[House Report 114-284]
[From the U.S. Government Publishing Office]


114th Congress   }                                       {      Report
                        HOUSE OF REPRESENTATIVES
 1st Session     }                                       {     114-284

======================================================================



 
   DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY STRATEGY ACT OF 2015

                                _______
                                

October 6, 2015.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 3510]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3510) to amend the Homeland Security Act of 2002 
to require the Secretary of Homeland Security to develop a 
cybersecurity strategy for the Department of Homeland Security, 
and for other purposes, having considered the same, reports 
favorably thereon with an amendment and recommends that the 
bill as amended do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported
    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Department of Homeland Security 
Cybersecurity Strategy Act of 2015''.

SEC. 2. CYBERSECURITY STRATEGY FOR THE DEPARTMENT OF HOMELAND SECURITY.

  (a) In General.--Subtitle C of title II of the Homeland Security Act 
of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the 
following new section:

``SEC. 230. CYBERSECURITY STRATEGY.

  ``(a) In General.--Not later than 60 days after the date of the 
enactment of this section, the Secretary shall develop a departmental 
strategy to carry out cybersecurity responsibilities as set forth in 
law.
  ``(b) Contents.--The strategy required under subsection (a) shall 
include the following:
          ``(1) Strategic and operational goals and priorities to 
        successfully execute the full range of the Secretary's 
        cybersecurity responsibilities.
          ``(2) Information on the programs, policies, and activities 
        that are required to successfully execute the full range of the 
        Secretary's cybersecurity responsibilities, including programs, 
        policies, and activities in furtherance of the following:
                  ``(A) Cybersecurity functions set forth in the second 
                section 226 (relating to the national cybersecurity and 
                communications integration center).
                  ``(B) Cybersecurity investigations capabilities.
                  ``(C) Cybersecurity research and development.
                  ``(D) Engagement with international cybersecurity 
                partners.
  ``(c) Considerations.--In developing the strategy required under 
subsection (a), the Secretary shall--
          ``(1) consider--
                  ``(A) the cybersecurity strategy for the Homeland 
                Security Enterprise published by the Secretary in 
                November 2011;
                  ``(B) the Department of Homeland Security Fiscal 
                Years 2014-2018 Strategic Plan; and
                  ``(C) the most recent Quadrennial Homeland Security 
                Review issued pursuant to section 707; and
          ``(2) include information on the roles and responsibilities 
        of components and offices of the Department, to the extent 
        practicable, to carry out such strategy.
  ``(d) Implementation Plan.--Not later than 90 days after the 
development of the strategy required under subsection (a), the 
Secretary shall issue an implementation plan for the strategy that 
includes the following:
          ``(1) Strategic objectives and corresponding tasks.
          ``(2) Projected timelines and costs for such tasks.
          ``(3) Metrics to evaluate performance of such tasks.
  ``(e) Congressional Oversight.--The Secretary shall submit to the 
Committee on Homeland Security of the House of Representatives and the 
Committee on Homeland Security and Governmental Affairs of the Senate 
for assessment the following:
          ``(1) A copy of the strategy required under subsection (a) 
        upon issuance.
          ``(2) A copy of the implementation plan required under 
        subsection (d) upon issuance, together with detailed 
        information on any associated legislative or budgetary 
        proposals.
  ``(f) Prohibition on Reorganization.--In the event that the strategy 
required under subsection (a) or implementation plan required under 
subsection (d) includes actions to reorganize departmental components 
or offices, such actions may not be executed without prior 
congressional authorization.
  ``(g) Classified Information.--The strategy required under subsection 
(a) shall be in an unclassified form but may contain a classified 
annex.
  ``(h) Rule of Construction.--Nothing in this section may be construed 
as permitting the Department to engage in monitoring, surveillance, 
exfiltration, or other collection activities for the purpose of 
tracking an individual's personally identifiable information.
  ``(i) Definitions.--In this section:
          ``(1) Cybersecurity risk.--The term `cybersecurity risk' has 
        the meaning given such term in the second section 226, relating 
        to the national cybersecurity and communications integration 
        center.
          ``(2) Homeland security enterprise.--The term `Homeland 
        Security Enterprise' means relevant governmental and 
        nongovernmental entities involved in homeland security, 
        including Federal, State, local, and tribal government 
        officials, private sector representatives, academics, and other 
        policy experts.
          ``(3) Incident.--The term `incident' has the meaning given 
        such term in the second section 226, relating to the national 
        cybersecurity and communications integration center.''.
  (b) Clerical Amendment.--The table of contents in section 1(b) of the 
Homeland Security Act of 2002 is amended by adding at the end of the 
list of items for subtitle C of title II the following new item:

``Sec. 230. Cybersecurity strategy.''.

