[House Report 115-607]
[From the U.S. Government Publishing Office]


115th Congress }                                          { REPORT
                        HOUSE OF REPRESENTATIVES
  2d Session   }                                          { 115-607

======================================================================
 
             DHS CYBER INCIDENT RESPONSE TEAMS ACT OF 2018

                                _______
                                

 March 19, 2018.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 5074]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 5074) to authorize cyber incident response teams 
at the Department of Homeland Security, and for other purposes, 
having considered the same, report favorably thereon without 
amendment and recommend that the bill do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     2
Background and Need for Legislation..............................     2
Hearings.........................................................     3
Committee Consideration..........................................     3
Committee Votes..................................................     3
Committee Oversight Findings.....................................     3
New Budget Authority, Entitlement Authority, and Tax Expenditures     4
Congressional Budget Office Estimate.............................     4
Statement of General Performance Goals and Objectives............     5
Duplicative Federal Programs.....................................     5
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits.......................................................     5
Federal Mandates Statement.......................................     5
Preemption Clarification.........................................     5
Disclosure of Directed Rule Makings..............................     5
Advisory Committee Statement.....................................     5
Applicability to Legislative Branch..............................     5
Section-by-Section Analysis of the Legislation...................     6
Changes in Existing Law Made by the Bill, as Reported............     6

                          Purpose and Summary

    The purpose of H.R. 5074 is to amend the Homeland Security 
Act of 2002 to authorize cyber incident response teams at the 
Department of Homeland Security, and for other purposes.
    The Cyber Incident Response Teams Act of 2018 codifies and 
shapes the cyber incident response teams at the Department of 
Homeland Security (DHS). These teams will exist within the 
National Cybersecurity and Communications Integration Center 
(NCCIC) at DHS and shall provide upon request, as appropriate, 
assistance to asset owners and operators following a cyber-
incident. In order to allow for private sector technical 
experts to be leveraged in the response to cyber incidents 
these teams may include cybersecurity specialists from the 
private sector. This program would allow industry professionals 
to bring innovative approaches and ideas into the federal 
government and makes progress in bringing the technical 
expertise and skills that help execute the DHS role in 
cybersecurity. This legislation further directs the NCCIC to 
continually assess and evaluate the cyber incident response 
teams and their operations and to periodically provide to 
Congress the collected information on the metrics used for 
evaluation and assessment of the cyber response teams and 
operations.

                  Background and Need for Legislation

    The DHS's NCCIC currently utilizes cyber incident response 
expertise in a number of ways. The United States Computer 
Emergency Readiness Team (US-CERT), operated within the NCCIC, 
brings advanced network and digital media analysis expertise to 
bear on malicious activity targeting our nation's networks. US-
CERT develops timely and actionable information for 
distribution to federal departments and agencies, state and 
local governments, private sector organizations, and 
international partners. The critical mission activities of US-
CERT's include: providing cybersecurity protection to Federal 
civilian executive branch agencies; responding to incidents and 
analyzing data about emerging cyber threats; and collaborating 
with foreign governments and international entities to enhance 
the nation's cybersecurity posture.
    The NCCIC's Hunt and Incident Response Teams (HIRT) provide 
onsite incident response, free of charge, to organizations that 
require immediate investigation and resolution of cyber 
attacks. Hunt and Incident Response Teams provide DHS's front 
line response for cyber incidents and proactively hunting for 
malicious cyber activity. Upon notification of a cyber 
incident, HIRT will perform a preliminary diagnosis to 
determine the extent of the compromise. When requested, HIRT 
can deploy a team to meet with the affected organization to 
review network topology, identify infected systems and collect 
other data as needed to perform thorough follow on analysis. 
Hunt and Incident Response Teams are able to provide mitigation 
strategies and assist asset owners and operators in restoring 
service and provide recommendations for improving overall 
network and control systems security.
    H.R. 5074 will codify the work of US-CERT and the HIRT 
while providing DHS flexibility to also call upon outside 
expertise.

