[Senate Report 116-242]
[From the U.S. Government Publishing Office]
Calendar No. 500
116th Congress } { Report
SENATE
2d Session } { 116-242
_______________________________________________________________________
CYBERSECURITY VULNERABILITY IDENTIFICATION AND NOTIFICATION ACT
__________
R E P O R T
OF THE
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
TO ACCOMPANY
S. 3045
TO AMEND THE HOMELAND SECURITY ACT OF 2012 TO PROTECT UNITED STATES
CRITICAL INFRASTRUCTURE BY ENSURING THAT THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY HAS THE LEGAL TOOLS IT NEEDS TO NOTIFY
PRIVATE AND PUBLIC SECTOR ENTITIES PUT AT RISK BY CYBERSECURITY
VULNERABILITIES IN THE NETWORKS AND SYSTEMS THAT CONTROL CRITICAL
ASSETS OF THE UNITED STATES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
July 29, 2020.--Ordered to be printed
__________
U.S. GOVERNMENT PUBLISHING OFFICE
99-010 WASHINGTON : 2020
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio GARY C. PETERS, Michigan
RAND PAUL, Kentucky THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah KAMALA D. HARRIS, California
RICK SCOTT, Florida KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri
Gabrielle D'Adamo Singer, Staff Director
Joseph C. Folio III, Chief Counsel
Michael Flynn, Senior Counsel
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Jeffrey D. Rothblum, Minority Senior Professional Staff Member
Laura W. Kilbride, Chief Clerk
Calendar No. 500
16th Congress } { Report
SENATE
2d Session } { 116-242
======================================================================
CYBERSECURITY VULNERABILITY IDENTIFICATION AND NOTIFICATION ACT
_______
July 29, 2020.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3045]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3045), to amend the
Homeland Security Act of 2002 to protect United States critical
infrastructure by ensuring that the Cybersecurity and
Infrastructure Security Agency has the legal tools it needs to
notify private and public sector entities put a risk by
cybersecurity vulnerabilities in the networks and systems that
control critical assets of the United States, having considered
the same, reports favorably thereon with an amendment (in the
nature of a substitute) and recommends that the bill, as
amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................5
IV. Section-by-Section Analysis......................................5
V. Evaluation of Regulatory Impact..................................7
VI. Congressional Budget Office Cost Estimate........................7
VII. Changes in Existing Law Made by the Bill, as Reported............8
I. Purpose and Summary
The purpose of S. 3045, the Cybersecurity Vulnerability
Notification Act of 2020, is to authorize the Department of
Homeland Security (DHS) Cybersecurity and Infrastructure
Security Agency (CISA) to issue administrative subpoenas for
the purpose of warning U.S. critical infrastructure owners and
operators about CISA-identified potential cybersecurity
vulnerabilities. Specifically, the bill authorizes CISA to
detect, identify, and receive information about security
vulnerabilities related to critical infrastructure for a
cybersecurity purpose. The Director of CISA is then authorized
to issue an administrative subpoena for the production of
information necessary to identify and notify the entity with
the specific cybersecurity vulnerability.
Additionally, the bill requires that the Director of CISA
coordinate the issuance of a subpoena with the Department of
Justice (DOJ), notify any entity identified by the subpoena
within seven days, and that the subpoena be authenticated with
a digital signature. The bill also requires the Director of
CISA to develop procedures to protect nonpublic information
from dissemination, absent certain national security or law
enforcement interests in resolving a cybersecurity incident
related to the vulnerability that gave rise to the subpoena.
The bill includes privacy and transparency protections such as
provisions for the retention and destruction of information by
CISA, the publication of information about the subpoena
process, and an annual report to Congress.
II. Background and the Need for Legislation
In December 2019, the National Infrastructure Advisory
Council issued a report titled, Transforming the U.S. Cyber
Threat Partnership, in which it concluded that, ``[e]scalating
cyber risks to America's critical infrastructure present an
existential threat to continuity of the government, economic
stability, social order, and national security.''\1\ This is
perhaps most evident by the increase and severity of
cyberattacks on our nation's industrial control systems
(ICS).\2\ Facilitating this increase in threat activity is the
use of open source tools that make it easy for nefarious actors
to identify and exploit vulnerabilities in these critical
infrastructure assets.\3\
---------------------------------------------------------------------------
\1\The President's National Infrastructure Advisory Council,
Transforming the U.S. Cyber Threat Partnership, CISA (Dec. 12, 2019),
available at https://www.cisa.gov/sites/default/files/publications/
NIAC-Transforming-US-Cyber-Threat-PartnershipReport-FINAL-508.pdf.