  (c) Amendment to Definition.--Paragraph (2) of subsection (a) of the 
second section 226 of the Homeland Security Act of 2002 (6 U.S.C. 148; 
relating to the national cybersecurity and communications integration 
center) is amended to read as follows:
          ``(2) the term `incident' means an occurrence that actually 
        or imminently jeopardizes, without lawful authority, the 
        integrity, confidentiality, or availability of information on 
        an information system, or actually or imminently jeopardizes, 
        without lawful authority, an information system;''.

                          Purpose and Summary

    The purpose of H.R. 3510 is to amend the Homeland Security 
Act of 2002 to instruct the Secretary of the Department of 
Homeland Security (Department or DHS) to develop a departmental 
cybersecurity strategy and implementation plan to carry out the 
cybersecurity responsibilities of the department and to 
prohibit the department from reorganizing or realigning offices 
within the National Protection and Programs Directorate without 
Congressional approval.

                  Background and Need for Legislation

    Cyber attacks stand to disrupt the operations of 
government, businesses, and the lives of the American people. 
Increasingly sophisticated cyber threats have underscored the 
need to manage and strengthen the cybersecurity of the nation's 
critical infrastructure. The Government Accountability Office 
(GAO) recommended that an overarching Federal cybersecurity 
strategy be implemented and that such strategy should define 
key elements of a national strategy including roles and 
responsibilities. H.R. 3510 ensures DHS develops such a 
strategy.
    On September 4, 2015, the Department's Inspector General 
issued a report entitled ``DHS Can Strengthen Its Cyber Mission 
Coordination Efforts'' that recommended that DHS ``develop a 
comprehensive, cross-departmental strategic implementation plan 
that defines components' cyber missions and responsibilities, 
including long-term goals, performance metrics, and milestones 
to measure progress in unifying the Department's incident 
response and coordination efforts'' (DHS-OIG-15-140). H.R. 3510 
directs the Department to develop a department-wide strategy 
and implementation plan to ensure performance of its multi-
faceted cybersecurity mission.
    At present, efforts are underway within the Department for 
a wide-scale reorganization of the National Protection and 
Programs Directorate (NPPD). It is critical that Congress be 
provided a legislative proposal to determine whether or not the proposed 
changes would provide a clear mission, streamline the 
organization's structure, and ensure a qualified workforce to 
successfully carry out its mission. H.R. 3510 also seeks to 
ensure such congressional oversight by requiring congressional 
authorization for any such action.
    The Committee is concerned with the lack of transparency on 
the Department's efforts to reorganize to carry out its 
cybersecurity and infrastructure protection missions. The 
Committee communicated this concern to the Secretary of 
Homeland Security in a letter sent September 15, 2015, and made 
it clear that any reorganization or realignment will require 
Congressional authorization. Given this Committee's legislative 
and oversight efforts to strengthen Departmental cybersecurity 
functions, it's essential that DHS submit any proposal to 
Congress prior to reorganization or realignment. Congressional 
interest is evident in the numerous pieces of legislation this 
Committee has considered and hearings this Committee has 
conducted.

