United States Statutes at Large, Volume 128, 113th Congress, 2nd Session

[United States Statutes at Large, Volume 128, 113th Congress, 2nd Session]
[From the U.S. Government Publishing Office, www.gpo.gov]


Public Law 113-282
113th Congress

An Act


 
To codify an existing operations center for cybersecurity. <>

Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled, <>
SECTION 1. <>  SHORT TITLE.

This Act may be cited as the ``National Cybersecurity Protection Act
of 2014''.
SEC. 2. <>  DEFINITIONS.

In this Act--
(1) the term ``Center'' means the national cybersecurity and
communications integration center under section 226 of the
Homeland Security Act of 2002, as added by section 3;
(2) the term ``critical infrastructure'' has the meaning
given that term in section 2 of the Homeland Security Act of
2002 (6 U.S.C. 101);
(3) the term ``cybersecurity risk'' has the meaning given
that term in section 226 of the Homeland Security Act of 2002,
as added by section 3;
(4) the term ``information sharing and analysis
organization'' has the meaning given that term in section 212(5)
of the Homeland Security Act of 2002 (6 U.S.C. 131(5));
(5) the term ``information system'' has the meaning given
that term in section 3502(8) of title 44, United States Code;
and
(6) the term ``Secretary'' means the Secretary of Homeland
Security.
SEC. 3. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION
CENTER.

(a) In General.--Subtitle C of title II of the Homeland Security Act
of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the
following:
``SEC. 226. <> NATIONAL CYBERSECURITY AND
COMMUNICATIONS INTEGRATION CENTER.

``(a) Definitions.--In this section--
``(1) the term `cybersecurity risk' means threats to and
vulnerabilities of information or information systems and any
related consequences caused by or resulting from unauthorized
access, use, disclosure, degradation, disruption, modification,
or destruction of information or information systems, including
such related consequences caused by an act of terrorism;
``(2) the term `incident' means an occurrence that--

[[Page 3067]]

``(A) actually or imminently jeopardizes, without
lawful authority, the integrity, confidentiality, or
availability of information on an information system; or
``(B) constitutes a violation or imminent threat of
violation of law, security policies, security
procedures, or acceptable use policies;
``(3) the term `information sharing and analysis
organization' has the meaning given that term in section 212(5);
and
``(4) the term `information system' has the meaning given
that term in section 3502(8) of title 44, United States Code.

``(b) Center.--There is in the Department a national cybersecurity
and communications integration center (referred to in this section as
the `Center') to carry out certain responsibilities of the Under
Secretary appointed under section 103(a)(1)(H).
``(c) Functions.--The cybersecurity functions of the Center shall
include--
``(1) being a Federal civilian interface for the multi-
directional and cross-sector sharing of information related to
cybersecurity risks, incidents, analysis, and warnings for
Federal and non-Federal entities;
``(2) providing shared situational awareness to enable real-
time, integrated, and operational actions across the Federal
Government and non-Federal entities to address cybersecurity
risks and incidents to Federal and non-Federal entities;
``(3) coordinating the sharing of information related to
cybersecurity risks and incidents across the Federal Government;
``(4) facilitating cross-sector coordination to address
cybersecurity risks and incidents, including cybersecurity risks
and incidents that may be related or could have consequential
impacts across multiple sectors;
``(5)(A) conducting integration and analysis, including
cross-sector integration and analysis, of cybersecurity risks
and incidents; and
``(B) sharing the analysis conducted under subparagraph (A)
with Federal and non-Federal entities;
``(6) upon request, providing timely technical assistance,
risk management support, and incident response capabilities to
Federal and non-Federal entities with respect to cybersecurity
risks and incidents, which may include attribution, mitigation,
and remediation; and
``(7) providing information and recommendations on security
and resilience measures to Federal and non-Federal entities,
including information and recommendations to--
``(A) facilitate information security; and
``(B) strengthen information systems against
cybersecurity risks and incidents.

``(d) Composition.--
``(1) In general.--The Center shall be composed of--
``(A) appropriate representatives of Federal
entities, such as--
``(i) sector-specific agencies;
``(ii) civilian and law enforcement agencies;
and
``(iii) elements of the intelligence
community, as that term is defined under section
3(4) of the National Security Act of 1947 (50
U.S.C. 3003(4));

[[Page 3068]]

``(B) appropriate representatives of non-Federal
entities, such as--
``(i) State and local governments;
``(ii) information sharing and analysis
organizations; and
``(iii) owners and operators of critical
information systems;
``(C) components within the Center that carry out
cybersecurity and communications activities;
``(D) a designated Federal official for operational
coordination with and across each sector; and
``(E) other appropriate representatives or entities,
as determined by the Secretary.
``(2) Incidents.--In the event of an incident, during
exigent circumstances the Secretary may grant a Federal or non-
Federal entity immediate temporary access to the Center.