\2\Global Oil and Gas Cyber Threat Perspective, Dragos (Aug. 2019),
available at https://www.dragos.com/wp-content/uploads/Dragos-Oil-and-
Gas-Threat-Perspective-2019.pdf?hsCtaTracking=c1b77456-192a-401c-b33b-
e972fbd923b5%7C197e055e-bf16-4c14-84ee-e3264e2f5716.
\3\Derek Johnson, Why CISA Wants Subpoena Authority to Probe Cyber
Risks, FCW Resource Center (Oct. 16, 2019), available at https://
fcw.com/articles/2019/10/16/cisa-bill-cyber-subpoena.aspx.
---------------------------------------------------------------------------
Mitigating these cyber vulnerabilities requires that our
nation's critical infrastructure owners and operators have
access to timely and actionable vulnerability information, some
of which may be known to the Federal Government. However, in
its March 2020 report, the Cyberspace Solarium Commission found
that the Federal Government is often limited in its ability
``to systematically identify those who are vulnerable or
compromised, notify them, and assist them in mitigating or
reducing vulnerability,'' and recommended that Congress grant
certain agencies, including CISA, with administrative subpoena
authority to enhance their threat detection and response
capabilities.\4\
---------------------------------------------------------------------------
\4\U.S. Cyberspace Solarium Commission, Cyberspace Solarium
Commission Report 102 (Mar. 11, 2020), available at https://
www.solarium.gov/report.
---------------------------------------------------------------------------
As the nation's lead civilian cybersecurity agency, CISA is
charged with facilitating the sharing of information on
cybersecurity vulnerabilities across the nation's critical
infrastructure systems and devices. More specifically, in its
role as the lead agency for national cybersecurity asset
response activities, CISA serves as the primary ``interface''
for the ``real time . . . sharing of information related to
cybersecurity risks, incidents, analysis, and warnings'' with
Federal and non-Federal entities.\5\ While CISA often possesses
actionable information that could improve the nation's critical
systems and assets, the agency is unable to contact at-risk
entities due in part to longstanding legal constraints. CISA is
generally unable to identify the individual or organization
that owns the Internet Protocol (IP) address associated with a
potentially vulnerable critical infrastructure device or
system. Under the Electronic Communications Privacy Act (ECPA),
an Internet Service Provider (ISP)--the company that enables a
customer to access the internet via the assigned IP address-is
prohibited from disclosing customer information to the Federal
Government absent legal process or consent.\6\
---------------------------------------------------------------------------
\5\6 U.S.C. Sec. 659(c)(1),(2); see also 6 U.S.C.
Sec. 659(c)(5)(B), (7), (9).
\6\18 U.S.C. Sec. 2703; see also 18 U.S.C. Sec. 2703(c)(2).
---------------------------------------------------------------------------
CISA has provided examples of multiple instances in which
the agency was ``delayed, restricted, or altogether foreclosed
in responding to known and actionable cyber risks,'' because of
its inability to identify the at-risk entities.\7\ Further,
CISA informed Congress that information its analysts obtained
from Shodan, a publicly available search engine that scans for
devices connected to the Internet, identified at least 82,000
ICS devices that were directly accessible via (or from) the
Internet at the time the scan was conducted.\8\ During a March
2020 Committee hearing titled, What States, Locals, and the
Business Community Should Know and Do: A Roadmap for Effective
Cybersecurity, CISA Director Christopher Krebs explained how
readily accessible tools such as Shodan are used by nefarious
actors to identify and exploit vulnerabilities stating that
``these automated probes and scans that look for
vulnerabilities, and when they see these vulnerabilities they
then try a number of techniques to get into the system.''\9\
---------------------------------------------------------------------------
\7\Cybersecurity and Infrastructure Security Agency classified
briefing to the S. Comm. On Homeland Sec. & Gov't Affairs, 116th Cong.
(Sept. 17, 2019).
\8\Id.
