenges regarding 
cybersecurity, including what needs they may have for critical 
infrastructure protection; and how DHS is helping or not helping to 
meet those needs.
  The Society of Maintenance and Reliability Professionals have 
endorsed H.R. 940, and input on the legislation included the Edison 
Electric Institute, an electric utility association.
  H.R. 54, the Department of Homeland Security's Cybersecurity Asset 
Protection of Infrastructure under Terrorist Attack Logistical 
Structure or CAPITALS Act, directs the Department of Homeland 
Security (DHS) to produce a report to Congress regarding the 
feasibility of establishing a DHS Civilian Cyber Defense National 
Resource.
  H.R. 950 requires a report and assessment regarding Department of 
Homeland Security's response to terrorist threats to Federal elections. 
The Comptroller General of the United States is directed to conduct an 
assessment of the effectiveness of Department of Homeland Security 
actions to protect election systems from cyber-attacks and to make 
recommendations for improvements to the actions taken by DHS if 
determined appropriate.
  H.R. 935, the ``Cybersecurity and Federal Workforce Enhancement Act,'' 
identifies and trains people already in the workforce who can obtain 
the skills to address our nation's deficit in the number of workers and 
positions available for those with needed skills.
  H.R. 940, the ``Securing Communications of Utilities from Terrorist 
Threats'' or the ``SCOUTS Act,'' is relevant to today's hearing 
because this bill focuses on the communications sent by DHS to sector 
specific entities and the ability of these entities to communicate to 
the agencies their perspective on the usefulness of the information; 
the form of communication that would be most helpful; and requires a 
report to Congress by DHS on the views of critical infrastructure 
owners and operators on the information sharing process related to 
cybersecurity.
  Each of these bills will build upon an aggressive approach for 
securing cyber technology to manage critical infrastructure, chemical 
facilities, and port operations, ranging from communication and 
navigation to engineering, safety, and pipelines, that are critical to 
protect our nation's interest.
  Over the past year, Russian actors targeted U.S. election 
infrastructure, hackers escalated efforts to breach the domestic energy 
sector, and WannaCry and NotPetya ransomware wreaked havoc on public 
and private infrastructure around the world.
  Symantec, a leading provider of cybersecurity solutions, 
said that ``The world of cyber espionage experienced a notable shift 
towards more overt activity, designed to destabilize and disrupt 
targeted organizations and countries.''
  As cyber threats continue to evolve and become more sophisticated, so 
must U.S. efforts to confront them.
  The Department of Homeland Security, through the National Protection 
and Programs Directorate (NPPD), plays a central role in the federal 
government's cybersecurity apparatus and in coordinating federal 
efforts to secure critical infrastructure.
  DHS is charged with coordinating agency efforts to secure the 
(dot).gov Domain, while 
also serving as the hub for cybersecurity information sharing between 
and among the private sector and federal government.
  It is my hope that as this Congress moves forward that we will seek 
out the best ways to bring the brightest and most qualified people into 
the government as cybersecurity professionals.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Texas (Mr. McCaul) that the House suspend the rules and 
pass the bill, H.R. 3359, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________