[House Report 115-777]
[From the U.S. Government Publishing Office]


115th Congress  }                                    {         Report
                        HOUSE OF REPRESENTATIVES
 2d Session     }                                    {        115-777

======================================================================



 
  DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2018

                                _______
                                

 June 22, 2018.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 5733]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 5733) to amend the Homeland Security Act of 2002 
to provide for the responsibility of the National Cybersecurity 
and Communications Integration Center to maintain capabilities 
to identify threats to industrial control systems, and for 
other purposes, having considered the same, report favorably 
thereon with an amendment and recommend that the bill as 
amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     2
Background and Need for Legislation..............................     3
Hearings.........................................................     3
Committee Consideration..........................................     4
Committee Votes..................................................     4
Committee Oversight Findings.....................................     4
New Budget Authority, Entitlement Authority, and Tax Expenditures     4
Congressional Budget Office Estimate.............................     5
Statement of General Performance Goals and Objectives............     6
Duplicative Federal Programs.....................................     6
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits.......................................................     6
Federal Mandates Statement.......................................     6
Preemption Clarification.........................................     6
Disclosure of Directed Rule Makings..............................     6
Advisory Committee Statement.....................................     6
Applicability to Legislative Branch..............................     6
Section-by-Section Analysis of the Legislation...................     7
Changes in Existing Law Made by the Bill, as Reported............     7

    The amendment is as follows:
    Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``DHS Industrial Control Systems 
Capabilities Enhancement Act of 2018''.

SEC. 2. CAPABILITIES OF NATIONAL CYBERSECURITY AND COMMUNICATIONS 
                    INTEGRATION CENTER TO IDENTIFY THREATS TO 
                    INDUSTRIAL CONTROL SYSTEMS.

  (a) In General.--Section 227 of the Homeland Security Act of 2002 (6 
U.S.C. 148) is amended--
          (1) in subsection (e)(1)--
                  (A) in subparagraph (G), by striking ``and'' after 
                the semicolon;
                  (B) in subparagraph (H), by inserting ``and'' after 
                the semicolon; and
                  (C) by adding at the end the following new 
                subparagraph:
                  ``(I) activities of the Center address the security 
                of both information technology and operational 
                technology, including industrial control systems;'';
          (2) by redesignating subsections (f) through (m) as 
        subsections (g) through (n), respectively; and
          (3) by inserting after subsection (e) the following new 
        subsection:
  ``(f) Industrial Control Systems.--The Center shall maintain 
capabilities to identify and address threats and vulnerabilities to 
products and technologies intended for use in the automated control of 
critical infrastructure processes. In carrying out this subsection, the 
Center shall--
          ``(1) lead, in coordination with relevant sector specific 
        agencies, Federal Government efforts to identify and mitigate 
        cybersecurity threats to industrial control systems, including 
        supervisory control and data acquisition systems;
          ``(2) maintain cross-sector incident response capabilities to 
        respond to industrial control system cybersecurity incidents;
          ``(3) provide cybersecurity technical assistance to industry 
        end-users, product manufacturers, and other industrial control 
        system stakeholders to identify and mitigate vulnerabilities;
          ``(4) collect, coordinate, and provide vulnerability 
        information to the industrial control systems community by, as 
        appropriate, working closely with security researchers, 
        industry end-users, product manufacturers, and other industrial 
        control systems stakeholders; and
          ``(5) conduct such other efforts and assistance as the 
        Secretary determines appropriate.''.
  (b) Report to Congress.--Not later than 180 days after the date of 
the enactment of this Act, and every 6 months thereafter during the 
subsequent four-year period, the National Cybersecurity and 
Communications Integration Center shall provide to the Committee on 
Homeland Security of the House of Representatives and the Committee on 
Homeland Security and Governmental Affairs of the Senate a briefing on 
the industrial control systems capabilities of the Center under 
subsection (f) of section 227 of the Homeland Security Act of 2002 (6 
U.S.C. 148), as added by subsection (a).