\9\What States, Locals, and the Business Community Should Know and
Do: A Roadmap for Effective Cybersecurity: Hearing before the Comm. on
Homeland Security & Governmental Affairs, 116th Cong. (2020) (Statement
of CISA Director Krebs), available at https://www.hsgac.senate.gov/
what-states-locals-and-the-business-community-should-know-and-do-a-
roadmap-for-effective-cybersecurity.
---------------------------------------------------------------------------
ECPA allows for ISPs to provide customer information to the
Federal Government through legal processes, and currently law
enforcement agencies can obtain subscriber information with a
subpoena if there is a pending investigation.\10\ However,
there are limits on what information can be shared from pending
investigations with other agencies, and the vulnerabilities
detected by CISA are not often linked to, and may be of no
interest to, pending law enforcement investigations, thereby
leaving CISA with little to no ability to fulfil its statutory
obligation to identify and respond to cyber threat
activity.\11\
---------------------------------------------------------------------------
\10\Id.
\11\Id.
---------------------------------------------------------------------------
S. 3045 provides CISA with the authority to issue
administrative subpoenas to ensure that it has the ability to
warn critical infrastructure owners and operators about
cybersecurity vulnerabilities CISA identifies in critical
infrastructure devices and systems.
The Committee recognizes the importance of the privacy and
civil liberties protections provided by the ECPA, as well as
the concerns inherent when Federal agencies have the authority
to compel the disclosure of personally identifiable
information. Consistent with those concerns this legislation is
limited in scope, includes strict non-dissemination provisions,
and robust reporting requirements. As stated by Director Krebs
during the March 2020 hearing, such subpoena authority if
granted would be used for ``purely defensive vulnerability
mitigation on critical infrastructure systems, not your average
user, not your home device.''\12\ The narrow scope of the
subpoena authority is intended to ensure that the authority
cannot be misused by CISA or to advance the interests of other
Federal agencies.
---------------------------------------------------------------------------
\12\Id.
---------------------------------------------------------------------------
S. 3045 limits CISA's ability to disclose any non-public
information it obtains as a result of the administrative
subpoena with its Federal and non-Federal partners. Similar
authorities have been the subject of misuse by other Federal
agencies, and as such the authorities granted in this bill are
meant to ensure that CISA's compulsory authority is used
strictly to enhance the cybersecurity of the nation's critical
infrastructure.\13\ To ensure that this authority is not used
as the basis for law enforcement or regulatory action, S. 3045
requires any entity identified in the subpoena to be notified
within seven days. The bill also includes an annual report to
Congress specifically requiring detailed information about the
security vulnerability that gave rise to the issuance of the
subpoena and the effectiveness of the subpoena authority in
mitigation the cybersecurity risk.
---------------------------------------------------------------------------
\13\David Kravets, We Don't Need No Stinking Warrant: The
Disturbing, Unchecked Rise of Administrative Subpoena's, Wired Magazine
(Aug. 12, 2008), available at https://www.wired.com/2012/08/
administrative-subpoenas/.
---------------------------------------------------------------------------
S. 3045 also makes explicit the voluntary nature of an at-
risk entity's engagement with CISA by affirming that responding
to the notice from CISA or accepting any services,
capabilities, or resources to mitigate the cybersecurity
vulnerability are done so voluntarily. Consistent with the
principles established in the Cybersecurity Information Sharing
Act of 2015, response by an at-risk entity to a notice from
CISA about a potential vulnerability remains voluntary. As
such, the cybersecurity risk associated with the systems and
devices identified by CISA, remains the responsibility of the
critical infrastructure owners and operators. The at-risk
entity that is identified as a result of the administrative
subpoena will receive a notice regarding the cybersecurity
vulnerability from CISA, but is not required to take any action
thereafter.
Some private sector stakeholders have suggested that rather
than seeking the administrative subpoena authority and directly
notifying at-risk entities, CISA could disclose the specific
vulnerability to the ISP.\14\ The ISP could then warn its
subscriber (i.e. the at-risk entity) of the identified
vulnerability.\15\ The challenge with this proposal is that
ISPs are among private sector leaders in the provision of
cybersecurity services and solutions, and often sell those
capabilities to their customers. As a result, when an ISP
contacts a customer notifying it of a vulnerability, as
Director Krebs testified, ``it looks like an upsell.''\16\ As
such, at risk-entities may not readily heed warnings coming
from the ISP.