``(e) Principles.--In carrying out the functions under subsection
(c), the Center shall ensure--
``(1) to the extent practicable, that--
``(A) timely, actionable, and relevant information
related to cybersecurity risks, incidents, and analysis
is shared;
``(B) when appropriate, information related to
cybersecurity risks, incidents, and analysis is
integrated with other relevant information and tailored
to the specific characteristics of a sector;
``(C) activities are prioritized and conducted based
on the level of risk;
``(D) industry sector-specific, academic, and
national laboratory expertise is sought and receives
appropriate consideration;
``(E) continuous, collaborative, and inclusive
coordination occurs--
``(i) across sectors; and
``(ii) with--
``(I) sector coordinating councils;
``(II) information sharing and
analysis organizations; and
``(III) other appropriate non-
Federal partners;
``(F) as appropriate, the Center works to develop
and use mechanisms for sharing information related to
cybersecurity risks and incidents that are technology-
neutral, interoperable, real-time, cost-effective, and
resilient; and
``(G) the Center works with other agencies to reduce
unnecessarily duplicative sharing of information related
to cybersecurity risks and incidents;
``(2) that information related to cybersecurity risks and
incidents is appropriately safeguarded against unauthorized
access; and
``(3) that activities conducted by the Center comply with
all policies, regulations, and laws that protect the privacy and
civil liberties of United States persons.

``(f) No Right or Benefit.--
``(1) In general.--The provision of assistance or
information to, and inclusion in the Center of, governmental or
private entities under this section shall be at the sole and
unreviewable

[[Page 3069]]

discretion of the Under Secretary appointed under section
103(a)(1)(H).
``(2) Certain assistance or information.--The provision of
certain assistance or information to, or inclusion in the Center
of, one governmental or private entity pursuant to this section
shall not create a right or benefit, substantive or procedural,
to similar assistance or information for any other governmental
or private entity.''.

(b) Technical and Conforming Amendment.--The table of contents in
section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note) is
amended by inserting after the item relating to section 225 the
following:

``Sec. 226. National cybersecurity and communications integration
center.''.

SEC. 4. RECOMMENDATIONS REGARDING NEW AGREEMENTS.

(a) In General.--Not later than 180 days after the
date <> of enactment of this Act, the Secretary shall
submit recommendations on how to expedite the implementation of
information-sharing agreements for cybersecurity purposes between the
Center and non-Federal entities (referred to in this section as
``cybersecurity information-sharing agreements'') to--
(1) the Committee on Homeland Security and Governmental
Affairs and the Committee on the Judiciary of the Senate; and
(2) the Committee on Homeland Security and the Committee on
the Judiciary of the House of Representatives.

(b) Contents.--In submitting recommendations under subsection (a),
the Secretary shall--
(1) address the development and utilization of a scalable
form that retains all privacy and other protections in
cybersecurity information-sharing agreements that are in effect
as of the date on which the Secretary submits the
recommendations, including Cooperative Research and Development
Agreements; and
(2) include in the recommendations any additional
authorities or resources that may be needed to carry out the
implementation of any new cybersecurity information-sharing
agreements.
SEC. 5. ANNUAL REPORT.

Not later than 1 year after the date of enactment of this Act, and
every year thereafter for 3 years, the Secretary shall submit to the
Committee on Homeland Security and Governmental Affairs and the
Committee on the Judiciary of the Senate, the Committee on Homeland
Security and the Committee on the Judiciary of the House of
Representatives, and the Comptroller General of the United States a
report on the Center, which shall include--
(a) information on the Center, including--
(1) an assessment of the capability and capacity of the
Center to carry out its cybersecurity mission under this Act;
(2) the number of representatives from non-Federal entities
that are participating in the Center, including the number of
representatives from States, nonprofit organizations, and
private sector entities, respectively;
(3) the number of requests from non-Federal entities to
participate in the Center and the response to such requests;

[[Page 3070]]

(4) the average length of time taken to resolve requests
described in paragraph (3);
(5) the identification of--
(A) any delay in resolving requests described in
paragraph (3) involving security clearance processing;
and
(B) the agency involved with a delay described in
subparagraph (A);
(6) a description of any other obstacles or challenges to
resolving requests described in paragraph (3) and a summary of
the reasons for denials of any such requests;
(7) the extent to which the Department is engaged in
information sharing with each critical infrastructure sector,
including--
(A) the extent to which each sector has
representatives at the Center;
(B) the extent to which owners and operators of
critical infrastructure in each critical infrastructure
sector participate in information sharing at the Center;
and
(C) the volume and range of activities with respect
to which the Secretary has collaborated with the sector
coordinating councils and the sector-specific agencies
to promote greater engagement with the Center; and
(8) the policies and procedures established by the Center to
safeguard privacy and civil liberties.
SEC. 6. GAO REPORT.

Not later than 2 years after the date of enactment of this Act, the
Comptroller General of the United States shall submit to the Committee
on Homeland Security and Governmental Affairs of the Senate and the
Committee on Homeland Security of the House of Representatives a report
on the effectiveness of the Center in carrying out its cybersecurity
mission.
SEC. 7. CYBER INCIDENT RESPONSE PLAN; CLEARANCES; BREACHES.