                                Hearings

    The Committee on Homeland Security did not hold any 
legislative hearings on H.R. 3510; however, the Committee held 
the oversight hearings listed below.
    On February 12, 2015, the Subcommittee held a hearing 
entitled ``Emerging Threats and Technologies to Protect the 
Homeland.'' The Subcommittee received testimony from Mr. Andy 
Ozment, Assistant Secretary, Office of Cybersecurity and 
Communications, National Protection and Programs Directorate, 
U.S. Department of Homeland Security; Dr. Huban Gowadia, 
Director, Domestic Nuclear Detection Office, U.S. Department of 
Homeland Security; Mr. Joseph Martin, Acting Director, Homeland 
Security Enterprise and First Responders Group, Science and 
Technology Directorate, U.S. Department of Homeland Security; 
Mr. William Noonan, Deputy Special Agent in Charge, Criminal 
Investigative Division, Cyber Operations Branch, United States 
Secret Service, U.S. Department of Homeland Security; and Mr. 
William Painter, Analyst, Government and Finance Division, 
Congressional Research Service, Library of Congress.
    On March 4, 2015, the Subcommittee held a hearing entitled 
``Industry Perspectives on the President's Cybersecurity 
Information Sharing Proposal.'' The Subcommittee received 
testimony from Mr. Matthew J. Eggers, Senior Director, National 
Security and Emergency Preparedness, U.S. Chamber of Commerce; 
Ms. Mary Ellen Callahan, Jenner & Block and the Former Chief 
Privacy Officer, U.S. Department of Homeland Security; Mr. 
Gregory T. Garcia, Executive Director, Financial Services 
Sector Coordinating Council; and Dr. Martin Libicki, The RAND 
Corporation.
    On June 24, 2015, the Subcommittee held a hearing entitled 
``DHS' Efforts to Secure .Gov.'' The Subcommittee received 
testimony from Dr. Andy Ozment, Assistant Secretary, Office of 
Cybersecurity and Communications, National Protection and 
Programs Directorate, U.S. Department of Homeland Security; Mr. 
Gregory C. Wilshusen, Director, Information Security Issues, 
Government Accountability Office; and Dr. Daniel M. Gerstein, 
The RAND Corporation.

                        Committee Consideration

    The Committee met on September 30, 2015, to consider 
H.R. 3510, and ordered the measure to be reported to the House 
with a favorable recommendation, as amended, by voice vote. The 
Committee took the following actions:
    The following amendments were offered:
 An Amendment offered by Mr. Clawson (#1); was AGREED TO by 
voice vote.

 Page 5, line 4, insert a new clause entitled ``(h) Rule of 
Construction.''

    The Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies met on September 17, 
2015, to consider H.R. 3510 and reported the measure to the 
Full Committee with a favorable recommendation, without 
amendment, by voice vote.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R. 3510.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
3510, the Department of Homeland Security Cybersecurity 
Strategy Act of 2015, would result in no new or increased 
budget authority, entitlement authority, or tax expenditures or 
revenues.

                  Congressional Budget Office Estimate

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.
                                     U.S. Congress,
                               Congressional Budget Office,
                                   Washington, DC, October 5, 2015.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3510, the 
Department of Homeland Security Cybersecurity Strategy Act of 
2015.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                                        Keith Hall.
    Enclosure.

H.R. 3510--Department of Homeland Security Cybersecurity Strategy Act 
        of 2015

    H.R. 3510 would require the Department of Homeland Security 
(DHS), within 60 days of the bill's enactment, to develop a 
strategy to execute the department's cybersecurity 
responsibilities under current law. The bill also would require 
DHS to issue a plan to implement that strategy not later than 
90 days after the strategy is developed and to deliver the 
strategy and the plan to the Congress. Because DHS is currently 
developing a cybersecurity strategy and would be able to meet 
the deadlines established in the bill, CBO estimates that 
implementing the bill would not have a significant effect on 
the budget.
    Enacting H.R. 3510 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    H.R. 3510 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would not affect the budgets of state, local, or tribal 
governments.
    The CBO staff contact for this estimate is William Ma. The 
estimate was approved by H. Samuel Papenfuss, Deputy Assistant 
Director for Budget Analysis.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, H.R. 3510 contains the following 
general performance goals and objectives, including outcome 
related goals and objectives authorized.
    This legislation requires the Secretary of Homeland 
Security to develop a cybersecurity strategy for the Department 
of Homeland Security (DHS) and to submit such strategy to 
Congress no later than 60 days after the enactment of this 
legislation. The Secretary is also directed to submit an 
implementation plan for the cybersecurity strategy 90 days 
after the development of the strategy. Additionally, this 
legislation would clarify the requirement for DHS to submit 
proposals to Congress prior to reorganization or realignment. 
H.R. 3510 helps to strengthen the security and resiliency of 
cyberspace by requiring the Secretary to thoroughly examine the 
goals, priorities, roles, and responsibilities that are 
necessary to execute its mission. The development of a strategy 
will ensure the Secretary considers cybersecurity functions 
across the Department holistically in order to more effectively 
achieve the cybersecurity priorities of the Department.
    Efforts are presently underway within the Department for a 
wide-scale reorganization of the National Protection and 
Programs Directorate (NPPD). It is critical that Congress be 
provided a legislative proposal to determine whether or not the 
proposed changes would provide a clear mission, streamline the 
organization's structure, and ensure a qualified workforce to 
successfully carry out its mission. H.R. 3510 also seeks to 
ensure proper oversight and transparency and reflects the 
appropriate roles of both the Legislative and Executive 
branches of the Government.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 3510 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of rule 
XXI.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                        Preemption Clarification