---------------------------------------------------------------------------
\14\Greg Nojeim, Proposed Administrative Subpoena for Cybersecurity
Vulnerabilities, cdt.org blog (Nov. 26, 2019), available at https://
cdt.org/insights/proposed-administrative-subpoenas-for-cybersecurity-
vulnerabilities/?preview=true&_thumbnail_id=85495.
\15\Id.
\16\What States, Locals, and the Business Community Should Know and
Do: A Roadmap for Effective Cybersecurity: Hearing before the Comm. on
Homeland Security & Governmental Affairs, 116th Cong. (2020) (Statement
of CISA Director Krebs), available at https://www.hsgac.senate.gov/
what-states-locals-and-the-business-community-should-know-and-do-a-
roadmap-for-effective-cybersecurity.
---------------------------------------------------------------------------
S. 3045 does not amend ECPA or expand the scope of the
information ISPs may provide the Federal Government under that
statute. Rather, this bill grants CISA limited authority to
issue an administrative subpoena to obtain specific personal
identifiable information about at-risk entities that is
restricted under ECPA in fulfilment of CISA's statutory
mission. S. 3045 strengthens CISA's cyber threat detection and
assets response capabilities by ensuring the nation's critical
infrastructure owners and operators have the information needed
to mitigate the potentially catastrophe effects of cyber
intrusions.
III. Legislative History
Chairman Ron Johnson (R-WI) introduced S. 3045 on December
12, 2019, with Senator Margaret Wood Hassan (D-NH). The bill
was referred to the Committee on Homeland Security and
Governmental Affairs.
The Committee considered S. 3045 at a business meeting on
March 11, 2020. During the business meeting, a substitute
amendment was offered by Chairman Johnson and Senator Hassan
adding limitations on bulk data collection, liability
protections, and emphasizing voluntary engagement by at risk
entities, among other things. The amendment was adopted by
voice vote en bloc. Senators present for the voice vote were
Johnson, Portman, Lankford, Romney, Scott, Enzi, Hawley,
Peters, Carper, Hassan, Harris, Sinema and Rosen.
Senator Rand Paul offered an amendment, as modified, adding
protections for, and placing limits on, the use of nonpublic
information. The amendment was adopted by voice vote en bloc.
Senators present for the voice vote were Johnson, Portman,
Lankford, Romney, Scott, Enzi, Hawley, Peters, Carper, Hassan,
Harris, Sinema and Rosen.
The bill, as amended, was ordered reported favorably by
voice vote en bloc. The Senators present for the vote were
Johnson, Portman, Lankford, Romney, Scott, Enzi, Hawley,
Peters, Carper, Hassan, Harris, Sinema and Rosen.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section provides that the bill may be cited as the
``Cybersecurity Vulnerability Identification and Notification
Act of 2020.''
Section 2. Subpoena authority
Subsection (a) of the bill amends Section 2209 of the
Homeland Security Act of 2002 (HSA) by defining ``security
vulnerability'' and establishes subpoena authority following
the detection and identification of security vulnerabilities.
This subsection also defines ``covered device or system'' as
any device or system frequently used in relation to critical
infrastructure and stipulates that consumer and personal
devices are not included.
Subsection (a) of the bill adds a new subsection (o) at the
end of Section 2209 of the HSA that authorizes the Director of
CISA to issue a subpoena in the event the Director identifies a
specific security vulnerability and has reason to believe that
it is related to critical infrastructure, and the subsection
describes the limitations on that authority. The subpoena
authority extends only to the production of information
necessary to identify and notify the at risk entity. Disclosing
providers are subject to the liability protections specified in
18 U.S.C. 2703(e).
The CISA Director must coordinate with DOJ and the FBI
prior to a subpoena being issued. The subpoena is subject to
procedures set forth by the CISA Director and Attorney General.
The CISA Director can request enforcement of a subpoena by the
Attorney General against any person or entity in the
appropriate jurisdiction. The CISA Director must notify any
person or entity identified by the subpoena response within
seven days following compliance with a subpoena. A
cryptographic signature must be applied to any subpoena issued
to ensure its validity.