                                Hearings

    The Committee did not hold any hearings on H.R. 5074, 
however the following hearings informed the Committee on this 
legislation.
    On March 9, 2017, the Subcommittee on Cybersecurity and 
Infrastructure Protection held a hearing entitled ``The Current 
State of DHS Private Sector Engagement for Cybersecurity.'' The 
Subcommittee received testimony from Mr. Daniel Nutkis, Chief 
Executive Officer, HITRUST Alliance; Mr. Scott Montgomery, Vice 
President and Chief Technical Strategist, Intel Security Group, 
Intel Corporation; Mr. Jeffrey Greene, Senior Director, Global 
Government Affairs and Policy Symantec; Mr. Ryan M. Gillis, 
Vice President of Cybersecurity Strategy and Global Policy, 
Palo Alto Networks; and Ms. Robyn Greene, Policy Counsel and 
Government Affairs Lead, Open Technology Institute, New 
America.
    On March 22, 2017, the Committee held a hearing entitled 
``A Borderless Battle: Defending Against Cyber Threats.'' The 
Committee received testimony from GEN Keith B. Alexander (Ret. 
USA), President and Chief Executive Officer, IronNet 
Cybersecurity; Mr. Michael Daniel, President, Cyber Threat 
Alliance; Mr. Frank J. Cilluffo, Director, Center for Cyber and 
Homeland Security, George Washington University; and Mr. Bruce 
W. McConnell, Global Vice President, EastWest Institute.
    On October 3, 2017, the Subcommittee on Cybersecurity and 
Infrastructure Protection held a hearing entitled ``Examining 
DHS's Cybersecurity Mission.'' The Subcommittee received 
testimony from Mr. Christopher Krebs, Senior Official 
Performing the Duties of the Under Secretary, National 
Protection and Programs Directorate, U.S. Department of 
Homeland Security; Ms. Jeanette Manfra, Assistant Secretary for 
Cybersecurity and Communications, National Protection and 
Programs Directorate, U.S. Department of Homeland Security; and 
Ms. Patricia Hoffman, Acting Assistant Secretary, Office of 
Electricity Delivery and Energy Reliability, U.S. Department of 
Energy.

                        Committee Consideration

    The Committee met on March 7, 2018, to consider H.R. 5074, 
and ordered the measure to be reported to the House with a 
favorable recommendation, without amendment, by unanimous 
consent.

                            Committee Votes

    Clause 3(b) of Rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R. 5074.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of Rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
5074, the DHS Cyber Incident Response Teams Act of 2018, would 
result in no new or increased budget authority, entitlement 
authority, or tax expenditures or revenues.

                  Congressional Budget Office Estimate

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, March 15, 2018.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5074, the DHS 
Cyber Incident Response Teams Act of 2018.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 5074--DHS Cyber Incident Response Teams Act of 2018

    H.R. 5074 would codify the establishment and 
responsibilities of hunt and incident response teams (HIRTs) 
under the authority of the National Cybersecurity and 
Communications Integration Center (NCCIC) in the Department of 
Homeland Security (DHS). Under the bill, HIRTs would continue 
to provide assistance to federal and non-federal entities 
affected by malicious cyber activity.
    H.R. 5074 also would require the NCCIC to report to the 
Congress on HIRTs activities at the end of each of the first 
four fiscal years following the bill's enactment. Using 
information from DHS and considering information about similar 
reporting requirements, CBO estimates that enacting H.R. 5074 
would cost less than $500,000 over the 2018-2022 period; such 
spending would be subject to the availability of appropriated 
funds.
    Enacting H.R. 5074 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting H.R. 5074 would not increase 
net direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2028.
    H.R. 5074 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is William Ma. The 
estimate was approved by Leo Lex, Deputy Assistant Director for 
Budget Analysis.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the 
House of Representatives, H.R. 5074 contains the following 
general performance goals and objectives, including outcome 
related goals and objectives authorized.
    H.R. 5074 mandates that the Department of Homeland Security 
continuously assess and assign metrics to the cyber incident 
response teams operations, and that it provides those metrics 
to Congress the first four years after enactment of the bill.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of Rule XIII, the Committee finds 
that H.R. 5074 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    In compliance with Rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule 
XXI.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                        Preemption Clarification

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that H.R. 5074 does 
not preempt any State, local, or Tribal law.

                  Disclosure of Directed Rule Makings

    The Committee estimates that H.R. 5074 would require no 
directed rule makings.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1.   Short Title.

    This section provides that this bill may be cited as the 
``DHS Cyber Incident Response Teams Act of 2018''.

Sec. 2.   Department of Homeland Security Cyber Incident Response 
        Teams.

