HEN10553 S.L.C.
111TH CONGRESS, 2D SESSION
S. ____
To amend the Homeland Security Act of 2002 and other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States.
IN THE SENATE OF THE UNITED STATES
__________
Mr. LIEBERMAN (for himself, Ms. COLLINS, and Mr. CARPER) introduced the following bill; which was read twice and referred to the Committee on __________
A BILL
To amend the Homeland Security Act of 2002 and other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the “Protecting Cyberspace as a National Asset Act of 2010”.
SEC. 2. TABLE OF CONTENTS.
The table of contents for this Act is as follows:
Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Definitions.
TITLE I—OFFICE OF CYBERSPACE POLICY
Sec. 101. Establishment of the Office of Cyberspace Policy.
Sec. 102. Appointment and responsibilities of the Director.
Sec. 103. Prohibition on political campaigning.
Sec. 104. Review of Federal agency budget requests relating to the National Strategy.
Sec. 105. Access to intelligence.
Sec. 106. Consultation.
Sec. 107. Reports to Congress.
TITLE II—NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS
Sec. 201. Cybersecurity.
TITLE III—FEDERAL INFORMATION SECURITY MANAGEMENT
Sec. 301. Coordination of Federal information policy.
TITLE IV—RECRUITMENT AND PROFESSIONAL DEVELOPMENT
Sec. 401. Definitions.
Sec. 402. Assessment of cybersecurity workforce.
Sec. 403. Strategic cybersecurity workforce planning.
Sec. 404. Cybersecurity occupation classifications.
Sec. 405. Measures of cybersecurity hiring effectiveness.
Sec. 406. Training and education.
Sec. 407. Cybersecurity incentives.
Sec. 408.
Recruitment and retention program for the National Center for Cybersecurity and Communications.
TITLE V—OTHER PROVISIONS
Sec. 501. Consultation on cybersecurity matters.
Sec. 502. Cybersecurity research and development.
Sec. 503. Prioritized critical information infrastructure.
Sec. 504. National Center for Cybersecurity and Communications acquisition authorities.
Sec. 505. Technical and conforming amendments.
SEC. 3. DEFINITIONS.
In this Act:
(1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—
(A) the Committee on Homeland Security and Governmental Affairs of the Senate;
(B) the Committee on Homeland Security of the House of Representatives;
(C) the Committee on Oversight and Government Reform of the House of Representatives; and
(D) any other congressional committee with jurisdiction over the particular matter.
(2) CRITICAL INFRASTRUCTURE.—The term “critical infrastructure” has the meaning given that term in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).
(3) CYBERSPACE.—The term “cyberspace” means the interdependent network of information infrastructure, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.
(4) DIRECTOR.—The term “Director” means the Director of Cyberspace Policy established under section 101.
(5) FEDERAL AGENCY.—The term “Federal agency”—
(A) means any executive department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; and
(B) does not include the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions.
(6) FEDERAL INFORMATION INFRASTRUCTURE.—The term “Federal information infrastructure”—
(A) means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and
(B) does not include—
(i) a national security system; or
(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community.
(7) INCIDENT.—The term “incident” means an occurrence that—
(A) actually or potentially jeopardizes—
(i) the information security of information infrastructure; or
(ii) the information that information infrastructure processes, stores, receives, or transmits; or
(B) constitutes a violation or threat of violation of security policies, security procedures, or acceptable use policies applicable to information infrastructure.
(8) INFORMATION INFRASTRUCTURE.—The term “information infrastructure” means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.
(9) INFORMATION SECURITY.—The term “information security” means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—
(A) integrity, by guarding against improper information modification or destruction,
including by ensuring information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, by ensuring timely and reliable access to and use of information.
(10) INFORMATION TECHNOLOGY.—The term “information technology” has the meaning given that term in section 11101 of title 40, United States Code.
(11) INTELLIGENCE COMMUNITY.—The term “intelligence community” has the meaning given that term under section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)).
(12) KEY RESOURCES.—The term “key resources” has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
(13) NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS.—The term “National Center for Cybersecurity and Communications” means the National Center for Cybersecurity and Communications established under section 242(a) of the Homeland Security Act of 2002, as added by this Act.
(14) NATIONAL INFORMATION INFRASTRUCTURE.—The term “national information infrastructure” means information infrastructure—
(A)(i) that is owned, operated, or controlled within or from the United States; or
(ii) if located outside the United States, the disruption of which could result in national or regional catastrophic damage in the United States; and
(B) that is not owned, operated, controlled, or licensed for use by a Federal agency.
(15) NATIONAL SECURITY SYSTEM.—The term “national security system” has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.
(16) NATIONAL STRATEGY.—The term “National Strategy” means the national strategy to increase the security and resiliency of cyberspace developed under section 101(a)(1).
(17) OFFICE.—The term “Office” means the Office of Cyberspace Policy established under section 101.
(18) RISK.—The term “risk” means the potential for an unwanted outcome resulting from an incident, as determined by the likelihood of the occurrence of the incident and the associated consequences, including potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident.
(19) RISK-BASED SECURITY.—The term “risk-based security” has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.
TITLE I—OFFICE OF CYBERSPACE POLICY
SEC. 101. ESTABLISHMENT OF THE OFFICE OF CYBERSPACE POLICY.
(a) ESTABLISHMENT OF OFFICE.—There is established in the Executive Office of the President an Office of Cyberspace Policy which shall—
(1) develop, not later than 1 year after the date of enactment of this Act, and update as needed, but not less frequently than once every 2 years, a national strategy to increase the security and resiliency of cyberspace, that includes goals and objectives relating to—
(A) computer network operations, including offensive activities, defensive activities, and other activities;
(B) information assurance;
(C) protection of critical infrastructure and key resources;
(D) research and development priorities;
(E) law enforcement;
(F) diplomacy;
(G) homeland security; and
(H) military and intelligence activities;
(2) oversee, coordinate, and integrate all policies and activities of the Federal Government across all instruments of national power relating to ensuring the security and resiliency of cyberspace, including—
(A) diplomatic, economic, military, intelligence, homeland security, and law enforcement policies and activities within and among Federal agencies; and
(B) offensive activities, defensive activities, and other policies and activities necessary to ensure effective capabilities to operate in cyberspace;
(3) ensure that all Federal agencies comply with appropriate guidelines, policies, and directives from the Department of Homeland Security, other Federal agencies with responsibilities relating to cyberspace security or resiliency, and the National Center for Cybersecurity and Communications; and
(4) ensure that Federal agencies have access to, receive, and appropriately disseminate law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) relevant to—
(A) the security of the Federal information infrastructure or the national information infrastructure; and
(B) the security of—
(i) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the
intelligence community; or
(ii) a national security system.