The CISA Director shall establish internal procedures and
associated training regarding subpoenas issued under new
subsection (o). This includes the protection of and restriction
on dissemination of nonpublic information obtained through the
use of the subpoena. These restrictions include limits on the
use of obtained information and timelines for the the retention
and destruction of non-public information obtained. Within one
year of the date of enactment, the Privacy Officer of the
Agency shall review the procedures developed and notify the
Committee on Homeland Security and Governmental Affairs of the
Senate and House of Representatives of the results of the
review.
The CISA Director must publish information on the website
of the agency regarding the subpoena process within 120 days of
establishing the internal procedures. The CISA Director must
also submit annual reports to the Committee on Homeland
Security and Governmental Affairs of the Senate and House of
Representatives that include a discussion of subpoenas as a
whole and the steps and description of each subpoena issued,
and the statute requires a version of the annual report to be
made public.
The bill establishes the prohibition on the use of
information for unauthorized purposes detailing that any
information obtained pursuant to a subpoena will not be
provided to any other Federal agency for any purpose other than
cybersecurity. Nonpublic information obtained through the use
of the subpoena cannot be shared except with Federal entities
in the event of a national security or law enforcement interest
in resolving a cybersecurity incident related to the
vulnerability that gave rise to the subpoena.
Subsection (b)(1) includes a rule of construction
stipulating that the authorities granted in this bill do not
grant the Secretary of Homeland Security or any other Federal
agency the authority to establish new regulations or standards
relating to private sector cybersecurity.
Subsection (b)(2) states that private sector entities are
not required to request assistance from DHS or if such
assistance is requested by a private sector entity, the entity
is not required to implement any recommendations made by DHS.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform bill (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, March 30, 2020.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 3045, the
Cybersecurity Vulnerability Identification and Notification Act
of 2020.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Under current law, the Cybersecurity and Infrastructure
Security Agency (CISA) shares information about cyber threats
with owners and operators of critical infrastructure (such as
power generation and transmission facilities). In rare
instances, the agency cannot do so because it is unable to
identify the owners of computers or devices that are vulnerable
to malicious activity. S. 3045 would authorize CISA to issue
administrative subpoenas in those instances to compel Internet
service providers (ISPs) to disclose the identity of owners of
such critical infrastructure. The bill also would require CISA
to provide annual reports to the Congress on its use of that
authority.
ISPs that do not comply with subpoenas could be subject to
civil and criminal penalties; therefore, the government might
collect additional fines under the legislation. Civil fines are
recorded in the budget as revenues. Criminal fines are recorded
as revenues, deposited in the Crime Victims Fund, and later
spent without further appropriation. CBO expects that few ISPs
would be fined for defying subpoenas. Thus, both revenues and
direct spending would increase by insignificant amounts over
the 2020-2030 period. On net, enacting the bill would reduce
the deficit by an insignificant amount, CBO estimates.
On the basis of information from CISA, satisfying the
bill's reporting requirements would cost less than $500,000
over the 2020-2025 period; such spending would be subject to
the availability of appropriated funds.
On February 24, 2020, CBO transmitted a cost estimate for
H.R. 5680, the Cybersecurity Vulnerability Identification and
Notification Act of 2020, as ordered reported by the House
Committee on Homeland Security on January 29, 2020. The two
pieces of legislation are similar and CBO's estimate of their
budgetary effects is the same.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Director of Budget
Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows: (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
UNITED STATES CODE
* * * * * * *
TITLE 6--DOMESTIC SECURITY
* * * * * * *
CHAPTER 1--HOMELAND SECURITY
* * * * * * *
Subchapter XVIII--Cybersecurity and Infrastructure Security Agency
* * * * * * *
SEC. 659. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
(a) Definitions.--
(1) * * *
* * * * * * *
(5) the term ``information system'' has the meaning
given that term in section 3502(8) of title 44; [and]
(6) the term ``security vulnerability'' has the
meaning given that term in section 102(17) of the
Cybersecurity Information Sharing Act of 2015 (6 7
U.S.C. 1501(17)); and
[(6)] (7) * * *.
(b) * * *
(c) * * *
(1) * * *
* * * * * * *
(10) participating, as appropriate, in national
exercises run by the Department; [and]
(11) in coordination with the Emergency
Communications Division of the Department, assessing
and evaluating consequence, vulnerability, and threat
information regarding cyber incidents to public safety
communications to help facilitate continuous
improvements to the security and resiliency of such
communications[.] and
(12) detecting, identifying, and receiving
information about security vulnerabilities relating to
critical infrastructure in the information systems and
devices of Federal and non-Federal entities for a
cybersecurity purpose, as defined in section 102 of the
Cybersecurity Information Sharing Act of 2015 (6 20
U.S.C. 1501).
