[House Report 116-193]
[From the U.S. Government Publishing Office]


116th Congress    }                                      {      Report
                        HOUSE OF REPRESENTATIVES
 1st Session      }                                      {     116-193

======================================================================



 
              CYBERSECURITY VULNERABILITY REMEDIATION ACT

                                _______
                                

August 30, 2019.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Thompson of Mississippi, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3710]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3710) to amend the Homeland Security Act of 2002 
to provide for the remediation of cybersecurity 
vulnerabilities, and for other purposes, having considered the 
same, report favorably thereon without amendment and recommend 
that the bill do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and 
  Tax Expenditures
Federal Mandates Statement
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

                          Purpose and Summary

    H.R. 3710, the ``Cybersecurity Vulnerability Remediation 
Act,'' seeks to improve how the Department of Homeland 
Security's (DHS) Cybersecurity and Infrastructure Security 
Agency (CISA) helps Federal and non-Federal entities manage 
known cybersecurity risks. Toward that end, the bill would 
authorize the CISA Director to identify, develop, and 
disseminate actionable protocols to mitigate cybersecurity 
vulnerabilities--including for software or hardware that is no 
longer supported by the vendor. Additionally, the bill would 
authorize the DHS Under Secretary for Science and Technology to 
establish an incentive-based program that allows industry, 
individuals, academia, and others to compete in providing 
remediation solutions for cybersecurity vulnerabilities.

                  Background and Need for Legislation

    The Cybersecurity and Infrastructure Security Agency (CISA) 
is responsible for Federal network protection and providing 
voluntary cybersecurity services to non-Federal entities. 
Toward that end, CISA has invested in developing systems to 
catalogue cybersecurity vulnerabilities. Leveraging the Common 
Vulnerabilities and Exposures (CVE) database and in partnership 
with the National Institute of Standards and Technology (NIST), 
CISA established the National Vulnerability Database (NVD) to 
assess the severity of cybersecurity vulnerabilities.
    Even with these tools, however, owners and operators 
of public and private information systems are not consistently 
able to manage known security risks and combat cyber threats. 
H.R. 3710 would authorize CISA to develop and distribute 
``playbooks,'' in consultation with private sector experts, to 
provide procedures and mitigation strategies for the most 
critical, known vulnerabilities--especially those affecting 
software or hardware that is no longer supported by a vendor. 
The playbooks would be available to Federal agencies, industry, 
and other stakeholders. H.R. 3710 would also allow for the DHS 
Science and Technology Directorate (S&T), in consultation with 
CISA, to establish a competition program for industry, 
individuals, academia, and others to provide remediation 
solutions for cybersecurity vulnerabilities that are no longer 
supported.

                                Hearings

    For the purpose of section 103(i) of H. Res. 6 of the 116th 
Congress, the following related hearings were held:
    A Full Committee hearing entitled ``Defending Our 
Democracy: Building Partnerships to Protect America's 
Elections,'' on February 13, 2019, and a hearing held by the 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Innovation entitled ``Cybersecurity Challenges for State and 
Local Governments: Assessing How the Federal Government Can 
Help,'' on June 25, 2019.

                        Committee Consideration

    The Committee met on July 17, 2019, with a quorum being 
present, to consider H.R. 3710 and ordered the measure to be 
reported to the House with a favorable recommendation, without 
amendment, by unanimous consent.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.

                      Committee Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the Committee advises that the 
findings and recommendations of the Committee, based on 
oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

Congressional Budget Office Estimate, New Budget Authority, Entitlement 
                    Authority, and Tax Expenditures

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause (3)(c)(3) of rule XIII of the Rules 
of the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee adopts as its 
own the cost estimate prepared by the Director of the 
Congressional Budget Office.

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, August 1, 2019.
Hon. Bennie G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3710, the 
Cybersecurity Vulnerability Remediation Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

