[House Report 115-777]
[From the U.S. Government Publishing Office]
115th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Report 115-777
======================================================================
DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2018
_______
June 22, 2018.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. McCaul, from the Committee on Homeland Security, submitted the
following
R E P O R T
[To accompany H.R. 5733]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 5733) to amend the Homeland Security Act of 2002
to provide for the responsibility of the National Cybersecurity
and Communications Integration Center to maintain capabilities
to identify threats to industrial control systems, and for
other purposes, having considered the same, report favorably
thereon with an amendment and recommend that the bill as
amended do pass.
CONTENTS
Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``DHS Industrial Control Systems
Capabilities Enhancement Act of 2018''.
SEC. 2. CAPABILITIES OF NATIONAL CYBERSECURITY AND COMMUNICATIONS
INTEGRATION CENTER TO IDENTIFY THREATS TO
INDUSTRIAL CONTROL SYSTEMS.
(a) In General.--Section 227 of the Homeland Security Act of 2002 (6
U.S.C. 148) is amended--
(1) in subsection (e)(1)--
(A) in subparagraph (G), by striking ``and'' after
the semicolon;
(B) in subparagraph (H), by inserting ``and'' after
the semicolon; and
(C) by adding at the end the following new
subparagraph:
``(I) activities of the Center address the security
of both information technology and operational
technology, including industrial control systems;'';
(2) by redesignating subsections (f) through (m) as
subsections (g) through (n), respectively; and
(3) by inserting after subsection (e) the following new
subsection:
``(f) Industrial Control Systems.--The Center shall maintain
capabilities to identify and address threats and vulnerabilities to
products and technologies intended for use in the automated control of
critical infrastructure processes. In carrying out this subsection, the
Center shall--
``(1) lead, in coordination with relevant sector specific
agencies, Federal Government efforts to identify and mitigate
cybersecurity threats to industrial control systems, including
supervisory control and data acquisition systems;
``(2) maintain cross-sector incident response capabilities to
respond to industrial control system cybersecurity incidents;
``(3) provide cybersecurity technical assistance to industry
end-users, product manufacturers, and other industrial control
system stakeholders to identify and mitigate vulnerabilities;
``(4) collect, coordinate, and provide vulnerability
information to the industrial control systems community by, as
appropriate, working closely with security researchers,
industry end-users, product manufacturers, and other industrial
control systems stakeholders; and
``(5) conduct such other efforts and assistance as the
Secretary determines appropriate.''.
(b) Report to Congress.--Not later than 180 days after the date of
the enactment of this Act, and every 6 months thereafter during the
subsequent four-year period, the National Cybersecurity and
Communications Integration Center shall provide to the Committee on
Homeland Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate a briefing on
the industrial control systems capabilities of the Center under
subsection (f) of section 227 of the Homeland Security Act of 2002 (6
U.S.C. 148), as added by subsection (a).
Purpose and Summary
The purpose of H.R. 5733 is to amend the Homeland Security
Act of 2002 (Pub. L. 107-296) to provide for the responsibility
of the National Cybersecurity and Communications Integration
Center to maintain capabilities to identify threats to
industrial control systems, and for other purposes.
The DHS Industrial Control Systems Capabilities Enhancement
Act of 2018 codifies the role of the Department of Homeland
Security's (DHS) National Cybersecurity and Communications
Integration Center (NCCIC) in addressing the security of both
information technology and operational technology for
industrial control systems. NCCIC will maintain capabilities to
identify and address threats and vulnerabilities to products
and technologies intended for use in the automated control of
critical infrastructure processes. NCCIC will lead Federal
Government efforts to mitigate cybersecurity threats to
industrial control systems (ICS), and maintain cross-sector
incident response capabilities to respond to ICS cybersecurity
incidents. NCCIC can provide cybersecurity technical assistance
to ICS end users, product manufacturers and other stakeholders
to mitigate and identify vulnerabilities. As part of this
legislation, DHS is directed to periodically provide to the
House Committee on Homeland Security and the Senate Homeland
Security and Government Affairs Committee a briefing regarding
the industrial control systems capabilities at NCCIC.
Background and Need for Legislation
Much of our Nation's critical infrastructure is dependent
on industrial control systems to monitor, control, and
safeguard operational processes. ICS are common systems and
devices that can be found across all sixteen critical
infrastructure sectors and are not unique to any one sector.