(a) Cyber Incident Response Plan; Clearances.--Subtitle C of title
II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.), as
amended by section 3, is amended by adding at the end the following:
``SEC. 227. <>  CYBER INCIDENT RESPONSE PLAN.

``The Under Secretary appointed under section 103(a)(1)(H) shall, in
coordination with appropriate Federal departments and agencies, State
and local governments, sector coordinating councils, information sharing
and analysis organizations (as defined in section 212(5)), owners and
operators of critical infrastructure, and other appropriate entities and
individuals, develop, regularly update, maintain, and exercise adaptable
cyber incident response plans to address cybersecurity risks (as defined
in section 226) to critical infrastructure.
``SEC. 228. <>  CLEARANCES.

``The Secretary shall make available the process of application for
security clearances under Executive Order 13549 (75 Fed. Reg. 162;
relating to a classified national security information program) or any
successor Executive Order to appropriate representatives

[[Page 3071]]

of sector coordinating councils, sector information sharing and analysis
organizations (as defined in section 212(5)), owners and operators of
critical infrastructure, and any other person that the Secretary
determines appropriate.''.
(b) <>  Breaches.--
(1) Requirements.--The Director of the Office of Management
and Budget shall ensure that data breach notification policies
and guidelines are updated periodically and require--
(A) <>  except as provided in
paragraph (4), notice by the affected agency to each
committee of Congress described in section 3544(c)(1) of
title 44, United States Code, the Committee on the
Judiciary of the Senate, and the Committee on Homeland
Security and the Committee on the Judiciary of the House
of Representatives, which shall--
(i) <>  be provided
expeditiously and not later than 30 days after the
date on which the agency discovered the
unauthorized acquisition or access; and
(ii) include--
(I) information about the breach,
including a summary of any information
that the agency knows on the date on
which notification is provided about how
the breach occurred;
(II) an estimate of the number of
individuals affected by the breach,
based on information that the agency
knows on the date on which notification
is provided, including an assessment of
the risk of harm to affected
individuals;
(III) a description of any
circumstances necessitating a delay in
providing notice to affected
individuals; and
(IV) an estimate of whether and when
the agency will provide notice to
affected individuals; and
(B) notice by the affected agency to affected
individuals, pursuant to data breach notification
policies and guidelines, which shall be provided as
expeditiously as practicable and without unreasonable
delay after the agency discovers the unauthorized
acquisition or access.
(2) National security; law enforcement; remediation.--The
Attorney General, the head of an element of the intelligence
community (as such term is defined under section 3(4) of the
National Security Act of 1947 (50 U.S.C. 3003(4)), or the
Secretary may delay the notice to affected individuals under
paragraph (1)(B) if the notice would disrupt a law enforcement
investigation, endanger national security, or hamper security
remediation actions.
(3) <>  OMB report.--
During the first 2 years beginning after the date of enactment
of this Act, the Director of the Office of Management and Budget
shall, on an annual basis--
(A) assess agency implementation of data breach
notification policies and guidelines in aggregate; and
(B) include the assessment described in clause (i)
in the report required under section 3543(a)(8) of title
44, United States Code.
(4) Exception.--Any element of the intelligence community
(as such term is defined under section 3(4) of the National
Security Act of 1947 (50 U.S.C. 3003(4)) that is required to

[[Page 3072]]

provide notice under paragraph (1)(A) shall only provide such
notice to appropriate committees of Congress.

(c) <>  Rule of Construction.--Nothing in the
amendment made by subsection (a) or in subsection (b)(1) shall be
construed to alter any authority of a Federal agency or department.

(d) Technical and Conforming Amendment.--The table of contents in
section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note),
as amended by section 3, is amended by inserting after the item relating
to section 226 the following:

``Sec. 227. Cyber incident response plan.
``Sec. 228. Clearances.''.

SEC. 8. <>  RULES OF CONSTRUCTION.

(a) Prohibition on New Regulatory Authority.--Nothing in this Act or
the amendments made by this Act shall be construed to grant the
Secretary any authority to promulgate regulations or set standards
relating to the cybersecurity of private sector critical infrastructure
that was not in effect on the day before the date of enactment of this
Act.
(b) Private Entities.--Nothing in this Act or the amendments made by
this Act shall be construed to require any private entity--
(1) to request assistance from the Secretary; or
(2) that requested such assistance from the Secretary to
implement any measure or recommendation suggested by the
Secretary.

Approved December 18, 2014.

LEGISLATIVE HISTORY--S. 2519:
---------------------------------------------------------------------------

SENATE REPORTS: No. 113-240 (Comm. on Homeland Security and Governmental
Affairs).
CONGRESSIONAL RECORD, Vol. 160 (2014):
Dec. 10, considered and passed Senate.
Dec. 11, considered and passed House.