    H.R. 3710 would authorize the Department of Homeland 
Security (DHS) to disseminate information to the public about 
vulnerabilities in the software and hardware of information 
systems. The bill also would authorize DHS to establish an 
award program to encourage independent researchers to identify 
and report vulnerabilities and solutions for those 
vulnerabilities to the department.
    DHS is already performing many of the cybersecurity 
activities that would be authorized by H.R. 3710. The 
department manages several programs that provide services and 
information to help system administrators, software 
manufacturers, and the general public identify cyber 
vulnerabilities. For example, the DHS Common Vulnerabilities 
and Exposures program helps software vendors identify risks and 
communicate to their customers how vulnerabilities affect their 
products and services.
    To estimate the cost of providing incentive payments to 
independent researchers, CBO used information about similar 
programs of other federal agencies. For example, the General 
Services Administration (GSA) offers payments to individual 
researchers through its Bug Bounty program for each 
vulnerability identified. Those payments range from $150 to 
$5,000 based on how critical the potential target is to GSA's 
operations. On the basis of budget data from those related 
programs, CBO estimates that making incentive payments to 
independent researchers for identifying vulnerabilities would 
cost $11 million each year. CBO expects that DHS would be ready 
to implement the program beginning in 2021. Thus, CBO estimates 
that enacting H.R. 3710 would cost $44 million over the 
2019-2024 period. Such spending would be subject to availability of 
appropriated funds.
    Areas of uncertainty in that estimate include expectations 
about the criteria DHS would use in awarding payments to 
independent researchers. H.R. 3710 would give DHS broad 
latitude in establishing the criteria under which it would 
provide cash payments. CBO assumes that the department would 
limit payments to actions that protect government systems. The 
budgetary effects of the bill would be significantly larger 
than this estimate if DHS also provides payments for actions 
that protect nonfederal systems.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Assistant Director 
for Budget Analysis.

                       Federal Mandates Statement

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 3710 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

                    Performance Goals and Objectives

    The Committee states that pursuant to clause 3(c)(4) of 
rule XIII of the Rules of the House of Representatives, H.R. 
3710 would authorize the CISA Director to identify, develop, 
and share mitigation protocols for managing security 
vulnerabilities and addressing cybersecurity risk. Additionally, 
the bill would authorize the DHS Under Secretary for Science 
and Technology to establish an incentive-based program that 
allows industry, individuals, academia, and others to compete 
in providing remediation solutions for cybersecurity 
vulnerabilities.

                          Advisory on Earmarks

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(d), 9(e), or 9(f) of rule 
XXI.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    This section provides that the bill may be cited as the 
``Cybersecurity Vulnerability Remediation Act''.

Sec. 2. Cybersecurity vulnerabilities

    This section provides that the term ``cybersecurity 
vulnerability'' has the meaning given the term ``security 
vulnerability'' in section 102 of the Cybersecurity Information 
Sharing Act of 2015.
    The section authorizes the CISA Director to, as 
appropriate, identify, develop, and disseminate actionable 
protocols to mitigate cybersecurity vulnerabilities, including 
in circumstances in which such vulnerabilities exist because 
software or hardware is no longer supported by a vendor. The 
section further provides that the National Cybersecurity and 
Communications Integration Center shall share mitigation 
protocols to counter cybersecurity vulnerabilities.

Sec. 3. Report on cybersecurity vulnerabilities

    This section provides that not later than one year after 
the date of the enactment of this Act, the CISA Director shall 
submit to the Committee on Homeland Security of the House of 
Representatives and the Committee on Homeland Security and 
Governmental Affairs of the Senate a report on how the Agency 
carries out subsection (m) of section 2209 of the Homeland 
Security Act of 2002 to coordinate vulnerability disclosures, 
including disclosures of cybersecurity vulnerabilities (as such 
term is defined in such section), and subsection (n) of such 
section (as added by section 2) to disseminate actionable 
protocols to mitigate cybersecurity vulnerabilities, that 
includes the following: a description of the policies and 
procedures relating to the coordination of vulnerability 
disclosures; a description of the levels of activity in 
furtherance of such subsections (m) and (n) of such section 
2209; any plans to make further improvements to how information 
provided pursuant to such subsections can be shared (as such 
term is defined in such section 2209) between the Department 
and industry and other stakeholders; any available information 
on the degree to which such information was acted upon by 
industry and other stakeholders; a description of how privacy 
and civil liberties are preserved in the collection, retention, 
use, and sharing of vulnerability disclosures.

Sec. 4. Competition relating to cybersecurity vulnerabilities

    This section authorizes the Under Secretary for Science and 
Technology at the Department of Homeland Security, in consultation 
with the CISA Director, to establish an incentive-based program 
that allows industry, individuals, academia, and others to 
compete in providing remediation solutions for cybersecurity 
vulnerabilities (as such term is defined in section 2209 of the 
Homeland Security Act of 2002, as amended by section 2). The 
Committee believes that the establishment of an incentives-
based program could enhance CISA's ability to develop timely 
playbooks to mitigate known cybersecurity vulnerabilities that 
could be exploited.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002



           *       *       *       *       *       *       *
      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2209. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION 
                    CENTER.