(b) DIRECTOR OF CYBERSPACE POLICY.—
(1) IN GENERAL.—There shall be a Director of Cyberspace Policy, who shall be the head of the Office.
(2) EXECUTIVE SCHEDULE POSITION.—Section 5312 of title 5, United States Code, is amended by adding at the end the following:
“Director of Cyberspace Policy.”.
SEC. 102. APPOINTMENT AND RESPONSIBILITIES OF THE DIRECTOR.
(a) APPOINTMENT.—
(1) IN GENERAL.—The Director shall be appointed by the President, by and with the advice and consent of the Senate.
(2) QUALIFICATIONS.—The President shall appoint the Director from among individuals who have demonstrated ability and knowledge in information technology, cybersecurity, and the operations, security, and resiliency of communications networks.
(3) PROHIBITION.—No person shall serve as Director while serving in any other position in the Federal Government.
(b) RESPONSIBILITIES.—The Director shall—
(1) advise the President regarding the establishment of policies, goals, objectives, and priorities
for securing the information infrastructure of the Nation;
(2) advise the President and other entities within the Executive Office of the President regarding mechanisms to build, and improve the resiliency and efficiency of, the information and communication industry of the Nation, in collaboration with the private sector, while promoting national economic interests;
(3) work with Federal agencies to—
(A) oversee, coordinate, and integrate the implementation of the National Strategy, including coordination with—
(i) the Department of Homeland Security;
(ii) the Department of Defense;
(iii) the Department of Commerce;
(iv) the Department of State;
(v) the Department of Justice;
(vi) the Department of Energy;
(vii) through the Director of National Intelligence, the intelligence community; and
(viii) and any other Federal agency with responsibilities relating to the National Strategy; and
(B) resolve any disputes that arise between Federal agencies relating to the National Strategy or other matters within the responsibility of the Office;
(4) if the policies or activities of a Federal agency are not in compliance with the responsibilities of the Federal agency under the National Strategy—
(A) notify the Federal agency;
(B) transmit a copy of each notification under subparagraph (A) to the President and the appropriate congressional committees; and
(C) coordinate the efforts to bring the Federal agency into compliance;
(5) ensure the adequacy of protections for privacy and civil liberties in carrying out the responsibilities of the Director under this title, including through consultation with the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee);
(6) upon reasonable request, appear before any duly constituted committees of the Senate or of the House of Representatives;
(7) recommend to the Office of Management and Budget or the head of a Federal agency actions (including requests to Congress relating to the reprogramming of funds) that the Director determines are necessary to ensure risk-based security of—
(A) the Federal information infrastructure;
(B) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or
(C) a national security system;
(8) advise the Administrator of the Office of E-Government and Information Technology and the Administrator of the Office of Information and Regulatory Affairs on the development, and oversee the implementation, of policies, principles, standards, guidelines, and budget priorities for information technology functions and activities of the Federal Government;
(9) coordinate and ensure, to the maximum extent practicable, that the standards and guidelines developed for national security systems and the standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C.
278g–3) are complementary and unified;
(10) in consultation with the Administrator of the Office of Information and Regulatory Affairs, coordinate efforts of Federal agencies relating to the development of regulations, rules, requirements, or other actions applicable to the national information infrastructure to ensure, to the maximum extent practicable, that the efforts are complementary;
(11) coordinate the activities of the Office of Science and Technology Policy, the National Economic Council, the Office of Management and Budget, the National Security Council, the Homeland Security Council, and the United States Trade Representative related to the National Strategy and other matters within the purview of the Office; and
(12) as assigned by the President, other duties relating to the security and resiliency of cyberspace.
SEC. 103. PROHIBITION ON POLITICAL CAMPAIGNING.
Section 7323(b)(2)(B) of title 5, United States Code, is amended—
(1) in clause (i), by striking “or” at the end;
(2) in clause (ii), by striking the period at the end and inserting “; or”; and
(3) by adding at the end the following:
“(iii) notwithstanding the exception under subparagraph (A) (relating to an appointment made by the President, by and with the advice and consent of the Senate), the Director of Cyberspace Policy.”.
SEC. 104. REVIEW OF FEDERAL AGENCY BUDGET REQUESTS RELATING TO THE NATIONAL STRATEGY.
(a) IN GENERAL.—For each fiscal year, the head of each Federal agency shall transmit to the Director a copy of any portion of the budget of the Federal agency intended to implement the National Strategy at the same time as that budget request is submitted to the Office of Management and Budget in the preparation of the budget of the President submitted to Congress under section 1105(a) of title 31, United States Code.
(b) TIMELY SUBMISSIONS.—The head of each Federal agency shall ensure the timely development and submission to the Director of each proposed budget under this section, in such format as may be designated by the Director with the concurrence of the Director of the Office of Management and Budget.
(c) ADEQUACY OF THE PROPOSED BUDGET REQUESTS.—With the assistance of, and in coordination with, the Office of E-Government and Information Technology and the National Center for Cybersecurity and Communications, the Director shall review each budget submission to assess the adequacy of the proposed request with regard to implementation of the National Strategy.
(d) INADEQUATE BUDGET REQUESTS.—If the Director concludes that a budget request submitted under subsection (a) is inadequate, in whole or in part, to implement the objectives of the National Strategy, the Director shall submit to the Director of the Office of Management and Budget and the head of the Federal agency submitting the budget request a written description of funding levels and specific initiatives that would, in the determination of the Director, make the request adequate.
SEC. 105. ACCESS TO INTELLIGENCE.
The Director shall have access to law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) that is obtained by, or in the possession of, any Federal agency that the Director determines relevant to the security of—
(1) the Federal information infrastructure;
(2) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;
(3) a national security system; or
(4) national information infrastructure.
SEC. 106. CONSULTATION.