    This section amends the second section 227 of the Homeland 
Security Act (HSA).
    This section formally codifies the NCCIC's cyber incident 
response teams. The cyber hunt and incident response teams can 
provide, as appropriate and upon request: assistance to owners 
and operators following a cyber-incident; identification of 
cyber risk and unauthorized cyber activity; risk management and 
mitigation strategies for private sector entities; overall 
recommendations for network and system controls; and other 
capabilities that may be deemed appropriate all of which are on 
a voluntary, requested basis. The Committee intends to continue 
to support the work of these important teams with the formal 
authorization of this program.
    This section also authorizes the Secretary to utilize 
private sector cybersecurity specialists on the cyber hunt and 
incident response teams. The Committee intends for the cyber 
hunt and incident response teams to work hand in hand with 
private sector cybersecurity specialists, when the Secretary 
deems necessary. The Committee intends for this provision to 
increase the talent pool from which DHS can draw in order to 
continue to accomplish the Department's cybersecurity mission.
    This section requires the NCCIC to continually assess and 
assign metrics to the cyber incident response team's 
operations. This section requires the Center to submit to the 
U.S. House of Representatives Committee on Homeland Security 
and U.S. Senate Committee on Homeland Security and Governmental 
Affairs, for the first four years after the enactment of this 
bill, information on the activities of these teams. The NCCIC 
is required to provide information on metrics, the total number 
of incident response requests receive, the number of incident 
response tickets opened, all interagency staffing of incident 
response teams, and the interagency collaborations established 
to support incident response teams.
    No additional funds are authorized to carry out the 
requirements of this Act.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002



           *       *       *       *       *       *       *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

           *       *       *       *       *       *       *


Subtitle C--Information Security

           *       *       *       *       *       *       *


SEC. 227. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.