  (a) Definitions.--In this section--
          (1) the term ``cybersecurity risk''--
                  (A) means threats to and vulnerabilities of 
                information or information systems and any 
                related consequences caused by or resulting 
                from unauthorized access, use, disclosure, 
                degradation, disruption, modification, or 
                destruction of such information or information 
                systems, including such related consequences 
                caused by an act of terrorism; and
                  (B) does not include any action that solely 
                involves a violation of a consumer term of 
                service or a consumer licensing agreement;
          (2) the terms ``cyber threat indicator'' and 
        ``defensive measure'' have the meanings given those 
        terms in section 102 of the Cybersecurity Act of 2015;
          (3) the term ``incident'' means an occurrence that 
        actually or imminently jeopardizes, without lawful 
        authority, the integrity, confidentiality, or 
        availability of information on an information system, 
        or actually or imminently jeopardizes, without lawful 
        authority, an information system;
          (4) the term ``information sharing and analysis 
        organization'' has the meaning given that term in 
        section 2222(5);
          (5) the term ``information system'' has the meaning 
        given that term in section 3502(8) of title 44, United 
        States Code; [and]
          (6) the term ``cybersecurity vulnerability'' has the 
        meaning given the term ``security vulnerability'' in 
        section 102 of the Cybersecurity Information Sharing 
        Act of 2015 (6 U.S.C. 1501); and
          [(6)] (7) the term ``sharing'' (including all 
        conjugations thereof) means providing, receiving, and 
        disseminating (including all conjugations of each of 
        such terms).
  (b) Center.--There is in the Department a national 
cybersecurity and communications integration center (referred 
to in this section as the ``Center'') to carry out certain 
responsibilities of the Director. The Center shall be located 
in the Cybersecurity and Infrastructure Security Agency. The head 
of the Center shall report to the Assistant Director for 
Cybersecurity.
  (c) Functions.--The cybersecurity functions of the Center 
shall include--
          (1) being a Federal civilian interface for the multi-
        directional and cross-sector sharing of information 
        related to cyber threat indicators, defensive measures, 
        cybersecurity risks, incidents, analysis, and warnings 
        for Federal and non-Federal entities, including the 
        implementation of title I of the Cybersecurity Act of 
        2015;
          (2) providing shared situational awareness to enable 
        real-time, integrated, and operational actions across 
        the Federal Government and non-Federal entities to 
        address cybersecurity risks and incidents to Federal 
        and non-Federal entities;
          (3) coordinating the sharing of information related 
        to cyber threat indicators, defensive 
        measures, cybersecurity risks, and incidents across the 
        Federal Government;
          (4) facilitating cross-sector coordination to address 
        cybersecurity risks and incidents, including 
        cybersecurity risks and incidents that may be related 
        or could have consequential impacts across multiple 
        sectors;
          (5)(A) conducting integration and analysis, including 
        cross-sector integration and analysis, of cyber threat 
        indicators, defensive measures, cybersecurity risks, and 
        incidents; [and]
          (B) sharing mitigation protocols to counter 
        cybersecurity vulnerabilities pursuant to subsection 
        (n); and
          [(B)] (C) sharing the analysis conducted under 
        subparagraph (A) and mitigation protocols to counter 
        cybersecurity vulnerabilities in accordance with 
        subparagraph (B) with Federal and non-Federal entities;
          (6) upon request, providing timely technical 
        assistance, risk management support, and incident 
        response capabilities to Federal and non-Federal 
        entities with respect to cyber threat indicators, 
        defensive measures, cybersecurity risks, and incidents, 
        which may include attribution, mitigation, and 
        remediation;
          (7) providing information and recommendations on 
        security and resilience measures to Federal and non-
        Federal entities, including information and 
        recommendations to--
                  (A) facilitate information security;
                  (B) strengthen information systems against 
                cybersecurity risks and incidents; and
                  (C) [sharing] share cyber threat indicators 
                and defensive measures;
          (8) engaging with international partners, in 
        consultation with other appropriate agencies, to--
                  (A) collaborate on cyber threat indicators, 
                defensive measures, and information related to 
                cybersecurity risks and incidents; and
                  (B) enhance the security and resilience of 
                global cybersecurity;
          (9) sharing cyber threat indicators, defensive 
        measures, mitigation protocols to counter cybersecurity 
        vulnerabilities, and other information related to 
        cybersecurity risks and incidents with Federal and non-
        Federal entities, including across sectors of critical 
        infrastructure and with State and major urban area 
        fusion centers, as appropriate;
          (10) participating, as appropriate, in national 
        exercises run by the Department; and
          (11) in coordination with the Emergency 
        Communications Division of the Department, assessing 
        and evaluating consequence, vulnerability, and threat 
        information regarding cyber incidents to public safety 
        communications to help facilitate continuous 
        improvements to the security and resiliency of such 
        communications.
  (d) Composition.--