                          Purpose and Summary

    The purpose of H.R. 5733 is to amend the Homeland Security 
Act of 2002 (Pub. L. 107-296) to provide for the responsibility 
of the National Cybersecurity and Communications Integration 
Center to maintain capabilities to identify threats to 
industrial control systems, and for other purposes.
    The DHS Industrial Control Systems Capabilities Enhancement 
Act of 2018 codifies the role of the Department of Homeland 
Security's (DHS) National Cybersecurity and Communications 
Integration Center (NCCIC) in addressing the security of both 
information technology and operational technology for 
industrial control systems. NCCIC will maintain capabilities to 
identify and address threats and vulnerabilities to products 
and technologies intended for use in the automated control of 
critical infrastructure processes. NCCIC will lead Federal 
Government efforts to mitigate cybersecurity threats to 
industrial control systems (ICS), and maintain cross-sector 
incident response capabilities to respond to ICS cybersecurity 
incidents. NCCIC can provide cybersecurity technical assistance 
to ICS end users, product manufacturers and other stakeholders 
to mitigate and identify vulnerabilities. As part of this 
legislation, DHS is directed to periodically provide to the 
House Committee on Homeland Security and the Senate Homeland 
Security and Government Affairs Committee regarding the 
industrial control systems capabilities at NCCIC.

                  Background and Need for Legislation

    Much of our Nation's critical infrastructure is dependent 
on industrial control systems to monitor, control, and 
safeguard operational processes. ICS are common systems and 
devices that can be found across all sixteen critical 
infrastructure sectors and are not unique to any one sector. 
ICS perform critical functions in managing the operation of 
critical infrastructure such as electric power generators, 
dams, water treatment facilities, medical devices, nuclear 
power plants, and natural gas pipelines. ICS are the 
operational technology that include Supervisory Control and 
Data Acquisition (SCADA) systems, Process Control Systems 
(PCS), and Distributed Control Systems (DCS).
    DHS's NCCIC currently works with ICS operators and 
manufacturers in several ways: NCICC's ICS cybersecurity 
capabilities include malware and vulnerability analysis; an 
operational watch floor to monitor, track, and investigate 
cyber incidents; incident response; international stakeholder 
coordination; and creation and dissemination of threat 
briefings, security bulletins, and notices related to emerging 
threats and vulnerabilities. DHS operates a central hub for ICS 
information exchange, technical expertise, operational 
partnerships, and ICS-focused cybersecurity capabilities.
    H.R. 5733 will codify the work NCCIC already performs 
regarding identifying and mitigating ICS vulnerabilities while 
ensuring that private industry has a centralized and permanent 
place for assistance with addressing cybersecurity risk to 
industrial control systems.

                                Hearings

    No hearings were held on H.R.5733 in the 115th Congress. 
However the Committee held the following oversight hearings 
which informed the legilsation.
    On March 9, 2017, the Subcommittee on Cybersecurity and 
Infrastructure Protection held a hearing entitled ``The Current 
State of DHS Private Sector Engagement for Cybersecurity.'' The 
Subcommittee received testimony from Mr. Daniel Nutkis, Chief 
Executive Officer, HITRUST Alliance; Mr. Scott Montgomery, Vice 
President and Chief Technical Strategist, Intel Security Group, 
Intel Corporation; Mr. Jeffrey Greene, Senior Director, Global 
Government Affairs and Policy Symantec; Mr. Ryan M Gillis, Vice 
President of Cybersecurity Strategy and Global Policy, Palo 
Alto Networks; and Ms. Robyn Greene, Policy Counsel and 
Government Affairs Lead, Open Technology Institute, New 
America.
    On March 22, 2017, the Committee held a hearing entitled 
``A Borderless Battle: Defending Against Cyber Threats.'' The 
Committee received testimony from GEN Keith B. Alexander (Ret. 
USA), President and Chief Executive Officer, IronNet 
Cybersecurity; Mr. Michael Daniel, President, Cyber Threat 
Alliance; Mr. Frank J. Cilluffo, Director, Center for Cyber and 
Homeland Security, George Washington University; and Mr. Bruce 
W. McConnell, Global Vice President, EastWest Institute.
    On October 3, 2017, the Subcommittee on Cybersecurity and 
Infrastructure Protection held a hearing entitled ``Examining 
DHS's Cybersecurity Mission.'' The Subcommittee received 
testimony from Mr. Christopher Krebs, Senior Official 
Performing the Duties of the Under Secretary, National 
Protection and Programs Directorate, U.S. Department of 
Homeland Security; Ms. Jeanette Manfra, Assistant Secretary for 
Cybersecurity and Communications, National Protection and 
Programs Directorate, U.S. Department of Homeland Security; and 
Ms. Patricia Hoffman, Acting Assistant Secretary, Office of 
Electricity Delivery and Energy Reliability, U.S. Department of 
Energy.