ICS perform critical functions in managing the operation of
critical infrastructure such as electric power generators,
dams, water treatment facilities, medical devices, nuclear
power plants, and natural gas pipelines. ICS are the
operational technology that include Supervisory Control and
Data Acquisition (SCADA) systems, Process Control Systems
(PCS), and Distributed Control Systems (DCS).
DHS's NCCIC currently works with ICS operators and
manufacturers in several ways: NCCIC's ICS cybersecurity
capabilities include malware and vulnerability analysis; an
operational watch floor to monitor, track, and investigate
cyber incidents; incident response; international stakeholder
coordination; and creation and dissemination of threat
briefings, security bulletins, and notices related to emerging
threats and vulnerabilities. DHS operates a central hub for ICS
information exchange, technical expertise, operational
partnerships, and ICS-focused cybersecurity capabilities.
H.R. 5733 will codify the work NCCIC already performs
regarding identifying and mitigating ICS vulnerabilities while
ensuring that private industry has a centralized and permanent
place for assistance with addressing cybersecurity risk to
industrial control systems.
Hearings
No hearings were held on H.R. 5733 in the 115th Congress.
However, the Committee held the following oversight hearings
which informed the legislation.
On March 9, 2017, the Subcommittee on Cybersecurity and
Infrastructure Protection held a hearing entitled ``The Current
State of DHS Private Sector Engagement for Cybersecurity.'' The
Subcommittee received testimony from Mr. Daniel Nutkis, Chief
Executive Officer, HITRUST Alliance; Mr. Scott Montgomery, Vice
President and Chief Technical Strategist, Intel Security Group,
Intel Corporation; Mr. Jeffrey Greene, Senior Director, Global
Government Affairs and Policy, Symantec; Mr. Ryan M. Gillis, Vice
President of Cybersecurity Strategy and Global Policy, Palo
Alto Networks; and Ms. Robyn Greene, Policy Counsel and
Government Affairs Lead, Open Technology Institute, New
America.
On March 22, 2017, the Committee held a hearing entitled
``A Borderless Battle: Defending Against Cyber Threats.'' The
Committee received testimony from GEN Keith B. Alexander (Ret.
USA), President and Chief Executive Officer, IronNet
Cybersecurity; Mr. Michael Daniel, President, Cyber Threat
Alliance; Mr. Frank J. Cilluffo, Director, Center for Cyber and
Homeland Security, George Washington University; and Mr. Bruce
W. McConnell, Global Vice President, EastWest Institute.
On October 3, 2017, the Subcommittee on Cybersecurity and
Infrastructure Protection held a hearing entitled ``Examining
DHS's Cybersecurity Mission.'' The Subcommittee received
testimony from Mr. Christopher Krebs, Senior Official
Performing the Duties of the Under Secretary, National
Protection and Programs Directorate, U.S. Department of
Homeland Security; Ms. Jeanette Manfra, Assistant Secretary for
Cybersecurity and Communications, National Protection and
Programs Directorate, U.S. Department of Homeland Security; and
Ms. Patricia Hoffman, Acting Assistant Secretary, Office of
Electricity Delivery and Energy Reliability, U.S. Department of
Energy.
Committee Consideration
The Committee met on June 6, 2018, to consider H.R. 5733,
and ordered the measure to be reported to the House with a
favorable recommendation, as amended, by unanimous consent. The
Committee took the following actions:
The following amendments were offered:
An amendment offered by Mr. Langevin (#1) was AGREED TO by
unanimous consent.
Page 3, line 14, strike ``; and'' and insert a semicolon.
Page 3, after line 14, insert the following: ``(4) collect,
coordinate, and provide vulnerability information to the industrial
control systems community by, as appropriate, working closely with
security researchers, industry end-users, product manufacturers, and
other industrial control systems stakeholders; and''.
Page 3, line 15, strike ``(4)'' and insert ``(5)''.
Committee Votes
Clause 3(b) of Rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto.
No recorded votes were requested during consideration of
H.R. 5733.
Committee Oversight Findings
Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the
House of Representatives, the Committee has held oversight
hearings and made findings that are reflected in this report.
New Budget Authority, Entitlement Authority, and Tax Expenditures
In compliance with clause 3(c)(2) of Rule XIII of the Rules
of the House of Representatives, the Committee finds that H.R.