          (1) In general.--The Center shall be composed of--
                  (A) appropriate representatives of Federal 
                entities, such as--
                          (i) sector-specific agencies;
                          (ii) civilian and law enforcement 
                        agencies; and
                          (iii) elements of the intelligence 
                        community, as that term is defined 
                        under section 3(4) of the National 
                        Security Act of 1947 (50 U.S.C. 
                        3003(4));
                  (B) appropriate representatives of non-
                Federal entities, such as--
                          (i) State, local, and tribal 
                        governments;
                          (ii) information sharing and analysis 
                        organizations, including information 
                        sharing and analysis centers;
                          (iii) owners and operators of 
                        critical information systems; and
                          (iv) private entities;
                  (C) components within the Center that carry 
                out cybersecurity and communications 
                activities;
                  (D) a designated Federal official for 
                operational coordination with and across each 
                sector;
                  (E) an entity that collaborates with State 
                and local governments on cybersecurity risks 
                and incidents, and has entered into a voluntary 
                information sharing relationship with the 
                Center; and
                  (F) other appropriate representatives or 
                entities, as determined by the Secretary.
          (2) Incidents.--In the event of an incident, during 
        exigent circumstances the Secretary may grant a Federal 
        or non-Federal entity immediate temporary access to the 
        Center.
  (e) Principles.--In carrying out the functions under 
subsection (c), the Center shall ensure--
          (1) to the extent practicable, that--
                  (A) timely, actionable, and relevant cyber 
                threat indicators, defensive measures, and 
                information related to cybersecurity risks, 
                incidents, and analysis is shared;
                  (B) when appropriate, cyber threat 
                indicators, defensive measures, and information 
                related to cybersecurity risks, incidents, and 
                analysis is integrated with other relevant 
                information and tailored to the specific 
                characteristics of a sector;
                  (C) activities are prioritized and conducted 
                based on the level of risk;
                  (D) industry sector-specific, academic, and 
                national laboratory expertise is sought and 
                receives appropriate consideration;
                  (E) continuous, collaborative, and inclusive 
                coordination occurs--
                          (i) across sectors; and
                          (ii) with--
                                  (I) sector coordinating 
                                councils;
                                  (II) information sharing and 
                                analysis organizations; and
                                  (III) other appropriate non-
                                Federal partners;
                  (F) as appropriate, the Center works to 
                develop and use mechanisms for sharing 
                information related to cyber threat indicators, 
                defensive measures, cybersecurity risks, and 
                incidents that are technology-neutral, 
                interoperable, real-time, cost-effective, and 
                resilient;
                  (G) the Center works with other agencies to 
                reduce unnecessarily duplicative sharing of 
                information related to cyber threat indicators, 
                defensive measures, cybersecurity risks, and 
                incidents; and[;]
                  (H) the Center designates an agency contact 
                for non-Federal entities;
          (2) that information related to cyber threat 
        indicators, defensive measures, cybersecurity risks, 
        and incidents is appropriately safeguarded against 
        unauthorized access or disclosure; and
          (3) that activities conducted by the Center comply 
        with all policies, regulations, and laws that protect 
        the privacy and civil liberties of United States 
        persons, including by working with the Privacy Officer 
        appointed under section 222 to ensure that the Center 
        follows the policies and procedures specified in 
        subsections (b) and (d)(5)(C) of section 105 of the 
        Cybersecurity Act of 2015.
  (f) No Right or Benefit.--
          (1) In general.--The provision of assistance or 
        information to, and inclusion in the Center of, 
        governmental or private entities under this section 
        shall be at the sole and unreviewable discretion of the 
        Director.
          (2) Certain assistance or information.--The provision 
        of certain assistance or information to, or inclusion 
        in the Center of, one governmental or private entity 
        pursuant to this section shall not create a right or 
        benefit, substantive or procedural, to similar 
        assistance or information for any other governmental or 
        private entity.
  (g) Automated Information Sharing.--
          (1) In general.--The Director, in coordination with 
        industry and other stakeholders, shall develop 
        capabilities making use of existing information 
        technology industry standards and best practices, as 
        appropriate, that support and rapidly advance the 
        development, adoption, and implementation of automated 
        mechanisms for the sharing of cyber threat indicators 
        and defensive measures in accordance with title I of 
        the Cybersecurity Act of 2015.
          (2) Annual report.--The Director shall submit to the 
        Committee on Homeland Security and Governmental Affairs 