(a) IN GENERAL.—The Director may consult and obtain recommendations from, as needed, such Presidential and other advisory entities as the Director determines will assist in carrying out the mission of the Office, including—
(1) the National Security Telecommunications Advisory Committee;
(2) the National Infrastructure Advisory Council;
(3) the Privacy and Civil Liberties Oversight Board;
(4) the President’s Intelligence Advisory Board;
(5) the Critical Infrastructure Partnership Advisory Council; and
(6) the National Cybersecurity Advisory Council established under section 239 of the Homeland Security Act of 2002, as added by this Act.
(b) NATIONAL STRATEGY.—In developing and updating the National Strategy the Director shall consult with the National Cybersecurity Advisory Council and, as appropriate, State and local governments and private entities.
SEC. 107. REPORTS TO CONGRESS.
(a) IN GENERAL.—The Director shall submit an annual report to the appropriate congressional committees describing the activities, ongoing projects, and plans of the Federal Government designed to meet the goals and objectives of the National Strategy.
(b) CLASSIFIED ANNEX.—A report submitted under this section shall be submitted in an unclassified form, but may include a classified annex, if necessary.
(c) PUBLIC REPORT.—An unclassified version of each report submitted under this section shall be made available to the public.
TITLE II—NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS
SEC. 201. CYBERSECURITY.
Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by adding at the end the following:
“Subtitle E—Cybersecurity
“SEC. 241. DEFINITIONS.
“In this subtitle—
“(1) the term ‘agency information infrastructure’ means the Federal information infrastructure of a particular Federal agency;
“(2) the term ‘appropriate committees of Congress’ means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives;
“(3) the term ‘Center’ means the National Center for Cybersecurity and Communications established under section 242(a);
“(4) the term ‘covered critical infrastructure’ means a system or asset—
“(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
“(B)(i) that is a component of the national information infrastructure; or
“(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset;
“(5) the term ‘cyber vulnerability’ means any security vulnerability that, if exploited, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure;
“(6) the term ‘Director’ means the Director of the Center appointed under section 242(b)(1);
“(7) the term ‘Federal agency’—
“(A) means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; and
“(B) does not include the governments of the District of
Columbia and of the territories and possessions of the United States and their various subdivisions;
“(8) the term ‘Federal information infrastructure’—
“(A) means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and
“(B) does not include—
“(i) a national security system; or
“(ii) information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;
“(9) the term ‘incident’ means an occurrence that—
“(A) actually or potentially jeopardizes—
“(i) the information security of information infrastructure; or
“(ii) the information that information infrastructure processes, stores, receives, or transmits; or
“(B) constitutes a violation or threat of violation of security policies, security procedures, or acceptable use policies applicable to information infrastructure.
“(10) the term ‘information infrastructure’ means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including—
“(A) programmable electronic devices and communications networks; and
“(B) any associated hardware, software, or data;
“(11) the term ‘information security’ means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—
“(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
“(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
“(C) availability, by ensuring timely and reliable access to and use of information;
“(12) the term ‘information sharing and analysis center’ means a self-governed forum whose members work together within a specific sector of critical infrastructure to identify, analyze, and share with other members and the Federal Government critical information relating to threats, vulnerabilities, or incidents to the security and resiliency of the critical infrastructure that comprises the specific sector;
“(13) the term ‘information system’ has the meaning given that term in section 3502 of title 44, United States Code;
“(14) the term ‘intelligence community’ has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C.
401a(4));
“(15) the term ‘management controls’ means safeguards or countermeasures for an information system that focus on the management of risk and the management of information system security;
“(16) the term ‘National Cybersecurity Advisory Council’ means the National Cybersecurity Advisory Council established under section 239;
“(17) the term ‘national cyber emergency’ means an actual or imminent action by any individual or entity to exploit a cyber vulnerability in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure;
“(18) the term ‘national information infrastructure’ means information infrastructure—
“(A)(i) that is owned, operated, or controlled within or from the United States; or
“(ii) if located outside the United States, the disruption of which could result in national or regional catastrophic damage in the United States; and
“(B) that is not owned, operated, controlled, or licensed for use by a Federal agency;
“(19) the term ‘national security system’ has the same meaning given that term in section 3551 of title 44, United States Code;
“(20) the term ‘operational controls’ means the safeguards and countermeasures for an information system that are primarily implemented and executed by individuals not systems;
“(21) the term ‘sector-specific agency’ means the relevant Federal agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category under the National Infrastructure Protection Plan, or any other appropriate Federal agency identified by the President after the date of enactment of this subtitle;
“(22) the term ‘sector coordinating councils’ means self-governed councils that are composed of representatives of key stakeholders within a specific sector of critical infrastructure that serve as the principal private sector policy coordination and planning entities with the Federal Government relating to the security and resiliency of the critical infrastructure that comprise that sector;
“(23) the term ‘security controls’ means the management, operational, and technical controls prescribed for an information system to protect the information security of the system;
“(24) the term ‘small business concern’ has the meaning given that term under section 3 of the Small Business Act (15 U.S.C. 632);
“(25) the term ‘technical controls’ means the safeguards or countermeasures for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system;
“(26) the term ‘terrorism information’ has the meaning given that term in section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485);
“(27) the term ‘United States person’ has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801); and
“(28) the term ‘US–CERT’ means the United States Computer Readiness Team established under section 244.
“SEC. 242. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS.
“(a) ESTABLISHMENT.—
“(1) IN GENERAL.—There is established within the Department a National Center for Cybersecurity and Communications.
“(2) OPERATIONAL ENTITY.—The Center may—
“(A) enter into contracts for the procurement of property and services for the Center; and
“(B) appoint employees of the Center in accordance with the civil service laws of the United States.
“(b) DIRECTOR.—
“(1) IN GENERAL.—The Center shall be headed by a Director, who shall be appointed by the President, by and with the advice and consent of the Senate.
“(2) REPORTING TO SECRETARY.—The Director shall report directly to the Secretary and serve as the principal advisor to the Secretary on cybersecurity and the operations, security, and resiliency of the communications infrastructure of the United States.
“(3) PRESIDENTIAL ADVICE.—The Director shall regularly advise the President on the exercise of the authorities provided under this subtitle or any other provision of law relating to the security of the Federal information infrastructure or an agency information infrastructure.
“(4) QUALIFICATIONS.—The Director shall be appointed from among individuals who have—
“(A) a demonstrated ability in and knowledge of information technology, cybersecurity, and the operations, security and resiliency of communications networks; and
“(B) significant executive leadership and management experience in the public or private sector.