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that H.R. 3510 does 
not preempt any State, local, or Tribal law.

                  Disclosure of Directed Rule Makings

    The Committee estimates that H.R. 3510 would require no 
directed rule makings.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1.   Short title

    This section provides that the bill may be cited as the 
``Department of Homeland Security Cybersecurity Strategy Act of 
2015''.

Section 2.   Cybersecurity strategy for the Department of Homeland 
        Security

(a) Subtitle C of title II of the Homeland Security Act of 2002 
is amended to add the following new section:

``Sec. 230. Cybersecurity Strategy.''

(a) In General.
    This subsection directs the Secretary of the Department of 
Homeland Security to develop a departmental strategy to carry 
out cybersecurity responsibilities as set forth in law.

(b) Contents of Strategy.
    This subsection details the contents of the strategy to 
include the strategic and operational goals and priorities 
needed to execute the Department's cybersecurity 
responsibilities including information on its programs, 
policies, and activities. These programs, policies, and 
activities should include the Department's cybersecurity 
functions set forth in the second section 226 of the Homeland 
Security Act (HSA), cybersecurity investigations capabilities, 
cybersecurity research and development, and engagement with 
international cybersecurity partners.
    Cybersecurity functions set forth in the second section 226 
of the HSA include: (1) Being a Federal civilian interface for 
the multi-directional and cross-sector sharing of information 
related to cybersecurity risks, incidents, analysis, and 
warnings for Federal and non-Federal entities; (2) providing 
shared situational awareness to enable real-time, integrated, 
and operational actions across the Federal Government and non-
Federal entities to address cybersecurity risks and incidents 
to Federal and non-Federal entities; (3) coordinating the 
sharing of information related to cybersecurity risks and 
incidents across the Federal Government; (4) facilitating 
cross-sector coordination to address cybersecurity risks and 
incidents, including cybersecurity risks and incidents that may 
be related or could have consequential impacts across multiple 
sectors; (5)(A) conducting integration and analysis, including 
cross-sector integration and analysis, of cybersecurity risks 
and incidents; and (B) sharing the analysis conducted under 
subparagraph (A) with Federal and non-Federal entities; (6) 
upon request, providing timely technical assistance, risk 
management support, and incident response capabilities to 
Federal and non-Federal entities with respect to cybersecurity 
risks and incidents, which may include attribution, mitigation, 
and remediation; and (7) providing information and 
recommendations on security and resilience measures to Federal 
and non-Federal entities, including information and 
recommendations to: (A) facilitate information security; and 
(B) strengthen information systems against cybersecurity risks 
and incidents.

(c) Considerations.
    This subsection requires the Secretary to consider other 
DHS strategic documents when developing the cybersecurity 
strategy including the cybersecurity strategy for the Homeland 
Security Enterprise published by the Secretary in November 
2011, the Department of Homeland Security Fiscal Years 2014-
2018 Strategic Plan, and the most recent Quadrennial Homeland 
Security Review issued pursuant to section 707 of the HSA. It 
must also include information on the roles and responsibilities 
of components and offices across the Department when developing 
the strategy.

(d) Implementation Plan.
    The Secretary is required, no later than 90 days after the 
development of the strategy, to develop a plan for implementing 
the strategy that includes strategic objectives and 
corresponding tasks, projected timelines and costs for such 
tasks, and metrics to evaluate performance.

(e) Congressional Oversight.
    This subsection requires the Secretary to submit the 
required strategy and the implementation plan, along with 
information on any associated legislative or budgetary 
proposals, to the Committee on Homeland Security of the 
House of Representatives and the Committee on Homeland Security 
and Governmental Affairs of the Senate for an assessment.