                        Committee Consideration

    The Committee met on June 6, 2018, to consider H.R. 5733, 
and ordered the measure to be reported to the House with a 
favorable recommendation, as amended, by unanimous consent. The 
Committee took the following actions:
    The following amendments were offered:
    An amendment offered by Mr. Langevin (#1); was AGREED TO by 
unanimous consent.

  Page 3, line 14, strike ``; and'' and insert a semicolon.
  Page 3, after line 14, insert the following: ``(4) collect, 
coordinate, and provide vulnerability information to the industrial 
control systems community by, as appropriate, working closely with 
security researchers, industry end-users, product manufacturers, and 
other industrial control systems stakeholders; and''.
  Page 3, line 15, strike ``(4)'' and insert ``(5)''.

                            Committee Votes

    Clause 3(b) of Rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R.5733.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of Rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
5733, the DHS Industrial Control Systems Capabilities 
Enhancement Act of 2018, would result in no new or increased 
budget authority, entitlement authority, or tax expenditures or 
revenues.

                  Congressional Budget Office Estimate

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, June 21, 2018.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5733, the DHS 
Industrial Control Systems Capabilities Enhancement Act of 
2018.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 5733--DHS Industrial Control Systems Capabilities Enhancement Act 
        of 2018

    H.R. 5733 would require the National Cybersecurity and 
Communications Integration Center (NCCIC) in the Department of 
Homeland Security (DHS) to develop and maintain capabilities to 
identify and mitigate threats and vulnerabilities to products 
and technologies used in the automated control of critical 
infrastructure processes. The bill also would require DHS to 
provide briefings to the Congress on those capabilities not 
later than six months after the bill's enactment and every six 
months thereafter over the next four years.
    On the basis of information from DHS, CBO has concluded 
that the NCCIC already provides assistance to owners and 
operators of critical infrastructure and control systems 
vendors to identify and mitigate security vulnerabilities to 
their industrial control systems. The bill would codify those 
responsibilities but would not impose any new operating 
requirements on the department. Thus, we estimate that 
implementing H.R. 5733 would cost less than $500,000 over the 
2019-2023 period to prepare and deliver the required briefings; 
such spending would be subject to the availability of 
appropriated funds.
    Enacting H.R. 5733 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting H.R. 5733 would not increase 
net direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    H.R. 5733 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is William Ma. The 
estimate was reviewed by Leo Lex, Deputy Assistant Director for 
Budget Analysis.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the 
House of Representatives, H.R. 5733 contains the following 
general performance goals and objectives, including outcome 
related goals and objectives authorized.
    H.R. 5733 requires the NCCIC to provide the appropriate 
House and Senate Committees a briefing every six months, for 
the subsequent four years, on the industrial control 
capabiliites of the Center.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of Rule XIII, the Committee finds 
that H.R. 4911 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    In compliance with Rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule 
XXI.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                        Preemption Clarification

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that H.R. 5733 does 
not preempt any State, local, or Tribal law.

                  Disclosure of Directed Rule Makings

    The Committee estimates that H.R. 5733 would require no 
directed rule makings.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1.   Short Title.

    This section provides that this bill may be cited as the 
``DHS Industrial Control Systems Capabilities Enhancement Act 
of 2018''.