        of the Senate and the Committee on Homeland Security of 
        the House of Representatives an annual report on the 
        status and progress of the development of the 
        capabilities described in paragraph (1). Such reports 
        shall be required until such capabilities are fully 
        implemented.
  (h) Voluntary Information Sharing Procedures.--
          (1) Procedures.--
                  (A) In general.--The Center may enter into a 
                voluntary information sharing relationship with 
                any consenting non-Federal entity for the 
                sharing of cyber threat indicators and 
                defensive measures for cybersecurity purposes 
                in accordance with this section. Nothing in 
                this subsection may be construed to require any 
                non-Federal entity to enter into any such 
                information sharing relationship with the 
                Center or any other entity. The Center may 
                terminate a voluntary information sharing 
                relationship under this subsection, at the sole 
                and unreviewable discretion of the Secretary, 
                acting through the Director, for any reason, 
                including if the Center determines that the 
                non-Federal entity with which the Center has 
                entered into such a relationship has violated 
                the terms of this subsection.
                  (B) National security.--The Secretary may 
                decline to enter into a voluntary information 
                sharing relationship under this subsection, at 
                the sole and unreviewable discretion of the 
                Secretary, acting through the Director, for any 
                reason, including if the Secretary determines 
                that such is appropriate for national security.
          (2) Voluntary information sharing relationships.--A 
        voluntary information sharing relationship under this 
        subsection may be characterized as an agreement 
        described in this paragraph.
                  (A) Standard agreement.--For the use of a 
                non-Federal entity, the Center shall make 
                available a standard agreement, consistent with 
                this section, on the Department's website.
                  (B) Negotiated agreement.--At the request of 
                a non-Federal entity, and if determined 
                appropriate by the Center, at the sole and 
                unreviewable discretion of the Secretary, 
                acting through the Director, the Department 
                shall negotiate a non-standard agreement, 
                consistent with this section.
                  (C) Existing agreements.--An agreement 
                between the Center and a non-Federal entity 
                that is entered into before the date of 
                enactment of this subsection, or such an 
                agreement that is in effect before such date, 
                shall be deemed in compliance with the 
                requirements of this subsection, 
                notwithstanding any other provision or 
                requirement of this subsection. An agreement 
                under this subsection shall include the 
                relevant privacy protections as in effect under 
                the Cooperative Research and Development 
                Agreement for Cybersecurity Information Sharing 
                and Collaboration, as of December 31, 2014. 
                Nothing in this subsection may be construed to 
                require a non-Federal entity to enter into 
                either a standard or negotiated agreement to be 
                in compliance with this subsection.
  (i) Direct Reporting.--The Secretary shall develop policies 
and procedures for direct reporting to the Secretary by the 
Director of the Center regarding significant cybersecurity 
risks and incidents.
  (j) Reports on International Cooperation.--Not later than 180 
days after the date of enactment of this subsection, and 
periodically thereafter, the Secretary of Homeland Security 
shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on 
Homeland Security of the House of Representatives a report on 
the range of efforts underway to bolster cybersecurity 
collaboration with relevant international partners in 
accordance with subsection (c)(8).
  (k) Outreach.--Not later than 60 days after the date of 
enactment of this subsection, the Secretary, acting through the 
Director, shall--
          (1) disseminate to the public information about how 
        to voluntarily share cyber threat indicators and 
        defensive measures with the Center; and
          (2) enhance outreach to critical infrastructure 
        owners and operators for purposes of such sharing.
  (l) Cybersecurity Outreach.--
          (1) In general.--The Secretary may leverage small 
        business development centers to provide assistance to 
        small business concerns by disseminating information on 
        cyber threat indicators, defense measures, 
        cybersecurity risks, incidents, analyses, and warnings 
        to help small business concerns in developing or 
        enhancing cybersecurity infrastructure, awareness of 
        cyber threat indicators, and cyber training programs 
        for employees.
          (2) Definitions.--For purposes of this subsection, 
        the terms ``small business concern'' and ``small 
        business development center'' have the meaning given 
        such terms, respectively, under section 3 of the Small 
        Business Act.
  (m) Coordinated Vulnerability Disclosure.--The Secretary, in 
coordination with industry and other stakeholders, may develop 
and adhere to Department policies and procedures for 
coordinating vulnerability disclosures.
  (n) Protocols to Counter Cybersecurity Vulnerabilities.--The 
Director may, as appropriate, identify, develop, and 
disseminate actionable protocols to mitigate cybersecurity 
vulnerabilities, including in circumstances in which such 
vulnerabilities exist because software or hardware is no longer 
supported by a vendor.

           *       *       *       *       *       *       *