“(5) LIMITATION ON SERVICE.—
“(A) IN GENERAL.—Subject to subparagraph (B), the individual serving as the Director may not, while so serving, serve in any other capacity in the Federal Government, except to the extent that the individual serving as Director is doing so in an acting capacity.
“(B) EXCEPTION.—The Director may serve on any commission, board, council, or similar entity with responsibilities or duties relating to cybersecurity or the operations, security, and resiliency of the communications infrastructure of the United States at the direction of the President or as otherwise provided by law.
“(c) DEPUTY DIRECTORS.—
“(1) IN GENERAL.—There shall be not less than 2 Deputy Directors for the Center, who shall report to the Director.
“(2) INFRASTRUCTURE PROTECTION.—
“(A) APPOINTMENT.—There shall be a Deputy Director appointed by the Secretary, who shall have expertise in infrastructure protection.
“(B) RESPONSIBILITIES.—The Deputy Director appointed under subparagraph (A) shall—
“(i) assist the Director and the Assistant Secretary for Infrastructure Protection in coordinating, managing, and directing the information, communications, and physical infrastructure protection responsibilities and activities of the Department, including activities under Homeland Security Presidential Directive–7, or any successor thereto, and the National Infrastructure Protection Plan, or any successor thereto;
“(ii) review the budget for the Center and the Office of Infrastructure Protection before submission of the budget to the Secretary to ensure that activities are appropriately coordinated;
“(iii) develop, update periodically, and submit to the appropriate committees of Congress a strategic plan detailing how critical infrastructure protection activities will be coordinated between the Center, the Office of Infrastructure Protection, and the private sector;
“(iv) subject to the direction of the Director resolve conflicts between the Center and the Office of Infrastructure Protection relating to the information, communications, and physical infrastructure protection responsibilities of the Center and the Office of Infrastructure Protection; and
“(v) perform such other duties as the Director may assign.
“(C) ANNUAL EVALUATION.—The Assistant Secretary for Infrastructure Protection shall submit annually to the Director an evaluation of the performance of the Deputy Director appointed under subparagraph (A).
“(3) INTELLIGENCE COMMUNITY.—The Director of National Intelligence shall identify an employee of an element of the intelligence community to serve as a Deputy Director of the Center. The employee shall be detailed to the Center on a reimbursable basis for such period as is agreed to by the Director and the Director of National Intelligence, and, while serving as Deputy Director, shall report directly to the Director of the Center.
9 ‘‘(d) LIAISON OFFICERS.—The Secretary of Defense, 10 the Attorney General, the Secretary of Commerce, and the 11 Director of National Intelligence shall detail personnel to 12 the Center to act as full-time liaisons with the Department 13 of Defense, the Department of Justice, the National Insti- 14 tute of Standards and Technology, and elements of the 15 intelligence community to assist in coordination between 16 and among the Center, the Department of Defense, the 17 Department of Justice, the National Institute of Stand- 18 ards and Technology, and elements of the intelligence 19 community. 20 ‘‘(e) PRIVACY OFFICER.— 21 ‘‘(1) IN GENERAL.—The Director, in consulta- 22 tion with the Secretary, shall designate a full-time 23 privacy officer, who shall report to the Director. 24 33 HEN10553 S.L.C. ‘‘(2) DUTIES.—The privacy officer designated 1 under paragraph (1) shall have primary responsi- 2 bility for implementation by the Center of the pri- 3 vacy policy for the Department established by the 4 Privacy Officer appointed under section 222. 
5 ‘‘(f) DUTIES OF DIRECTOR.— 6 ‘‘(1) IN GENERAL.—The Director shall— 7 ‘‘(A) working cooperatively with the private 8 sector, lead the Federal effort to secure, pro- 9 tect, and ensure the resiliency of the Federal in- 10 formation infrastructure and national informa- 11 tion infrastructure of the United States, includ- 12 ing communications networks; 13 ‘‘(B) assist in the identification, remedi- 14 ation, and mitigation of vulnerabilities to the 15 Federal information infrastructure and the na- 16 tional information infrastructure; 17 ‘‘(C) provide dynamic, comprehensive, and 18 continuous situational awareness of the security 19 status of the Federal information infrastruc- 20 ture, national information infrastructure, and 21 information infrastructure that is owned, oper- 22 ated, controlled, or licensed for use by, or on 23 behalf of, the Department of Defense, a mili- 24 tary department, or another element of the in- 25 34 HEN10553 S.L.C. telligence community by sharing and inte- 1 grating classified and unclassified information, 2 including information relating to threats, 3 vulnerabilities, traffic, trends, incidents, and 4 other anomalous activities affecting the infra- 5 structure or systems, on a routine and contin- 6 uous basis with— 7 ‘‘(i) the National Threat Operations 8 Center of the National Security Agency; 9 ‘‘(ii) the United States Cyber Com- 10 mand, including the Joint Task Force- 11 Global Network Operations; 12 ‘‘(iii) the Cyber Crime Center of the 13 Department of Defense; 14 ‘‘(iv) the National Cyber Investigative 15 Joint Task Force; 16 ‘‘(v) the Intelligence Community Inci- 17 dent Response Center; 18 ‘‘(vi) any other Federal agency, or 19 component thereof, identified by the Direc- 20 tor; and 21 ‘‘(vii) any non-Federal entity, includ- 22 ing, where appropriate, information shar- 23 ing and analysis centers, identified by the 24 Director, with the concurrence of the 25 35 HEN10553 S.L.C. 
owner or operator of that entity and con- 1 sistent with applicable law; 2 ‘‘(D) work with the entities described in 3 subparagraph (C) to establish policies and pro- 4 cedures that enable information sharing be- 5 tween and among the entities; 6 ‘‘(E) develop, in coordination with the As- 7 sistant Secretary for Infrastructure Protection, 8 other Federal agencies, the private sector, and 9 State and local governments, a national incident 10 response plan that details the roles of Federal 11 agencies, State and local governments, and the 12 private sector, including plans to be executed in 13 response to a declaration of a national cyber 14 emergency by the President under section 249; 15 ‘‘(F) conduct risk-based assessments of the 16 Federal information infrastructure with respect 17 to acts of terrorism, natural disasters, and 18 other large-scale disruptions and provide the re- 19 sults of the assessments to the Director of 20 Cyberspace Policy; 21 ‘‘(G) develop, oversee the implementation 22 of, and enforce policies, principles, and guide- 23 lines on information security for the Federal in- 24 formation infrastructure, including timely adop- 25 36 HEN10553 S.L.C. tion of and compliance with standards devel- 1 oped by the National Institute of Standards 2 and Technology under section 20 of the Na- 3 tional Institute of Standards and Technology 4 Act (15 U.S.C. 278g–3); 5 ‘‘(H) provide assistance to the National In- 6 stitute of Standards and Technology in devel- 7 oping standards under section 20 of the Na- 8 tional Institute of Standards and Technology 9 Act (15 U.S.C. 