5733, the DHS Industrial Control Systems Capabilities
Enhancement Act of 2018, would result in no new or increased
budget authority, entitlement authority, or tax expenditures or
revenues.
Congressional Budget Office Estimate
The Committee adopts as its own the cost estimate prepared
by the Director of the Congressional Budget Office pursuant to
section 402 of the Congressional Budget Act of 1974.
U.S. Congress,
Congressional Budget Office,
Washington, DC, June 21, 2018.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 5733, the DHS
Industrial Control Systems Capabilities Enhancement Act of
2018.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is William Ma.
Sincerely,
Keith Hall,
Director.
Enclosure.
H.R. 5733--DHS Industrial Control Systems Capabilities Enhancement Act
of 2018
H.R. 5733 would require the National Cybersecurity and
Communications Integration Center (NCCIC) in the Department of
Homeland Security (DHS) to develop and maintain capabilities to
identify and mitigate threats and vulnerabilities to products
and technologies used in the automated control of critical
infrastructure processes. The bill also would require DHS to
provide briefings to the Congress on those capabilities not
later than six months after the bill's enactment and every six
months thereafter over the next four years.
On the basis of information from DHS, CBO has concluded
that the NCCIC already provides assistance to owners and
operators of critical infrastructure and control systems
vendors to identify and mitigate security vulnerabilities to
their industrial control systems. The bill would codify those
responsibilities but would not impose any new operating
requirements on the department. Thus, we estimate that
implementing H.R. 5733 would cost less than $500,000 over the
2019-2023 period to prepare and deliver the required briefings;
such spending would be subject to the availability of
appropriated funds.
Enacting H.R. 5733 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting H.R. 5733 would not increase
net direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
H.R. 5733 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is William Ma. The
estimate was reviewed by Leo Lex, Deputy Assistant Director for
Budget Analysis.
Statement of General Performance Goals and Objectives
Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the
House of Representatives, H.R. 5733 contains the following
general performance goals and objectives, including
outcome-related goals and objectives authorized.
H.R. 5733 requires the NCCIC to provide the appropriate
House and Senate Committees a briefing every six months, for
the subsequent four years, on the industrial control
capabilities of the Center.
Duplicative Federal Programs
Pursuant to clause 3(c) of Rule XIII, the Committee finds
that H.R. 4911 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits
In compliance with Rule XXI of the Rules of the House of
Representatives, this bill, as reported, contains no
congressional earmarks, limited tax benefits, or limited tariff
benefits as defined in clause 9(e), 9(f), or 9(g) of Rule
XXI.
Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
Preemption Clarification
In compliance with section 423 of the Congressional Budget
Act of 1974, requiring the report of any Committee on a bill or
joint resolution to include a statement on the extent to which
the bill or joint resolution is intended to preempt State,
local, or Tribal law, the Committee finds that H.R. 5733 does
not preempt any State, local, or Tribal law.
Disclosure of Directed Rule Makings
The Committee estimates that H.R. 5733 would require no
directed rule makings.
Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
Applicability to Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
Section-by-Section Analysis of the Legislation
Section 1. Short Title.
This section provides that this bill may be cited as the
``DHS Industrial Control Systems Capabilities Enhancement Act
of 2018''.
Sec. 2. Capabilities of National Cybersecurity and Communications
Integration Center to Identify Threats to Industrial Control
Systems.
This section amends the second section 227 of the Homeland
Security Act (HSA).
This section formally codifies the NCCIC's role in
addressing the security of both information technology and
operational technology, including industrial control systems.
This section indicates that the NCCIC will maintain
capabilities to identify and address threats and
vulnerabilities to products and technologies intended for use
in the automated control of critical infrastructure processes
by leading Federal Government efforts to mitigate cybersecurity
threats to industrial control systems (ICS), and maintaining
cross-sector incident response capabilities to respond to ICS
cybersecurity incidents. NCCIC can provide cybersecurity
technical assistance to ICS end users, product manufacturers
and other stakeholders to mitigate and identify
vulnerabilities. This section includes an amendment to ensure
NCCIC also collects, coordinates and provides vulnerability
information to the ICS community. The Committee intends for DHS
to continue training and outreach efforts to the private sector
so that the mutual exchange with ICS industry stakeholders
allows both the public and private sectors to be fully aware of
the cyber threat landscape.