Sec. 2.   Capabilities of National Cybersecurity and Communications 
        Integration Center to Identify Threats to Industrial Control 
        Systems.

    This section amends the second section 227 of the Homeland 
Security Act (HSA).
    This section formally codifies the NCCIC's role in 
addressing the security of both information technology and 
operational technology, including industrial control systems.
    This section indicates that the NCCIC will maintain 
capabilities to identify and address threats and 
vulnerabilities to products and technologies intended for use 
in the automated control of critical infrastructure processes 
by leading Federal Government efforts to mitigate cybersecurity 
threats to industrial control systems (ICS), and maintaining 
cross-sector incident response capabilities to respond to ICS 
cybersecurity incidents. NCCIC can provide cybersecurity 
technical assistance to ICS end users, product manufacturers 
and other stakeholders to mitigate and identify 
vulnerabilities. This section includes an amendment to ensure 
NCCIC also collects, coordinates and provides vulnerability 
information to the ICS community. The Committee intends for DHS 
to continue training and outreach efforts to the private sector 
so that the mutual exchange with ICS industry stakeholders 
allows both the public and private sectors to be fully aware of 
the cyber threat landscape.
    This section requires the NCCIC to brief the U.S. House of 
Representatives Committee on Homeland Security and U.S. Senate 
Committee on Homeland Security and Governmental Affairs, for 
the first four years after the enactment of this bill, on the 
industrial control systems capabilities at NCCIC.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002



           *       *       *       *       *       *       *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

           *       *       *       *       *       *       *


Subtitle C--Information Security

           *       *       *       *       *       *       *


SEC. 227. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.