278g–3); 10 ‘‘(I) provide to Federal agencies manda- 11 tory security controls to mitigate and remediate 12 vulnerabilities of and incidents affecting the 13 Federal information infrastructure; 14 ‘‘(J) subject to paragraph (2), and as 15 needed, assist the Director of the Office of 16 Management and Budget and the Director of 17 Cyberspace Policy in conducting analysis and 18 prioritization of budgets, relating to the secu- 19 rity of the Federal information infrastructure; 20 ‘‘(K) in accordance with section 253, de- 21 velop, periodically update, and implement a 22 supply chain risk management strategy to en- 23 hance, in a risk-based and cost-effective man- 24 ner, the security of the communications and in- 25 37 HEN10553 S.L.C. formation technology products and services pur- 1 chased by the Federal Government; 2 ‘‘(L) notify the Director of Cyberspace 3 Policy of any incident involving the Federal in- 4 formation infrastructure, information infra- 5 structure that is owned, operated, controlled, or 6 licensed for use by, or on behalf of, the Depart- 7 ment of Defense, a military department, or an- 8 other element of the intelligence community, or 9 the national information infrastructure that 10 could compromise or significantly affect eco- 11 nomic or national security; 12 ‘‘(M) consult, in coordination with the Di- 13 rector of Cyberspace Policy, with appropriate 14 international partners to enhance the security 15 of the Federal information infrastructure and 16 national information infrastructure; 17 ‘‘(N)(i) coordinate and integrate informa- 18 tion to analyze the composite security state of 19 the Federal information infrastructure and in- 20 formation infrastructure that is owned, oper- 21 ated, controlled, or licensed for use by, or on 22 behalf of, the Department of Defense, a mili- 23 tary department, or another element of the in- 24 telligence community; 25 38 HEN10553 S.L.C. 
‘‘(ii) ensure the information required under 1 clause (i) and section 3553(c)(1)(A) of title 44, 2 United States Code, including the views of the 3 Director on the adequacy and effectiveness of 4 information security throughout the Federal in- 5 formation infrastructure and information infra- 6 structure that is owned, operated, controlled, or 7 licensed for use by, or on behalf of, the Depart- 8 ment of Defense, a military department, or an- 9 other element of the intelligence community, is 10 available on an automated and continuous basis 11 through the system maintained under section 12 3552(a)(3)(D) of title 44, United States Code; 13 ‘‘(iii) in conjunction with the quadrennial 14 homeland security review required under section 15 707, and at such other times determined appro- 16 priate by the Director, analyze the composite 17 security state of the national information infra- 18 structure and submit to the President, Con- 19 gress, and the Secretary a report regarding ac- 20 tions necessary to enhance the composite secu- 21 rity state of the national information infrastruc- 22 ture based on the analysis; and 23 ‘‘(iv) foster collaboration and serve as the 24 primary contact between the Federal Govern- 25 39 HEN10553 S.L.C. ment, State and local governments, and private 1 entities on matters relating to the security of 2 the Federal information infrastructure and the 3 national information infrastructure; 4 ‘‘(O) oversee the development, implementa- 5 tion, and management of security requirements 6 for Federal agencies relating to the external ac- 7 cess points to or from the Federal information 8 infrastructure; 9 ‘‘(P) establish, develop, and oversee the ca- 10 pabilities and operations within the US–CERT 11 as required by section 244; 12 ‘‘(Q) oversee the operations of the National 13 Communications System, as described in Execu- 14 tive Order 12472 (49 Fed. Reg. 
13471; relating 15 to the assignment of national security and 16 emergency preparedness telecommunications 17 functions), as amended by Executive Order 18 13286 (68 Fed. Reg. 10619) and Executive 19 Order 13407 (71 Fed. Reg. 36975), or any suc- 20 cessor thereto, including planning for and pro- 21 viding communications for the Federal Govern- 22 ment under all circumstances, including crises, 23 emergencies, attacks, recoveries, and reconstitu- 24 tions; 25 40 HEN10553 S.L.C. ‘‘(R) ensure, in coordination with the pri- 1 vacy officer designated under subsection (e), the 2 Privacy Officer appointed under section 222, 3 and the Director of the Office of Civil Rights 4 and Civil Liberties appointed under section 705, 5 that the activities of the Center comply with all 6 policies, regulations, and laws protecting the 7 privacy and civil liberties of United States per- 8 sons; 9 ‘‘(S) subject to the availability of re- 10 sources, and at the discretion of the Director, 11 provide voluntary technical assistance— 12 ‘‘(i) at the request of an owner or op- 13 erator of covered critical infrastructure, to 14 assist the owner or operator in complying 15 with sections 248 and 249, including im- 16 plementing required security or emergency 17 measures and developing response plans 18 for national cyber emergencies declared 19 under section 249; and 20 ‘‘(ii) at the request of the owner or 21 operator of national information infra- 22 structure that is not covered critical infra- 23 structure, and based on risk, to assist the 24 owner or operator in implementing best 25 41 HEN10553 S.L.C. 