(f) Prohibition of Reorganization.
    The Committee intends this subsection to prohibit the 
reorganization or realignment of NPPD without Congressional 
authorization. It is the role of the legislative branch to 
authorize and appropriate dollars for the Department of 
Homeland Security. In particular, it is this Committee's role 
and responsibility to legislate and oversee Department 
activities.
    The Committee has previously reviewed Administrative 
legislative proposals and worked with DHS to authorize various 
cyber programs. For example: S. 2521, the Federal Information 
Security Modernization Act of 2014, in which the Secretary of 
Homeland Security was given authority to administer the 
implementation of information security policies and practices; 
H.R. 2952, the Cybersecurity Workforce Assessment Act, in which 
the Secretary was directed to conduct an assessment of the 
cybersecurity workforce of the Department of Homeland Security; 
H.R. 3696, which established the National Cybersecurity and 
Communications Integration Center (NCCIC) and required that the 
Secretary of Homeland Security conduct cybersecurity 
activities; H.R. 3107, which directed the Secretary to develop a 
workforce strategy that enhances the readiness, capacity, 
training, recruitment, and retention of the DHS cybersecurity 
workforce; and H.R. 1731, which would rename NPPD as 
Cybersecurity and Infrastructure Protection and codify a Deputy 
Under Secretary for Cybersecurity and a Deputy Under Secretary 
for Infrastructure Protection. These and other efforts serve to 
represent the important role of Congressional oversight.

(g) Classified Information.
    This subsection requires that the proposed plan must be 
available in an unclassified form, but that it may have a 
classified annex.

(h) Rule of Construction.
    This subsection ensures that nothing in this act can be 
construed to permit the Department to engage in monitoring, 
surveillance, exfiltration, or other collection activities for 
the purpose of tracking an individual's personally identifiable 
information.

(i) Definitions.
    This subsection defines ``cybersecurity risk'' and 
``incident'' as the meaning given to both in the second section 
226 relating to the national cybersecurity and communications 
integration center. ``Homeland Security Enterprise'' is defined as the 
relevant governmental and nongovernmental entities involved in 
homeland security, including Federal, State, local, and tribal 
governmental officials, private sector representatives, 
academics, and other policy experts.

(b) Clerical Amendment.
    This subsection amends the table of contents of the 
Homeland Security Act of 2002.

(c) Amendment to Definition.
    This subsection strikes and replaces the definition of 
``incident'' in the second section 226 of the Homeland Security 
Act to mean an occurrence that actually or imminently 
jeopardizes, without lawful authority, the integrity, 
confidentiality, or availability of information on an 
information system, or actually or imminently jeopardizes, 
without lawful authority, an information system.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Homeland 
Security Act of 2002''.
  (b) Table of Contents.--The table of contents for this Act is 
as follows:

           *       *       *       *       *       *       *

                 TITLE V--NATIONAL EMERGENCY MANAGEMENT

           *       *       *       *       *       *       *
Sec. 230. Cybersecurity strategy.

           *       *       *       *       *       *       *


TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

           *       *       *       *       *       *       *


Subtitle C--Information Security

           *       *       *       *       *       *       *


SEC. 226. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.