  (a) Definitions.--In this section--
          (1) the term ``cybersecurity risk''--
                  (A) means threats to and vulnerabilities of 
                information or information systems and any 
                related consequences caused by or resulting 
                from unauthorized access, use, disclosure, 
                degradation, disruption, modification, or 
                destruction of such information or information 
                systems, including such related consequences 
                caused by an act of terrorism; and
                  (B) does not include any action that solely 
                involves a violation of a consumer term of 
                service or a consumer licensing agreement;
          (2) the terms ``cyber threat indicator'' and 
        ``defensive measure'' have the meanings given those 
        terms in section 102 of the Cybersecurity Act of 2015;
          (3) the term ``incident'' means an occurrence that 
        actually or imminently jeopardizes, without lawful 
        authority, the integrity, confidentiality, or 
        availability of information on an information system, 
        or actually or imminently jeopardizes, without lawful 
        authority, an information system;
          (4) the term ``information sharing and analysis 
        organization'' has the meaning given that term in 
        section 212(5);
          (5) the term ``information system'' has the meaning 
        given that term in section 3502(8) of title 44, United 
        States Code; and
          (6) the term ``sharing'' (including all conjugations 
        thereof) means providing, receiving, and disseminating 
        (including all conjugations of each of such terms).
  (b) Center.--There is in the Department a national 
cybersecurity and communications integration center (referred 
to in this section as the ``Center'') to carry out certain 
responsibilities of the Under Secretary appointed under section 
103(a)(1)(H).
  (c) Functions.--The cybersecurity functions of the Center 
shall include--
          (1) being a Federal civilian interface for the multi-
        directional and cross-sector sharing of information 
        related to cyber threat indicators, defensivemeasures, 
        cybersecurity risks, incidents, analysis, and warnings 
        for Federal and non-Federal entities, including the 
        implementationof title I of the Cybersecurity Act of 
        2015;
          (2) providing shared situational awareness to enable 
        real-time, integrated, and operational actions across 
        the Federal Government and non-Federal entities to 
        address cybersecurity risks and incidents to Federal 
        and non-Federal entities;
          (3) coordinating the sharing of information related 
        to cyber threat indicators, defensive 
        measures,cybersecurity risks, and incidents across the 
        Federal Government;
          (4) facilitating cross-sector coordination to address 
        cybersecurity risks and incidents, including 
        cybersecurity risks and incidents that may be related 
        or could have consequential impacts across multiple 
        sectors;
          (5)(A) conducting integration and analysis, including 
        cross-sector integration and analysis, of cyber threat 
        indicators, defensivemeasures, cybersecurity risks, and 
        incidents; and
          (B) sharing the analysis conducted under subparagraph 
        (A) with Federal and non-Federal entities;
          (6) upon request, providing timely technical 
        assistance, risk management support, and incident 
        response capabilities to Federal and non-Federal 
        entities with respect to cyber threat indicators, 
        defensive measures, cybersecurityrisks, and incidents, 
        which may include attribution, mitigation, and 
        remediation;
          (7) providing information and recommendations on 
        security and resilience measures to Federal and non-
        Federal entities, including information and 
        recommendations to--
                  (A) facilitate information security;
                  (B) strengthen information systems against 
                cybersecurity risks and incidents; and
                  (C) sharing cyber threat indicators and 
                defensive measures;
          (8) engaging with international partners, in 
        consultation with other appropriate agencies, to--
                  (A) collaborate on cyber threat indicators, 
                defensive measures, and information related to 
                cybersecurity risks and incidents; and
                  (B) enhance the security and resilience of 
                global cybersecurity;
          (9) sharing cyber threat indicators, defensive 
        measures, and other information related to 
        cybersecurity risks and incidents with Federal and non-
        Federal entities, including across sectors of critical 
        infrastructure and with State and major urban area 
        fusion centers, as appropriate;
          (10) participating, as appropriate, in national 
        exercises run by the Department; and
          (11) in coordination with the Office of Emergency 
        Communications of the Department, assessing and 
        evaluating consequence, vulnerability, and threat 
        information regarding cyber incidents to public safety 
        communications to help facilitate continuous 
        improvements to the security and resiliency of such 
        communications.
  (d) Composition.--
          (1) In general.--The Center shall be composed of--
                  (A) appropriate representatives of Federal 
                entities, such as--
                          (i) sector-specific agencies;
                          (ii) civilian and law enforcement 
                        agencies; and
                          (iii) elements of the intelligence 
                        community, as that term is defined 
                        under section 3(4) of the National 
                        Security Act of 1947 (50 U.S.C. 
                        3003(4));
                  (B) appropriate representatives of non-
                Federal entities, such as--
                          (i) State, local, and tribal 
                        governments;
                          (ii) information sharing and analysis 
                        organizations, including information 
                        sharing and analysis centers;
                          (iii) owners and operators of 
                        critical information systems; and
                          (iv) private entities, including 
                        cybersecurity specialists;
                  (C) components within the Center that carry 
                out cybersecurity and communications 
                activities;
                  (D) a designated Federal official for 
                operational coordination with and across each 