practices, and related standards and guide- 1 lines, recommended under section 247 and 2 other measures necessary to mitigate or re- 3 mediate vulnerabilities of the information 4 infrastructure and the consequences of ef- 5 forts to exploit the vulnerabilities; 6 ‘‘(T)(i) conduct, in consultation with the 7 National Cybersecurity Advisory Council, the 8 head of appropriate sector-specific agencies, and 9 any private sector entity determined appro- 10 priate by the Director, risk-based assessments 11 of national information infrastructure, on a sec- 12 tor-by-sector basis, with respect to acts of ter- 13 rorism, natural disasters, and other large-scale 14 disruptions or financial harm, which shall iden- 15 tify and prioritize risks to the national informa- 16 tion infrastructure, including vulnerabilities and 17 associated consequences; and 18 ‘‘(ii) coordinate and evaluate the mitigation 19 or remediation of cyber vulnerabilities and con- 20 sequences identified under clause (i); 21 ‘‘(U) regularly evaluate and assess tech- 22 nologies designed to enhance the protection of 23 the Federal information infrastructure and na- 24 tional information infrastructure, including an 25 42 HEN10553 S.L.C. 
assessment of the cost-effectiveness of the tech- 1 nologies; 2 ‘‘(V) promote the use of the best practices 3 recommended under section 247 to State and 4 local governments and the private sector; 5 ‘‘(W) develop and implement outreach and 6 awareness programs on cybersecurity, includ- 7 ing— 8 ‘‘(i) a public education campaign to 9 increase the awareness of cybersecurity, 10 cyber safety, and cyber ethics, which shall 11 include use of the Internet, social media, 12 entertainment, and other media to reach 13 the public; 14 ‘‘(ii) an education campaign to in- 15 crease the understanding of State and local 16 governments and private sector entities of 17 the costs of failing to ensure effective secu- 18 rity of information infrastructure and cost- 19 effective methods to mitigate and reme- 20 diate vulnerabilities; and 21 ‘‘(iii) outcome-based performance 22 measures to determine the success of the 23 programs; 24 43 HEN10553 S.L.C. ‘‘(X) develop and implement a national cy- 1 bersecurity exercise program that includes— 2 ‘‘(i) the participation of State and 3 local governments, international partners 4 of the United States, and the private sec- 5 tor; and 6 ‘‘(ii) an after action report analyzing 7 lessons learned from exercises and identi- 8 fying vulnerabilities to be remediated or 9 mitigated; 10 ‘‘(Y) coordinate with the Assistant Sec- 11 retary for Infrastructure Protection to ensure 12 that— 13 ‘‘(i) cybersecurity is appropriately ad- 14 dressed in carrying out the infrastructure 15 protection responsibilities described in sec- 16 tion 201(d); and 17 ‘‘(ii) the operations of the Center and 18 the Office of Infrastructure Protection 19 avoid duplication and use, to the maximum 20 extent practicable, joint mechanisms for in- 21 formation sharing and coordination with 22 the private sector; 23 44 HEN10553 S.L.C. 
‘‘(Z) oversee the activities of the Office of 1 Emergency Communications established under 2 section 1801; and 3 ‘‘(AA) perform such other duties as the 4 Secretary may direct relating to the security 5 and resiliency of the information and commu- 6 nications infrastructure of the United States. 7 ‘‘(2) BUDGET ANALYSIS.—In conducting anal- 8 ysis and prioritization of budgets under paragraph 9 (1)(J), the Director— 10 ‘‘(A) in coordination with the Director of 11 the Office of Management and Budget, may ac- 12 cess information from any Federal agency re- 13 garding the finances, budget, and programs of 14 the Federal agency relevant to the security of 15 the Federal information infrastructure; 16 ‘‘(B) may make recommendations to the 17 Director of the Office of Management and 18 Budget and the Director of Cyberspace Policy 19 regarding the budget for each Federal agency 20 to ensure that adequate funding is devoted to 21 securing the Federal information infrastructure, 22 in accordance with policies, principles, and 23 guidelines established by the Director under 24 this subtitle; and 25 45 HEN10553 S.L.C. ‘‘(C) shall provide copies of any rec- 1 ommendations made under subparagraph (B) 2 to— 3 ‘‘(i) the Committee on Appropriations 4 of the Senate; 5 ‘‘(ii) the Committee on Appropriations 6 of the House of Representatives; and 7 ‘‘(iii) the appropriate committees of 8 Congress. 9 ‘‘(g) USE OF MECHANISMS FOR COLLABORATION.— 10 In carrying out the responsibilities and authorities of the 11 Director under this subtitle, to the maximum extent prac- 12 ticable, the Director shall use mechanisms for collabora- 13 tion and information sharing (including mechanisms relat- 14 ing to the identification and communication of threats, 15 vulnerabilities, and associated consequences) established 16 by other components of the Department or other Federal 17 agencies to avoid unnecessary duplication or waste. 
18 ‘‘(h) SUFFICIENCY OF RESOURCES PLAN.— 19 ‘‘(1) REPORT.—Not later than 120 days after 20 the date of enactment of this subtitle, the Director 21 of the Office of Management and Budget shall sub- 22 mit to the appropriate committees of Congress and 23 the Comptroller General of the United States a re- 24 46 HEN10553 S.L.C. port on the resources and staff necessary to carry 1 out fully the responsibilities under this subtitle. 2 ‘‘(2) COMPTROLLER GENERAL REVIEW.— 3 ‘‘(A) IN GENERAL.—The Comptroller Gen- 4 eral of the United States shall evaluate the rea- 5 sonableness and adequacy of the report sub- 6 mitted by the Director under paragraph (1). 7 ‘‘(B) REPORT.—Not later than 60 days 8 after the date on which the report is submitted 9 under paragraph (1), the Comptroller General 10 shall submit to the appropriate committees of 11 Congress a report containing the findings of the 12 review under subparagraph (A). 13 ‘‘(i) FUNCTIONS TRANSFERRED.—There are trans- 14 ferred to the Center the National Cyber Security Division, 15 the Office of Emergency Communications, and the Na- 16 tional Communications System, including all the func- 17 tions, personnel, assets, authorities, and liabilities of the 18 National Cyber Security Division and the National Com- 19 munications System. 20 ‘‘SEC. 243. PHYSICAL AND CYBER INFRASTRUCTURE COL- 21 LABORATION. 22 ‘‘(a) IN GENERAL.—The Director and the Assistant 23 Secretary for Infrastructure Protection shall coordinate 24 the information, communications, and physical infrastruc- 25 47 HEN10553 S.L.C. ture protection responsibilities and activities of the Center 1 and the Office of Infrastructure Protection. 2 ‘‘(b) OVERSIGHT.—The Secretary shall ensure that 3 the coordination described in subsection (a) occurs. 4 ‘‘SEC. 244. UNITED STATES COMPUTER EMERGENCY READI- 5 NESS TEAM. 