  (a) Definitions.--In this section--
          (1) the term ``cybersecurity risk''--
                  (A) means threats to and vulnerabilities of 
                information or information systems and any 
                related consequences caused by or resulting 
                from unauthorized access, use, disclosure, 
                degradation, disruption, modification, or 
                destruction of such information or information 
                systems, including such related consequences 
                caused by an act of terrorism; and
                  (B) does not include any action that solely 
                involves a violation of a consumer term of 
                service or a consumer licensing agreement;
          (2) the terms ``cyber threat indicator'' and 
        ``defensive measure'' have the meanings given those 
        terms in section 102 of the Cybersecurity Act of 2015;
          (3) the term ``incident'' means an occurrence that 
        actually or imminently jeopardizes, without lawful 
        authority, the integrity, confidentiality, or 
        availability of information on an information system, 
        or actually or imminently jeopardizes, without lawful 
        authority, an information system;
          (4) the term ``information sharing and analysis 
        organization'' has the meaning given that term in 
        section 212(5);
          (5) the term ``information system'' has the meaning 
        given that term in section 3502(8) of title 44, United 
        States Code; and
          (6) the term ``sharing'' (including all conjugations 
        thereof) means providing, receiving, and disseminating 
        (including all conjugations of each of such terms).
  (b) Center.--There is in the Department a national 
cybersecurity and communications integration center (referred 
to in this section as the ``Center'') to carry out certain 
responsibilities of the Under Secretary appointed under section 
103(a)(1)(H).
  (c) Functions.--The cybersecurity functions of the Center 
shall include--
          (1) being a Federal civilian interface for the multi-
        directional and cross-sector sharing of information 
        related to cyber threat indicators, defensivemeasures, 
        cybersecurity risks, incidents, analysis, and warnings 
        for Federal and non-Federal entities, including the 
        implementationof title I of the Cybersecurity Act of 
        2015;
          (2) providing shared situational awareness to enable 
        real-time, integrated, and operational actions across 
        the Federal Government and non-Federal entities to 
        address cybersecurity risks and incidents to Federal 
        and non-Federal entities;
          (3) coordinating the sharing of information related 
        to cyber threat indicators, defensive 
        measures,cybersecurity risks, and incidents across the 
        Federal Government;
          (4) facilitating cross-sector coordination to address 
        cybersecurity risks and incidents, including 
        cybersecurity risks and incidents that may be related 
        or could have consequential impacts across multiple 
        sectors;
          (5)(A) conducting integration and analysis, including 
        cross-sector integration and analysis, of cyber threat 
        indicators, defensivemeasures, cybersecurity risks, and 
        incidents; and
          (B) sharing the analysis conducted under subparagraph 
        (A) with Federal and non-Federal entities;
          (6) upon request, providing timely technical 
        assistance, risk management support, and incident 
        response capabilities to Federal and non-Federal 
        entities with respect to cyber threat indicators, 
        defensive measures, cybersecurityrisks, and incidents, 
        which may include attribution, mitigation, and 
        remediation;
          (7) providing information and recommendations on 
        security and resilience measures to Federal and non-
        Federal entities, including information and 
        recommendations to--
                  (A) facilitate information security;
                  (B) strengthen information systems against 
                cybersecurity risks and incidents; and
                  (C) sharing cyber threat indicators and 
                defensive measures;
          (8) engaging with international partners, in 
        consultation with other appropriate agencies, to--
                  (A) collaborate on cyber threat indicators, 
                defensive measures, and information related to 
                cybersecurity risks and incidents; and
                  (B) enhance the security and resilience of 
                global cybersecurity;
          (9) sharing cyber threat indicators, defensive 
        measures, and other information related to 
        cybersecurity risks and incidents with Federal and non-
        Federal entities, including across sectors of critical 
        infrastructure and with State and major urban area 
        fusion centers, as appropriate;
          (10) participating, as appropriate, in national 
        exercises run by the Department; and
          (11) in coordination with the Office of Emergency 
        Communications of the Department, assessing and 
        evaluating consequence, vulnerability, and threat 
        information regarding cyber incidents to public safety 
        communications to help facilitate continuous 
        improvements to the security and resiliency of such 
        communications.
  (d) Composition.--
          (1) In general.--The Center shall be composed of--
                  (A) appropriate representatives of Federal 
                entities, such as--
                          (i) sector-specific agencies;
                          (ii) civilian and law enforcement 
                        agencies; and
                          (iii) elements of the intelligence 
                        community, as that term is defined 
                        under section 3(4) of the National 
                        Security Act of 1947 (50 U.S.C. 
                        3003(4));
                  (B) appropriate representatives of non-
                Federal entities, such as--
                          (i) State, local, and tribal 
                        governments;
                          (ii) information sharing and analysis 
                        organizations, including information 
                        sharing and analysis centers;
                          (iii) owners and operators of 
                        critical information systems; and