This section requires the NCCIC to brief the U.S. House of
Representatives Committee on Homeland Security and U.S. Senate
Committee on Homeland Security and Governmental Affairs, for
the first four years after the enactment of this bill, on the
industrial control systems capabilities at NCCIC.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle C--Information Security
* * * * * * *
SEC. 227. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
(a) Definitions.--In this section--
(1) the term ``cybersecurity risk''--
(A) means threats to and vulnerabilities of
information or information systems and any
related consequences caused by or resulting
from unauthorized access, use, disclosure,
degradation, disruption, modification, or
destruction of such information or information
systems, including such related consequences
caused by an act of terrorism; and
(B) does not include any action that solely
involves a violation of a consumer term of
service or a consumer licensing agreement;
(2) the terms ``cyber threat indicator'' and
``defensive measure'' have the meanings given those
terms in section 102 of the Cybersecurity Act of 2015;
(3) the term ``incident'' means an occurrence that
actually or imminently jeopardizes, without lawful
authority, the integrity, confidentiality, or
availability of information on an information system,
or actually or imminently jeopardizes, without lawful
authority, an information system;
(4) the term ``information sharing and analysis
organization'' has the meaning given that term in
section 212(5);
(5) the term ``information system'' has the meaning
given that term in section 3502(8) of title 44, United
States Code; and
(6) the term ``sharing'' (including all conjugations
thereof) means providing, receiving, and disseminating
(including all conjugations of each of such terms).
(b) Center.--There is in the Department a national
cybersecurity and communications integration center (referred
to in this section as the ``Center'') to carry out certain
responsibilities of the Under Secretary appointed under section
103(a)(1)(H).
(c) Functions.--The cybersecurity functions of the Center
shall include--
(1) being a Federal civilian interface for the multi-
directional and cross-sector sharing of information
related to cyber threat indicators, defensive measures,
cybersecurity risks, incidents, analysis, and warnings
for Federal and non-Federal entities, including the
implementation of title I of the Cybersecurity Act of
2015;
(2) providing shared situational awareness to enable
real-time, integrated, and operational actions across
the Federal Government and non-Federal entities to
address cybersecurity risks and incidents to Federal
and non-Federal entities;
(3) coordinating the sharing of information related
to cyber threat indicators, defensive
measures, cybersecurity risks, and incidents across the
Federal Government;
(4) facilitating cross-sector coordination to address
cybersecurity risks and incidents, including
cybersecurity risks and incidents that may be related
or could have consequential impacts across multiple
sectors;
(5)(A) conducting integration and analysis, including
cross-sector integration and analysis, of cyber threat
indicators, defensive measures, cybersecurity risks, and
incidents; and
(B) sharing the analysis conducted under subparagraph
(A) with Federal and non-Federal entities;
(6) upon request, providing timely technical
assistance, risk management support, and incident
response capabilities to Federal and non-Federal
entities with respect to cyber threat indicators,
defensive measures, cybersecurity risks, and incidents,
which may include attribution, mitigation, and
remediation;
(7) providing information and recommendations on
security and resilience measures to Federal and non-
Federal entities, including information and
recommendations to--
(A) facilitate information security;
(B) strengthen information systems against
cybersecurity risks and incidents; and
(C) sharing cyber threat indicators and
defensive measures;
(8) engaging with international partners, in
consultation with other appropriate agencies, to--
(A) collaborate on cyber threat indicators,
defensive measures, and information related to
cybersecurity risks and incidents; and
(B) enhance the security and resilience of
global cybersecurity;
(9) sharing cyber threat indicators, defensive
measures, and other information related to
cybersecurity risks and incidents with Federal and non-
Federal entities, including across sectors of critical
infrastructure and with State and major urban area
fusion centers, as appropriate;
(10) participating, as appropriate, in national
exercises run by the Department; and
(11) in coordination with the Office of Emergency
Communications of the Department, assessing and
evaluating consequence, vulnerability, and threat
information regarding cyber incidents to public safety
communications to help facilitate continuous
improvements to the security and resiliency of such
communications.
(d) Composition.--
(1) In general.--The Center shall be composed of--
(A) appropriate representatives of Federal
entities, such as--
(i) sector-specific agencies;
(ii) civilian and law enforcement
agencies; and
(iii) elements of the intelligence
community, as that term is defined
under section 3(4) of the National
Security Act of 1947 (50 U.S.C.