6 ‘‘(a) ESTABLISHMENT OF OFFICE.—There is estab- 7 lished within the Center, the United States Computer 8 Emergency Readiness Team, which shall be headed by a 9 Director, who shall be selected from the Senior Executive 10 Service by the Secretary. 11 ‘‘(b) RESPONSIBILITIES.—The US–CERT shall— 12 ‘‘(1) collect, coordinate, and disseminate infor- 13 mation on— 14 ‘‘(A) risks to the Federal information in- 15 frastructure, information infrastructure that is 16 owned, operated, controlled, or licensed for use 17 by, or on behalf of, the Department of Defense, 18 a military department, or another element of 19 the intelligence community, or the national in- 20 formation infrastructure; and 21 ‘‘(B) security controls to enhance the secu- 22 rity of the Federal information infrastructure 23 or the national information infrastructure 24 48 HEN10553 S.L.C. against the risks identified in subparagraph 1 (A); and 2 ‘‘(2) establish a mechanism for engagement 3 with the private sector. 4 ‘‘(c) MONITORING, ANALYSIS, WARNING, AND RE- 5 SPONSE.— 6 ‘‘(1) DUTIES.—Subject to paragraph (2), the 7 US–CERT shall— 8 ‘‘(A) provide analysis and reports to Fed- 9 eral agencies on the security of the Federal in- 10 formation infrastructure; 11 ‘‘(B) provide continuous, automated moni- 12 toring of the Federal information infrastructure 13 at external Internet access points, which shall 14 include detection and warning of threats, 15 vulnerabilities, traffic, trends, incidents, and 16 other anomalous activities affecting the infor- 17 mation security of the Federal information in- 18 frastructure; 19 ‘‘(C) warn Federal agencies of threats, 20 vulnerabilities, incidents, and anomalous activi- 21 ties that could affect the Federal information 22 infrastructure; 23 49 HEN10553 S.L.C. 
‘‘(D) develop, recommend, and deploy secu- 1 rity controls to mitigate or remediate 2 vulnerabilities; 3 ‘‘(E) support Federal agencies in con- 4 ducting risk assessments of the agency informa- 5 tion infrastructure; 6 ‘‘(F) disseminate to Federal agencies risk 7 analyses of incidents that could impair the risk- 8 based security of the Federal information infra- 9 structure; 10 ‘‘(G) develop and acquire predictive ana- 11 lytic tools to evaluate threats, vulnerabilities, 12 traffic, trends, incidents, and anomalous activi- 13 ties; 14 ‘‘(H) aid in the detection of, and warn 15 owners or operators of national information in- 16 frastructure regarding, threats, vulnerabilities, 17 and incidents, affecting the national informa- 18 tion infrastructure, including providing— 19 ‘‘(i) timely, targeted, and actionable 20 notifications of threats, vulnerabilities, and 21 incidents; and 22 ‘‘(ii) recommended security controls to 23 mitigate or remediate vulnerabilities; and 24 50 HEN10553 S.L.C. ‘‘(I) respond to assistance requests from 1 Federal agencies and, subject to the availability 2 of resources, owners or operators of the na- 3 tional information infrastructure to— 4 ‘‘(i) isolate, mitigate, or remediate in- 5 cidents; 6 ‘‘(ii) recover from damages and miti- 7 gate or remediate vulnerabilities; and 8 ‘‘(iii) evaluate security controls and 9 other actions taken to secure information 10 infrastructure and incorporate lessons 11 learned into best practices, policies, prin- 12 ciples, and guidelines. 13 ‘‘(2) REQUIREMENT.—With respect to the Fed- 14 eral information infrastructure, the US–CERT shall 15 conduct the activities described in paragraph (1) in 16 a manner consistent with the responsibilities of the 17 head of a Federal agency described in section 3553 18 of title 44, United States Code. 
19 ‘‘(3) REPORT.—Not later than 1 year after the 20 date of enactment of this subtitle, and every year 21 thereafter, the Secretary shall— 22 ‘‘(A) in conjunction with the Inspector 23 General of the Department, conduct an inde- 24 51 HEN10553 S.L.C. pendent audit or review of the activities of the 1 US–CERT under paragraph (1)(B); and 2 ‘‘(B) submit to the appropriate committees 3 of Congress and the President a report regard- 4 ing the audit or report. 5 ‘‘(d) PROCEDURES FOR FEDERAL GOVERNMENT.— 6 Not later than 90 days after the date of enactment of this 7 subtitle, the head of each Federal agency shall establish 8 procedures for the Federal agency that ensure that the 9 US–CERT can perform the functions described in sub- 10 section (c) in relation to the Federal agency. 11 ‘‘(e) OPERATIONAL UPDATES.—The US–CERT shall 12 provide unclassified and, as appropriate, classified updates 13 regarding the composite security state of the Federal in- 14 formation infrastructure to the Federal Information Secu- 15 rity Taskforce. 16 ‘‘(f) FEDERAL POINTS OF CONTACT.—The Director 17 of the US–CERT shall designate a principal point of con- 18 tact within the US–CERT for each Federal agency to— 19 ‘‘(1) maintain communication; 20 ‘‘(2) ensure cooperative engagement and infor- 21 mation sharing; and 22 ‘‘(3) respond to inquiries or requests. 23 ‘‘(g) REQUESTS FOR INFORMATION OR PHYSICAL AC- 24 CESS.— 25 52 HEN10553 S.L.C. 
‘‘(1) INFORMATION ACCESS.—Upon request of 1 the Director of the US–CERT, the head of a Fed- 2 eral agency or an Inspector General for a Federal 3 agency shall provide any law enforcement informa- 4 tion, intelligence information, terrorism information, 5 or any other information (including information re- 6 lating to incidents provided under subsections (a)(4) 7 and (c) of section 246) relevant to the security of 8 the Federal information infrastructure or the na- 9 tional information infrastructure necessary to carry 10 out the duties, responsibilities, and authorities under 11 this subtitle. 12 ‘‘(2) PHYSICAL ACCESS.—Upon request of the 13 Director, and in consultation with the head of a 14 Federal agency, the Federal agency shall provide 15 physical access to any facility of the Federal agency 16 necessary to determine whether the Federal agency 17 is in compliance with any policies, principles, and 18 guidelines established by the Director under this 19 subtitle, or otherwise necessary to carry out the du- 20 ties, responsibilities, and authorities of the Director 21 applicable to the Federal information infrastructure. 22 53 HEN10553 S.L.C. ‘‘SEC. 245. ADDITIONAL AUTHORITIES OF THE DIRECTOR 1 OF THE NATIONAL CENTER FOR CYBERSECU- 2 RITY AND COMMUNICATIONS. 