  (a) Definitions.--In this section--
          (1) the term ``cybersecurity risk'' means threats to 
        and vulnerabilities of information or information 
        systems and any related consequences caused by or 
        resulting from unauthorized access, use, disclosure, 
        degradation, disruption, modification, or destruction 
        of information or information systems, including such 
        related consequences caused by an act of terrorism;
          [(2) the term ``incident'' means an occurrence that--
                  [(A) actually or imminently jeopardizes, 
                without lawful authority, the integrity, 
                confidentiality, or availability of information 
                on an information system; or
                  [(B) constitutes a violation or imminent 
                threat of violation of law, security policies, 
                security procedures, or acceptable use 
                policies;]
          (2) the term ``incident'' means an occurrence that 
        actually or imminently jeopardizes, without lawful 
        authority, the integrity, confidentiality, or 
        availability of information on an information system, 
        or actually or imminently jeopardizes, without lawful 
        authority, an information system;
          (3) the term ``information sharing and analysis 
        organization'' has the meaning given that term in 
        section 212(5); and
          (4) the term ``information system'' has the meaning 
        given that term in section 3502(8) of title 44, United 
        States Code.
  (b) Center.--There is in the Department a national 
cybersecurity and communications integration center (referred 
to in this section as the ``Center'') to carry out certain 
responsibilities of the Under Secretary appointed under section 
103(a)(1)(H).
  (c) Functions.--The cybersecurity functions of the Center 
shall include--
          (1) being a Federal civilian interface for the multi-
        directional and cross-sector sharing of information 
        related to cybersecurity risks, incidents, analysis, 
        and warnings for Federal and non-Federal entities;
          (2) providing shared situational awareness to enable 
        real-time, integrated, and operational actions across 
        the Federal Government and non-Federal entities to 
        address cybersecurity risks and incidents to Federal 
        and non-Federal entities;
          (3) coordinating the sharing of information related 
        to cybersecurity risks and incidents across the Federal 
        Government;
          (4) facilitating cross-sector coordination to address 
        cybersecurity risks and incidents, including 
        cybersecurity risks and incidents that may be related 
        or could have consequential impacts across multiple 
        sectors;
          (5)(A) conducting integration and analysis, including 
        cross-sector integration and analysis, of cybersecurity 
        risks and incidents; and
          (B) sharing the analysis conducted under subparagraph 
        (A) with Federal and non-Federal entities;
          (6) upon request, providing timely technical 
        assistance, risk management support, and incident 
        response capabilities to Federal and non-Federal 
        entities with respect to cybersecurity risks and 
        incidents, which may include attribution, mitigation, 
        and remediation; and
          (7) providing information and recommendations on 
        security and resilience measures to Federal and non-
        Federal entities, including information and 
        recommendations to--
                  (A) facilitate information security; and
                  (B) strengthen information systems against 
                cybersecurity risks and incidents.
  (d) Composition.--
          (1) In general.--The Center shall be composed of--
                  (A) appropriate representatives of Federal 
                entities, such as--
                          (i) sector-specific agencies;
                          (ii) civilian and law enforcement 
                        agencies; and
                          (iii) elements of the intelligence 
                        community, as that term is defined 
                        under section 3(4) of the National 
                        Security Act of 1947 (50 U.S.C. 
                        3003(4));
                  (B) appropriate representatives of non-
                Federal entities, such as--
                          (i) State and local governments;
                          (ii) information sharing and analysis 
                        organizations; and
                          (iii) owners and operators of 
                        critical information systems;
                  (C) components within the Center that carry 
                out cybersecurity and communications 
                activities;
                  (D) a designated Federal official for 
                operational coordination with and across each 
                sector; and
                  (E) other appropriate representatives or 
                entities, as determined by the Secretary.
          (2) Incidents.--In the event of an incident, during 
        exigent circumstances the Secretary may grant a Federal 
        or non-Federal entity immediate temporary access to the 
        Center.
  (e) Principles.--In carrying out the functions under 
subsection (c), the Center shall ensure--
          (1) to the extent practicable, that--
                  (A) timely, actionable, and relevant 
                information related to cybersecurity risks, 
                incidents, and analysis is shared;
                  (B) when appropriate, information related to 
                cybersecurity risks, incidents, and analysis is 
                integrated with other relevant information and 
                tailored to the specific characteristics of a 
                sector;
                  (C) activities are prioritized and conducted 
                based on the level of risk;
                  (D) industry sector-specific, academic, and 
                national laboratory expertise is sought and 
                receives appropriate consideration;
                  (E) continuous, collaborative, and inclusive 
                coordination occurs--
                          (i) across sectors; and
                          (ii) with--
                                  (I) sector coordinating 
                                councils;
                                  (II) information sharing and 
                                analysis organizations; and
                                  (III) other appropriate non-
                                Federal partners;
                  (F) as appropriate, the Center works to 
                develop and use mechanisms for sharing 
                information related to cybersecurity risks and 
                incidents that are technology-neutral, 
                interoperable, real-time, cost-effective, and 
                resilient; and
                  (G) the Center works with other agencies to 
                reduce unnecessarily duplicative sharing of 
                information related to cybersecurity risks and 
                incidents;
          (2) that information related to cybersecurity risks 
        and incidents is appropriately safeguarded against 
        unauthorized access; and
          (3) that activities conducted by the Center comply 
        with all policies, regulations, and laws that protect 
        the privacy and civil liberties of United States 
        persons.
  (f) No Right or Benefit.--
          (1) In general.--The provision of assistance or 
        information to, and inclusion in the Center of, 
        governmental or private entities under this section 
        shall be at the sole and unreviewable discretion of the 
        Under Secretary appointed under section 103(a)(1)(H).
          (2) Certain assistance or information.--The provision 
        of certain assistance or information to, or inclusion 
        in the Center of, one governmental or private entity 
        pursuant to this section shall not create a right or 
        benefit, substantive or procedural, to similar 
        assistance or information for any other governmental or 
        private entity.