                          (iv) private entities;
                  (C) components within the Center that carry 
                out cybersecurity and communications 
                activities;
                  (D) a designated Federal official for 
                operational coordination with and across each 
                sector;
                  (E) an entity that collaborates with State 
                and local governments on cybersecurity risks 
                and incidents, and has entered into a voluntary 
                information sharing relationship with the 
                Center; and
                  (F) other appropriate representatives or 
                entities, as determined by the Secretary.
          (2) Incidents.--In the event of an incident, during 
        exigent circumstances the Secretary may grant a Federal 
        or non-Federal entity immediate temporary access to the 
        Center.
  (e) Principles.--In carrying out the functions under 
subsection (c), the Center shall ensure--
          (1) to the extent practicable, that--
                  (A) timely, actionable, and relevant cyber 
                threatindicators, defensive measures, and 
                information related to cybersecurity risks, 
                incidents, and analysis is shared;
                  (B) when appropriate, cyber threatindicators, 
                defensive measures, and information related to 
                cybersecurity risks, incidents, and analysis is 
                integrated with other relevant information and 
                tailored to the specific characteristics of a 
                sector;
                  (C) activities are prioritized and conducted 
                based on the level of risk;
                  (D) industry sector-specific, academic, and 
                national laboratory expertise is sought and 
                receives appropriate consideration;
                  (E) continuous, collaborative, and inclusive 
                coordination occurs--
                          (i) across sectors; and
                          (ii) with--
                                  (I) sector coordinating 
                                councils;
                                  (II) information sharing and 
                                analysis organizations; and
                                  (III) other appropriate non-
                                Federal partners;
                  (F) as appropriate, the Center works to 
                develop and use mechanisms for sharing 
                information related to cyber threat indicators, 
                defensive measures,cybersecurity risks, and 
                incidents that are technology-neutral, 
                interoperable, real-time, cost-effective, and 
                resilient;
                  (G) the Center works with other agencies to 
                reduce unnecessarily duplicative sharing of 
                information related to cyber threat 
                indicators,defensive measures, cybersecurity 
                risks, andincidents; [and];
                  (H) the Center designates an agency contact 
                for non-Federal entities; and
                  (I) activities of the Center address the 
                security of both information technology and 
                operational technology, including industrial 
                control systems;
          (2) that information related to cyber threat 
        indicators, defensive measures, cybersecurityrisks, and 
        incidents is appropriately safeguarded against 
        unauthorized access or disclosure; and
          (3) that activities conducted by the Center comply 
        with all policies, regulations, and laws that protect 
        the privacy and civil liberties of United States 
        persons, including by working withthe Privacy Officer 
        appointed under section 222 to ensurethat the Center 
        follows the policies and procedures specifiedin 
        subsections (b) and (d)(5)(C) of section 105 of the 
        CybersecurityAct of 2015.
  (f) Industrial Control Systems.--The Center shall maintain 
capabilities to identify and address threats and 
vulnerabilities to products and technologies intended for use 
in the automated control of critical infrastructure processes. 
In carrying out this subsection, the Center shall--
          (1) lead, in coordination with relevant sector 
        specific agencies, Federal Government efforts to 
        identify and mitigate cybersecurity threats to 
        industrial control systems, including supervisory 
        control and data acquisition systems;
          (2) maintain cross-sector incident response 
        capabilities to respond to industrial control system 
        cybersecurity incidents;
          (3) provide cybersecurity technical assistance to 
        industry end-users, product manufacturers, and other 
        industrial control system stakeholders to identify and 
        mitigate vulnerabilities;
          (4) collect, coordinate, and provide vulnerability 
        information to the industrial control systems community 
        by, as appropriate, working closely with security 
        researchers, industry end-users, product manufacturers, 
        and other industrial control systems stakeholders; and
          (5) conduct such other efforts and assistance as the 
        Secretary determines appropriate.
  [(f)] (g) No Right or Benefit.--
          (1) In general.--The provision of assistance or 
        information to, and inclusion in the Center of, 
        governmental or private entities under this section 
        shall be at the sole and unreviewable discretion of the 
        Under Secretary appointed under section 103(a)(1)(H).
          (2) Certain assistance or information.--The provision 
        of certain assistance or information to, or inclusion 
        in the Center of, one governmental or private entity 
        pursuant to this section shall not create a right or 
        benefit, substantive or procedural, to similar 
        assistance or information for any other governmental or 
        private entity.
  [(g)] (h) Automated Information Sharing.--
          (1) In general.--The Under Secretary appointed under 
        section 103(a)(1)(H), in coordination with industry and 
        other stakeholders, shall develop capabilities making 
        use of existing information technology industry 
        standards and best practices, as appropriate, that 
        support and rapidly advance the development, adoption, 
        and implementation of automated mechanisms for the 