                sector;
                  (E) an entity that collaborates with State 
                and local governments on cybersecurity risks 
                and incidents, and has entered into a voluntary 
                information sharing relationship with the 
                Center; and
                  (F) other appropriate representatives or 
                entities, as determined by the Secretary.
          (2) Incidents.--In the event of an incident, during 
        exigent circumstances the Secretary may grant a Federal 
        or non-Federal entity immediate temporary access to the 
        Center.
  (f) Cyber Incident Response Teams.--
          (1) In general.--The Center shall maintain cyber hunt 
        and incident response teams for the purpose of 
        providing, as appropriate and upon request, assistance, 
        including the following:
                  (A) Assistance to asset owners and operators 
                in restoring services following a cyber 
                incident.
                  (B) The identification of cybersecurity risk 
                and unauthorized cyber activity.
                  (C) Mitigation strategies to prevent, deter, 
                and protect against cybersecurity risks.
                  (D) Recommendations to asset owners and 
                operators for improving overall network and 
                control systems security to lower cybersecurity 
                risks, and other recommendations, as 
                appropriate.
                  (E) Such other capabilities as the Under 
                Secretary appointed under section 103(a)(1)(H) 
                determines appropriate.
          (2) Cybersecurity specialists.--The Secretary may 
        include cybersecurity specialists from the private 
        sector on cyber hunt and incident response teams.
          (3) Associated metrics.--The Center shall continually 
        assess and evaluate the cyber incident response teams 
        and their operations using robust metrics.
          (4) Submittal of information to congress.--Upon the 
        conclusion of each of the first four fiscal years 
        ending after the date of the enactment of this 
        subsection, the Center shall submit to the Committee on 
        Homeland Security of the House of Representatives and 
        the Homeland Security and Governmental Affairs 
        Committee of the Senate, information on the metrics 
        used for evaluation and assessment of the cyber 
        incident response teams and operations pursuant to 
        paragraph (3), including the resources and staffing of 
        such cyber incident response teams. Such information 
        shall include each of the following for the period 
        covered by the report:
                  (A) The total number of incident response 
                requests received.
                  (B) The number of incident response tickets 
                opened.
                  (C) All interagency staffing of incident 
                response teams.
                  (D) The interagency collaborations 
                established to support incident response teams.
  (e) Principles.--In carrying out the functions under 
subsection (c), the Center shall ensure--
          (1) to the extent practicable, that--
                  (A) timely, actionable, and relevant cyber 
                threatindicators, defensive measures, and 
                information related to cybersecurity risks, 
                incidents, and analysis is shared;
                  (B) when appropriate, cyber threatindicators, 
                defensive measures, and information related to 
                cybersecurity risks, incidents, and analysis is 
                integrated with other relevant information and 
                tailored to the specific characteristics of a 
                sector;
                  (C) activities are prioritized and conducted 
                based on the level of risk;
                  (D) industry sector-specific, academic, and 
                national laboratory expertise is sought and 
                receives appropriate consideration;
                  (E) continuous, collaborative, and inclusive 
                coordination occurs--
                          (i) across sectors; and
                          (ii) with--
                                  (I) sector coordinating 
                                councils;
                                  (II) information sharing and 
                                analysis organizations; and
                                  (III) other appropriate non-
                                Federal partners;
                  (F) as appropriate, the Center works to 
                develop and use mechanisms for sharing 
                information related to cyber threat indicators, 
                defensive measures,cybersecurity risks, and 
                incidents that are technology-neutral, 
                interoperable, real-time, cost-effective, and 
                resilient;
                  (G) the Center works with other agencies to 
                reduce unnecessarily duplicative sharing of 
                information related to cyber threat 
                indicators,defensive measures, cybersecurity 
                risks, andincidents; and;
                  (H) the Center designates an agency contact 
                for non-Federal entities;
          (2) that information related to cyber threat 
        indicators, defensive measures, cybersecurityrisks, and 
        incidents is appropriately safeguarded against 
        unauthorized access or disclosure; and
          (3) that activities conducted by the Center comply 
        with all policies, regulations, and laws that protect 
        the privacy and civil liberties of United States 
        persons, including by working withthe Privacy Officer 
        appointed under section 222 to ensurethat the Center 
        follows the policies and procedures specifiedin 
        subsections (b) and (d)(5)(C) of section 105 of the 
        CybersecurityAct of 2015.
  [(f)] (g) No Right or Benefit.--
          (1) In general.--The provision of assistance or 
        information to, and inclusion in the Center, or any 
        team or activity of the Center, of, governmental or 
        private entities under this section shall be at the 
        sole and unreviewable discretion of the Under Secretary 
        appointed under section 103(a)(1)(H).
          (2) Certain assistance or information.--The provision 
        of certain assistance or information to, or inclusion 
        in the Center, or any team or activity of the Center, 
        of, one governmental or private entity pursuant to this 
        section shall not create a right or benefit, 
        substantive or procedural, to similar assistance or 
        information for any other governmental or private 
        entity.
  [(g)] (h) Automated Information Sharing.--