3003(4));
(B) appropriate representatives of non-
Federal entities, such as--
(i) State, local, and tribal
governments;
(ii) information sharing and analysis
organizations, including information
sharing and analysis centers;
(iii) owners and operators of
critical information systems; and
(iv) private entities;
(C) components within the Center that carry
out cybersecurity and communications
activities;
(D) a designated Federal official for
operational coordination with and across each
sector;
(E) an entity that collaborates with State
and local governments on cybersecurity risks
and incidents, and has entered into a voluntary
information sharing relationship with the
Center; and
(F) other appropriate representatives or
entities, as determined by the Secretary.
(2) Incidents.--In the event of an incident, during
exigent circumstances the Secretary may grant a Federal
or non-Federal entity immediate temporary access to the
Center.
(e) Principles.--In carrying out the functions under
subsection (c), the Center shall ensure--
(1) to the extent practicable, that--
(A) timely, actionable, and relevant cyber
threat indicators, defensive measures, and
information related to cybersecurity risks,
incidents, and analysis is shared;
(B) when appropriate, cyber threat indicators,
defensive measures, and information related to
cybersecurity risks, incidents, and analysis is
integrated with other relevant information and
tailored to the specific characteristics of a
sector;
(C) activities are prioritized and conducted
based on the level of risk;
(D) industry sector-specific, academic, and
national laboratory expertise is sought and
receives appropriate consideration;
(E) continuous, collaborative, and inclusive
coordination occurs--
(i) across sectors; and
(ii) with--
(I) sector coordinating
councils;
(II) information sharing and
analysis organizations; and
(III) other appropriate non-
Federal partners;
(F) as appropriate, the Center works to
develop and use mechanisms for sharing
information related to cyber threat indicators,
defensive measures, cybersecurity risks, and
incidents that are technology-neutral,
interoperable, real-time, cost-effective, and
resilient;
(G) the Center works with other agencies to
reduce unnecessarily duplicative sharing of
information related to cyber threat
indicators, defensive measures, cybersecurity
risks, and incidents; [and];
(H) the Center designates an agency contact
for non-Federal entities; and
(I) activities of the Center address the
security of both information technology and
operational technology, including industrial
control systems;
(2) that information related to cyber threat
indicators, defensive measures, cybersecurity risks, and
incidents is appropriately safeguarded against
unauthorized access or disclosure; and
(3) that activities conducted by the Center comply
with all policies, regulations, and laws that protect
the privacy and civil liberties of United States
persons, including by working with the Privacy Officer
appointed under section 222 to ensure that the Center
follows the policies and procedures specified in
subsections (b) and (d)(5)(C) of section 105 of the
Cybersecurity Act of 2015.
(f) Industrial Control Systems.--The Center shall maintain
capabilities to identify and address threats and
vulnerabilities to products and technologies intended for use
in the automated control of critical infrastructure processes.
In carrying out this subsection, the Center shall--
(1) lead, in coordination with relevant sector
specific agencies, Federal Government efforts to
identify and mitigate cybersecurity threats to
industrial control systems, including supervisory
control and data acquisition systems;
(2) maintain cross-sector incident response
capabilities to respond to industrial control system
cybersecurity incidents;
(3) provide cybersecurity technical assistance to
industry end-users, product manufacturers, and other
industrial control system stakeholders to identify and
mitigate vulnerabilities;
(4) collect, coordinate, and provide vulnerability
information to the industrial control systems community
by, as appropriate, working closely with security
researchers, industry end-users, product manufacturers,
and other industrial control systems stakeholders; and
(5) conduct such other efforts and assistance as the
Secretary determines appropriate.
[(f)] (g) No Right or Benefit.--
(1) In general.--The provision of assistance or
information to, and inclusion in the Center of,
governmental or private entities under this section
shall be at the sole and unreviewable discretion of the
Under Secretary appointed under section 103(a)(1)(H).
(2) Certain assistance or information.--The provision
of certain assistance or information to, or inclusion
in the Center of, one governmental or private entity
pursuant to this section shall not create a right or
benefit, substantive or procedural, to similar
assistance or information for any other governmental or
private entity.
[(g)] (h) Automated Information Sharing.--
(1) In general.--The Under Secretary appointed under
section 103(a)(1)(H), in coordination with industry and
other stakeholders, shall develop capabilities making
use of existing information technology industry
standards and best practices, as appropriate, that
support and rapidly advance the development, adoption,
and implementation of automated mechanisms for the
sharing of cyber threat indicators and defensive
measures in accordance with title I of the
Cybersecurity Act of 2015.