           *       *       *       *       *       *       *


SEC. 230. CYBERSECURITY STRATEGY.

  (a) In General.--Not later than 60 days after the date of the 
enactment of this section, the Secretary shall develop a 
departmental strategy to carry out cybersecurity 
responsibilities as set forth in law.
  (b) Contents.--The strategy required under subsection (a) 
shall include the following:
          (1) Strategic and operational goals and priorities to 
        successfully execute the full range of the Secretary's 
        cybersecurity responsibilities.
          (2) Information on the programs, policies, and 
        activities that are required to successfully execute 
        the full range of the Secretary's cybersecurity 
        responsibilities, including programs, policies, and 
        activities in furtherance of the following:
                  (A) Cybersecurity functions set forth in the 
                second section 226 (relating to the national 
                cybersecurity and communications integration 
                center).
                  (B) Cybersecurity investigations 
                capabilities.
                  (C) Cybersecurity research and development.
                  (D) Engagement with international 
                cybersecurity partners.
  (c) Considerations.--In developing the strategy required 
under subsection (a), the Secretary shall--
          (1) consider--
                  (A) the cybersecurity strategy for the 
                Homeland Security Enterprise published by the 
                Secretary in November 2011;
                  (B) the Department of Homeland Security 
                Fiscal Years 2014-2018 Strategic Plan; and
                  (C) the most recent Quadrennial Homeland 
                Security Review issued pursuant to section 707; 
                and
          (2) include information on the roles and 
        responsibilities of components and offices of the 
        Department, to the extent practicable, to carry out 
        such strategy.
  (d) Implementation Plan.--Not later than 90 days after the 
development of the strategy required under subsection (a), the 
Secretary shall issue an implementation plan for the strategy 
that includes the following:
          (1) Strategic objectives and corresponding tasks.
          (2) Projected timelines and costs for such tasks.
          (3) Metrics to evaluate performance of such tasks.
  (e) Congressional Oversight.--The Secretary shall submit to 
the Committee on Homeland Security of the House of 
Representatives and the Committee on Homeland Security and 
Governmental Affairs of the Senate for assessment the 
following:
          (1) A copy of the strategy required under subsection 
        (a) upon issuance.
          (2) A copy of the implementation plan required under 
        subsection (d) upon issuance, together with detailed 
        information on any associated legislative or budgetary 
        proposals.
  (f) Prohibition on Reorganization.--In the event that the 
strategy required under subsection (a) or implementation plan 
required under subsection (d) includes actions to reorganize 
departmental components or offices, such actions may not be 
executed without prior congressional authorization.
  (g) Classified Information.--The strategy required under 
subsection (a) shall be in an unclassified form but may contain 
a classified annex.
  (h) Rule of Construction.--Nothing in this section may be 
construed as permitting the Department to engage in monitoring, 
surveillance, exfiltration, or other collection activities for 
the purpose of tracking an individual's personally identifiable 
information.
  (i) Definitions.--In this section:
          (1) Cybersecurity risk.--The term ``cybersecurity 
        risk'' has the meaning given such term in the second 
        section 226, relating to the national cybersecurity and 
        communications integration center.
          (2) Homeland security enterprise.--The term 
        ``Homeland Security Enterprise'' means relevant 
        governmental and nongovernmental entities involved in 
        homeland security, including Federal, State, local, and 
        tribal government officials, private sector 
        representatives, academics, and other policy experts.
          (3) Incident.--The term ``incident'' has the meaning 
        given such term in the second section 226, relating to 
        the national cybersecurity and communications 
        integration center.

                                  [all]