          (1) In general.--The Under Secretary appointed under 
        section 103(a)(1)(H), in coordination with industry and 
        other stakeholders, shall develop capabilities making 
        use of existing information technology industry 
        standards and best practices, as appropriate, that 
        support and rapidly advance the development, adoption, 
        and implementation of automated mechanisms for the 
        sharing of cyber threat indicators and defensive 
        measures in accordance with title I of the 
        Cybersecurity Act of 2015.
          (2) Annual report.--The Under Secretary appointed 
        under section 103(a)(1)(H) shall submit to the 
        Committee on Homeland Security and Governmental Affairs 
        of the Senate and the Committee on Homeland Security of 
        the House of Representatives an annual report on the 
        status and progress of the development of the 
        capabilities described in paragraph (1). Such reports 
        shall be required until such capabilities are fully 
        implemented.
  [(h)] (i) Voluntary Information Sharing Procedures.--
          (1) Procedures.--
                  (A) In general.--The Center may enter into a 
                voluntary information sharing relationship with 
                any consenting non-Federal entity for the 
                sharing of cyber threat indicators and 
                defensive measures for cybersecurity purposes 
                in accordance with this section. Nothing in 
                this subsection may be construed to require any 
                non-Federal entity to enter into any such 
                information sharing relationship with the 
                Center or any other entity. The Center may 
                terminate a voluntary information sharing 
                relationship under this subsection, at the sole 
                and unreviewable discretion of the Secretary, 
                acting through the Under Secretary appointed 
                under section 103(a)(1)(H), for any reason, 
                including if the Center determines that the 
                non-Federal entity with which the Center has 
                entered into such a relationship has violated 
                the terms of this subsection.
                  (B) National security.--The Secretary may 
                decline to enter into a voluntary information 
                sharing relationship under this subsection, at 
                the sole and unreviewable discretion of the 
                Secretary, acting through the Under Secretary 
                appointed under section 103(a)(1)(H), for any 
                reason, including if the Secretary determines 
                that such is appropriate for national security.
          (2) Voluntary information sharing relationships.--A 
        voluntary information sharing relationship under this 
        subsection may be characterized as an agreement 
        described in this paragraph.
                  (A) Standard agreement.--For the use of a 
                non-Federal entity, the Center shall make 
                available a standard agreement, consistent with 
                this section, on the Department's website.
                  (B) Negotiated agreement.--At the request of 
                a non-Federal entity, and if determined 
                appropriate by the Center, at the sole and 
                unreviewable discretion of the Secretary, 
                acting through the Under Secretary appointed 
                under section 103(a)(1)(H), the Department 
                shall negotiate a non-standard agreement, 
                consistent with this section.
                  (C) Existing agreements.--An agreement 
                between the Center and a non-Federal entity 
                that is entered into before the date of 
                enactment of this subsection, or such an 
                agreement that is in effect before such date, 
                shall be deemed in compliance with the 
                requirements of this subsection, 
                notwithstanding any other provision or 
                requirement of this subsection. An agreement 
                under this subsection shall include the 
                relevant privacy protections as in effect under 
                the Cooperative Research and Development 
                Agreement for Cybersecurity Information Sharing 
                and Collaboration, as of December 31, 2014. 
                Nothing in this subsection may be construed to 
                require a non-Federal entity to enter into 
                either a standard or negotiated agreement to be 
                in compliance with this subsection.
  [(i)] (j) Direct Reporting.--The Secretary shall develop 
policies and procedures for direct reporting to the Secretary 
by the Director of the Center regarding significant 
cybersecurity risks and incidents.
  [(j)] (k) Reports on International Cooperation.--Not later 
than 180 days after the date of enactment of this subsection, 
and periodically thereafter, the Secretary of Homeland Security 
shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on 
Homeland Security of the House of Representatives a report on 
the range of efforts underway to bolster cybersecurity 
collaboration with relevant international partners in 
accordance with subsection (c)(8).
  [(k)] (l) Outreach.--Not later than 60 days after the date of 
enactment of this subsection, the Secretary, acting through the 
Under Secretary appointed under section 103(a)(1)(H), shall--
          (1) disseminate to the public information about how 
        to voluntarily share cyber threat indicators and 
        defensive measures with the Center; and
          (2) enhance outreach to critical infrastructure 
        owners and operators for purposes of such sharing.
  [(l)] (m) Cybersecurity Outreach.--
          (1) In general.--The Secretary may leverage small 
        business development centers to provide assistance to 
        small business concerns by disseminating information on 
        cyber threat indicators, defense measures, 
        cybersecurity risks, incidents, analyses, and warnings 
        to help small business concerns in developing or 
        enhancing cybersecurity infrastructure, awareness of 
        cyber threat indicators, and cyber training programs 
        for employees.
          (2) Definitions.--For purposes of this subsection, 
        the terms ``small business concern'' and ``small 
        business development center'' have the meaning given 
        such terms, respectively, under section 3 of the Small 
        Business Act.
  [(m)] (n) Coordinated Vulnerability Disclosure.--The 
Secretary, in coordination with industry and other 
stakeholders, may develop and adhere to Department policies and 
procedures for coordinating vulnerability disclosures.

           *       *       *       *       *       *       *


                                  [all]