(2) Annual report.--The Under Secretary appointed
under section 103(a)(1)(H) shall submit to the
Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Homeland Security of
the House of Representatives an annual report on the
status and progress of the development of the
capabilities described in paragraph (1). Such reports
shall be required until such capabilities are fully
implemented.
[(h)] (i) Voluntary Information Sharing Procedures.--
(1) Procedures.--
(A) In general.--The Center may enter into a
voluntary information sharing relationship with
any consenting non-Federal entity for the
sharing of cyber threat indicators and
defensive measures for cybersecurity purposes
in accordance with this section. Nothing in
this subsection may be construed to require any
non-Federal entity to enter into any such
information sharing relationship with the
Center or any other entity. The Center may
terminate a voluntary information sharing
relationship under this subsection, at the sole
and unreviewable discretion of the Secretary,
acting through the Under Secretary appointed
under section 103(a)(1)(H), for any reason,
including if the Center determines that the
non-Federal entity with which the Center has
entered into such a relationship has violated
the terms of this subsection.
(B) National security.--The Secretary may
decline to enter into a voluntary information
sharing relationship under this subsection, at
the sole and unreviewable discretion of the
Secretary, acting through the Under Secretary
appointed under section 103(a)(1)(H), for any
reason, including if the Secretary determines
that such is appropriate for national security.
(2) Voluntary information sharing relationships.--A
voluntary information sharing relationship under this
subsection may be characterized as an agreement
described in this paragraph.
(A) Standard agreement.--For the use of a
non-Federal entity, the Center shall make
available a standard agreement, consistent with
this section, on the Department's website.
(B) Negotiated agreement.--At the request of
a non-Federal entity, and if determined
appropriate by the Center, at the sole and
unreviewable discretion of the Secretary,
acting through the Under Secretary appointed
under section 103(a)(1)(H), the Department
shall negotiate a non-standard agreement,
consistent with this section.
(C) Existing agreements.--An agreement
between the Center and a non-Federal entity
that is entered into before the date of
enactment of this subsection, or such an
agreement that is in effect before such date,
shall be deemed in compliance with the
requirements of this subsection,
notwithstanding any other provision or
requirement of this subsection. An agreement
under this subsection shall include the
relevant privacy protections as in effect under
the Cooperative Research and Development
Agreement for Cybersecurity Information Sharing
and Collaboration, as of December 31, 2014.
Nothing in this subsection may be construed to
require a non-Federal entity to enter into
either a standard or negotiated agreement to be
in compliance with this subsection.
[(i)] (j) Direct Reporting.--The Secretary shall develop
policies and procedures for direct reporting to the Secretary
by the Director of the Center regarding significant
cybersecurity risks and incidents.
[(j)] (k) Reports on International Cooperation.--Not later
than 180 days after the date of enactment of this subsection,
and periodically thereafter, the Secretary of Homeland Security
shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a report on
the range of efforts underway to bolster cybersecurity
collaboration with relevant international partners in
accordance with subsection (c)(8).
[(k)] (l) Outreach.--Not later than 60 days after the date of
enactment of this subsection, the Secretary, acting through the
Under Secretary appointed under section 103(a)(1)(H), shall--
(1) disseminate to the public information about how
to voluntarily share cyber threat indicators and
defensive measures with the Center; and
(2) enhance outreach to critical infrastructure
owners and operators for purposes of such sharing.
[(l)] (m) Cybersecurity Outreach.--
(1) In general.--The Secretary may leverage small
business development centers to provide assistance to
small business concerns by disseminating information on
cyber threat indicators, defense measures,
cybersecurity risks, incidents, analyses, and warnings
to help small business concerns in developing or
enhancing cybersecurity infrastructure, awareness of
cyber threat indicators, and cyber training programs
for employees.
(2) Definitions.--For purposes of this subsection,
the terms ``small business concern'' and ``small
business development center'' have the meaning given
such terms, respectively, under section 3 of the Small
Business Act.
[(m)] (n) Coordinated Vulnerability Disclosure.--The
Secretary, in coordination with industry and other
stakeholders, may develop and adhere to Department policies and
procedures for coordinating vulnerability disclosures.
* * * * * * *