* * * * * * *
(o) Subpoena Authority.--
(1) Definition.--In this subsection, the term
``covered device or system''--
(A) means a device or system commonly used to
perform industrial, commercial, scientific, or
governmental functions or processes that relate
to critical infrastructure, including
operational and industrial control systems,
distributed control systems, and programmable
logic controllers; and
(B) does not include personal devices and
systems, such as consumer mobile devices, home
9 computers, residential wireless routers, or
residential internet enabled consumer devices.
(2) Authority.--
(A) In general.--If the Director identifies a
system connected to the internet with a
specific security vulnerability and has reason
to believe that the security vulnerability
relates to critical infrastructure and affects
a covered device or system owned or operated by
a Federal or non-Federal entity, and the
Director is unable to identify the entity at
risk, the Director may issue a subpoena for the
production of information necessary to identify
and notify the entity at risk, in order to
carry out a function authorized under
subsection (c)(12).
(B) Limit of information.--A subpoena issued
under the authority under subparagraph 2 (A)
may seek information--
(i) only in the categories set forth
in subparagraphs (A), (B), (D), and (E)
of section 2703(c)(2) of title 18,
United States Code; and
(ii) for not more than 20 covered
devices or systems.
(C) Liability protections for disclosing
providers.--The provisions of section 2703(e)
of title 18, United States Code, shall apply to
any subpoena issued under the authority under
subparagraph (A).
(3) Coordination.--
(A) In general.--If the Director decides to
exercise the subpoena authority under this
subsection, and in the interest of avoiding
interference with ongoing law enforcement
investigations, the Director shall coordinate
the issuance of any such subpoena with the
Department of Justice, including the Federal
Bureau of Investigation, pursuant to inter-
agency procedures which the Director, in
coordination with the Attorney General, shall
develop not later than 60 days after the date
of enactment of this subsection.
(B) Contents.--The inter-agency procedures
developed under this paragraph shall provide
that a subpoena issued by the Director under
this subsection shall be--
(i) issued in order to carry out a
function described in subsection
(c)(12); and
(ii) subject to the limitations under
this subsection.
(4) Noncompliance.--If any person, partnership,
corporation, association, or entity fails to comply
with any duly served subpoena issued under this
subsection, the Director may request that the Attorney
General seek enforcement of the subpoena in any
judicial district in which such person, partnership,
corporation, association, or entity resides, is found,
or transacts business.
(5) Notice.--Not later than 7 days after the date on
which the Director receives information obtained
through a subpoena issued under this subsection, the
Director shall notify any entity identified by
information obtained under the subpoena regarding the
subpoena and the identified vulnerability.
(6) Authentication.--
(A) In general.--Any subpoena issued by the
Director under this subsection shall be
authenticated with a cryptographic digital
signature of an authorized representative of
the Agency, or other comparable successor
technology, that allows the recipient of the
subpoena to determine that the subpoena was
issued by the Agency and has not been altered
or modified since it was issued by the Agency.
(B) Invalid if not authenticated.--Any
subpoena issued by the Director under this
subsection that is not authenticated in
accordance with subparagraph (A) shall not be
considered to be valid by the recipient of the
subpoena.