        sharing of cyber threat indicators and defensive 
        measures in accordance with title I of the 
        Cybersecurity Act of 2015.
          (2) Annual report.--The Under Secretary appointed 
        under section 103(a)(1)(H) shall submit to the 
        Committee on Homeland Security and Governmental Affairs 
        of the Senate and the Committee on Homeland Security of 
        the House of Representatives an annual report on the 
        status and progress of the development of the 
        capabilities described in paragraph (1). Such reports 
        shall be required until such capabilities are fully 
        implemented.
  [(h)] (i) Voluntary Information Sharing Procedures.--
          (1) Procedures.--
                  (A) In general.--The Center may enter into a 
                voluntary information sharing relationship with 
                any consenting non-Federal entity for the 
                sharing of cyber threat indicators and 
                defensive measures for cybersecurity purposes 
                in accordance with this section. Nothing in 
                this subsection may be construed to require any 
                non-Federal entity to enter into any such 
                information sharing relationship with the 
                Center or any other entity. The Center may 
                terminate a voluntary information sharing 
                relationship under this subsection, at the sole 
                and unreviewable discretion of the Secretary, 
                acting through the Under Secretary appointed 
                under section 103(a)(1)(H), for any reason, 
                including if the Center determines that the 
                non-Federal entity with which the Center has 
                entered into such a relationship has violated 
                the terms of this subsection.
                  (B) National security.--The Secretary may 
                decline to enter into a voluntary information 
                sharing relationship under this subsection, at 
                the sole and unreviewable discretion of the 
                Secretary, acting through the Under Secretary 
                appointed under section 103(a)(1)(H), for any 
                reason, including if the Secretary determines 
                that such is appropriate for national security.
          (2) Voluntary information sharing relationships.--A 
        voluntary information sharing relationship under this 
        subsection may be characterized as an agreement 
        described in this paragraph.
                  (A) Standard agreement.--For the use of a 
                non-Federal entity, the Center shall make 
                available a standard agreement, consistent with 
                this section, on the Department's website.
                  (B) Negotiated agreement.--At the request of 
                a non-Federal entity, and if determined 
                appropriate by the Center, at the sole and 
                unreviewable discretion of the Secretary, 
                acting through the Under Secretary appointed 
                under section 103(a)(1)(H), the Department 
                shall negotiate a non-standard agreement, 
                consistent with this section.
                  (C) Existing agreements.--An agreement 
                between the Center and a non-Federal entity 
                that is entered into before the date of 
                enactment of this subsection, or such an 
                agreement that is in effect before such date, 
                shall be deemed in compliance with the 
                requirements of this subsection, 
                notwithstanding any other provision or 
                requirement of this subsection. An agreement 
                under this subsection shall include the 
                relevant privacy protections as in effect under 
                the Cooperative Research and Development 
                Agreement for Cybersecurity Information Sharing 
                and Collaboration, as of December 31, 2014. 
                Nothing in this subsection may be construed to 
                require a non-Federal entity to enter into 
                either a standard or negotiated agreement to be 
                in compliance with this subsection.
  [(i)] (j) Direct Reporting.--The Secretary shall develop 
policies and procedures for direct reporting to the Secretary 
by the Director of the Center regarding significant 
cybersecurity risks and incidents.
  [(j)] (k) Reports on International Cooperation.--Not later 
than 180 days after the date of enactment of this subsection, 
and periodically thereafter, the Secretary of Homeland Security 
shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on 
Homeland Security of the House of Representatives a report on 
the range of efforts underway to bolster cybersecurity 
collaboration with relevant international partners in 
accordance with subsection (c)(8).
  [(k)] (l) Outreach.--Not later than 60 days after the date of 
enactment of this subsection, the Secretary, acting through the 
Under Secretary appointed under section 103(a)(1)(H), shall--
          (1) disseminate to the public information about how 
        to voluntarily share cyber threat indicators and 
        defensive measures with the Center; and
          (2) enhance outreach to critical infrastructure 
        owners and operators for purposes of such sharing.
  [(l)] (m) Cybersecurity Outreach.--
          (1) In general.--The Secretary may leverage small 
        business development centers to provide assistance to 
        small business concerns by disseminating information on 
        cyber threat indicators, defense measures, 
        cybersecurity risks, incidents, analyses, and warnings 
        to help small business concerns in developing or 
        enhancing cybersecurity infrastructure, awareness of 
        cyber threat indicators, and cyber training programs 
        for employees.
          (2) Definitions.--For purposes of this subsection, 
        the terms ``small business concern'' and ``small 
        business development center'' have the meaning given 
        such terms, respectively, under section 3 of the Small 
        Business Act.
  [(m)] (n) Coordinated Vulnerability Disclosure.--The 
Secretary, in coordination with industry and other 
stakeholders, may develop and adhere to Department policies and 
procedures for coordinating vulnerability disclosures.

           *       *       *       *       *       *       *


                                  [all]