(7) Procedures.--Not later than 90 days after the
date of enactment of this subsection, the Director
shall establish internal procedures and associated
training, applicable to employees and operations of the
Agency, regarding subpoenas issued under this
subsection, which shall address--
(A) the protection of and restriction on
dissemination of nonpublic information obtained
through a subpoena issued under this
subsection, including a requirement that the
Agency shall not disseminate nonpublic
information obtained through a subpoena issued
under this subsection that identifies the party
that is subject to the subpoena or the entity
at risk identified by information obtained,
except that the Agency may share the nonpublic
information of the entity at risk with another
Federal agency if--
(i) the Agency identifies or is
notified of a cybersecurity incident
involving the entity, which relates to
the vulnerability which led to the
issuance of the subpoena;
(ii) the Director determines that
sharing the nonpublic information with
another Federal agency is necessary to
allow that Federal agency to take a law
enforcement or national security action
or actions related to mitigating or
otherwise resolving such incident;
(iii) the entity to which the
information pertains is notified of the
Director's determination, to the extent
practicable consistent with national
security or law enforcement interests;
and
(iv) the entity consents, except that
the entity's consent shall not be
required if another Federal agency
identifies the entity to the Agency in
connection with a suspected
cybersecurity incident;
(B) the restriction on the use of information
obtained through the subpoena for a
cybersecurity purpose, as defined in section
102 of the Cybersecurity Information Sharing
Act of 2015 6 (6 U.S.C. 1501);
(C) the retention and destruction of non-
public information obtained through a subpoena
issued under this subsection, including--
(i) destruction of information
obtained through the subpoena that the
Director determines is unrelated to
critical infrastructure immediately
upon providing notice to the entity
pursuant to paragraph (5); and
(ii) destruction of any personally
identifiable information not later than
18 months after the date on which the
Director receives information obtained
through the subpoena, unless otherwise
agreed to by the individual identified
by the subpoena respondent;
(D) the processes for providing notice to
each party that is subject to the subpoena and
each entity identified by information obtained
under a subpoena issued under this subsection;
(E) the processes and criteria for conducting
critical infrastructure security risk
assessments to determine whether a subpoena is
necessary prior to being issued under this
subsection; and
(F) the information to be provided to an
entity at risk at the time of the notice of the
vulnerability, which shall include--
(i) a discussion or statement that
responding to, or subsequent engagement
with, the Agency, is voluntary; and
(ii) to the extent practicable,
information regarding the process
through which the Director identifies
security vulnerabilities.
(8) Review of procedures.--Not later than 1 year
after the date of enactment of this subsection, the
Privacy Officer of the Agency shall--
(A) review the procedures developed by the
Director under paragraph (7) to ensure that
(i) the procedures are consistent
with fair information practices; and
(ii) the operations of the Agency
comply with the procedures; and
(B) notify the Committee on Homeland Security
and Governmental Affairs of the Senate and the
Committee on Homeland Security of the House of
Representatives of the results of the review.
(9) Publication of information.--Not later than 120
days after establishing the internal procedures under
paragraph (7), the Director shall publish information
on the website of the Agency regarding the subpoena
process under this subsection, including regarding--
(A) the purpose for subpoenas issued under
this subsection;
(B) the subpoena process;
(C) the criteria for the critical
infrastructure security risk assessment
conducted prior to issuing a subpoena;
(D) policies and procedures on retention and
sharing of data obtained by subpoena;
(E) guidelines on how entities contacted by
the Director may respond to notice of a
subpoena; and
(F) the procedures and policies of the Agency
developed under paragraph (7).
(10) Annual reports.--The Director shall annually
submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a
report (which may include a classified annex but with
the presumption of declassification) on the use of
subpoenas under this subsection by the Director, which
shall include--
(A) a discussion of--
(i) the effectiveness of the use of
subpoenas to mitigate critical
infrastructure security
vulnerabilities;
(ii) the critical infrastructure
security risk assessment process
conducted for subpoenas issued under
this subsection;
(iii) the number of subpoenas issued
under this subsection by the Director
during the preceding year;
(iv) to the extent practicable, the
number of vulnerable covered devices or
systems mitigated under this subsection
by the Agency during the preceding
year; and
(v) the number of entities notified
by the Director under this subsection,
and their response, during the previous
year; and
(B) for each subpoena issued under this
subsection--
(i) the source of the security
vulnerability detected, identified, or
received by the Director;
(ii) the steps taken to identify the
entity at risk prior to issuing the
subpoena;
(iii) a description of the outcome of
the subpoena, including discussion on
the resolution or mitigation of the
critical infrastructure security
vulnerability.
(11) Publication of the annual reports.--The Director
shall publish a version of the annual report required
by paragraph (10) on the website of the Agency, which
shall, at a minimum, include the findings described in
clauses (iii), (iv) and (v) of paragraph (10)(A).
(12) Prohibition on use of information for
unauthorized purposes.--Any information obtained
pursuant to a subpoena issued under this subsection
shall not be provided to any other Federal agency for
any purpose other than a cybersecurity purpose, as
defined in section 102 of the Cybersecurity Information
Sharing Act of 2015 (6 U.S.C. 3 1501).