3 ‘‘(a) ACCESS TO INFORMATION.—Unless otherwise 4 directed by the President— 5 ‘‘(1) the Director shall access, receive, and ana- 6 lyze law enforcement information, intelligence infor- 7 mation, terrorism information, and any other infor- 8 mation (including information relating to incidents 9 provided under subsections (a)(4) and (c) of section 10 246) relevant to the security of the Federal informa- 11 tion infrastructure, information infrastructure that 12 is owned, operated, controlled, or licensed for use by, 13 or on behalf of, the Department of Defense, a mili- 14 tary department, or another element of the intel- 15 ligence community, or national information infra- 16 structure from Federal agencies and, consistent with 17 applicable law, State and local governments (includ- 18 ing law enforcement agencies), and private entities, 19 including information provided by any contractor to 20 a Federal agency regarding the security of the agen- 21 cy information infrastructure; 22 ‘‘(2) any Federal agency in possession of law 23 enforcement information, intelligence information, 24 terrorism information, or any other information (in- 25 cluding information relating to incidents provided 26 54 HEN10553 S.L.C. under subsections (a)(4) and (c) of section 246) rel- 1 evant to the security of the Federal information in- 2 frastructure, information infrastructure that is 3 owned, operated, controlled, or licensed for use by, 4 or on behalf of, the Department of Defense, a mili- 5 tary department, or another element of the intel- 6 ligence community, or national information infra- 7 structure shall provide that information to the Di- 8 rector in a timely manner; and 9 ‘‘(3) the Director, in coordination with the At- 10 torney General, the Privacy and Civil Liberties Over- 11 sight Board established under section 1061 of the 12 National Security Intelligence Reform Act of 2004 13 (42 U.S.C. 
2000ee), the Director of National Intel- 14 ligence, and the Archivist of the United States, shall 15 establish guidelines to ensure that information is 16 transferred, stored, and preserved in accordance 17 with applicable law and in a manner that protects 18 the privacy and civil liberties of United States per- 19 sons. 20 ‘‘(b) OPERATIONAL EVALUATIONS.— 21 ‘‘(1) IN GENERAL.—The Director— 22 ‘‘(A) subject to paragraph (2), shall de- 23 velop, maintain, and enhance capabilities to 24 evaluate the security of the Federal information 25 55 HEN10553 S.L.C. infrastructure as described in section 1 3554(a)(3) of title 44, United States Code, in- 2 cluding the ability to conduct risk-based pene- 3 tration testing and vulnerability assessments; 4 ‘‘(B) in carrying out subparagraph (A), 5 may request technical assistance from the Di- 6 rector of the Federal Bureau of Investigation, 7 the Director of the National Security Agency, 8 the head of any other Federal agency that may 9 provide support, and any nongovernmental enti- 10 ty contracting with the Department or another 11 Federal agency; and 12 ‘‘(C) in consultation with the Attorney 13 General and the Privacy and Civil Liberties 14 Oversight Board established under section 1061 15 of the National Security Intelligence Reform 16 Act of 2004 (42 U.S.C. 2000ee), shall develop 17 guidelines to ensure compliance with all applica- 18 ble laws relating to the privacy of United States 19 persons in carrying out the operational evalua- 20 tions under subparagraph (A). 21 ‘‘(2) OPERATIONAL EVALUATIONS.— 22 ‘‘(A) IN GENERAL.—The Director may 23 conduct risk-based operational evaluations of 24 the agency information infrastructure of any 25 56 HEN10553 S.L.C. Federal agency, at a time determined by the 1 Director, in consultation with the head of the 2 Federal agency, using the capabilities developed 3 under paragraph (1)(A). 
4 ‘‘(B) ANNUAL EVALUATION REQUIRE- 5 MENT.—If the Director conducts an operational 6 evaluation under subparagraph (A) or an oper- 7 ational evaluation at the request of a Federal 8 agency to meet the requirements of section 9 3554 of title 44, United States Code, the oper- 10 ational evaluation shall satisfy the requirements 11 of section 3554 for the Federal agency for the 12 year of the evaluation, unless otherwise speci- 13 fied by the Director. 14 ‘‘(c) CORRECTIVE MEASURES AND MITIGATION 15 PLANS.—If the Director determines that a Federal agency 16 is not in compliance with applicable policies, principles, 17 standards, and guidelines applicable to the Federal infor- 18 mation infrastructure— 19 ‘‘(1) the Director, in consultation with the Di- 20 rector of the Office of Management and Budget, 21 may direct the head of the Federal agency to— 22 ‘‘(A) take corrective measures to meet the 23 policies, principles, standards, and guidelines; 24 and 25 57 HEN10553 S.L.C. ‘‘(B) develop a plan to remediate or miti- 1 gate any vulnerabilities addressed by the poli- 2 cies, principles, standards, and guidelines; 3 ‘‘(2) within such time period as the Director 4 shall prescribe, the head of the Federal agency 5 shall— 6 ‘‘(A) implement a corrective measure or 7 develop a mitigation plan in accordance with 8 paragraph (1); or 9 ‘‘(B) submit to the Director, the Director 10 of the Office of Management and Budget, the 11 Inspector General for the Federal agency, and 12 the appropriate committees of Congress a re- 13 port indicating why the Federal agency has not 14 implemented the corrective measure or devel- 15 oped a mitigation plan; and 16 ‘‘(3) the Director may direct the isolation of 17 any component of the agency information infrastruc- 18 ture, consistent with the contingency or continuity of 19 operation plans applicable to the agency information 20 infrastructure, until corrective measures are taken 21 or mitigation plans approved by the Director are put 22 in 
place, if—
‘‘(A) the head of the Federal agency has failed to comply with the corrective measures prescribed under paragraph (1); and
‘‘(B) the failure to comply presents a significant danger to the Federal information infrastructure.
‘‘SEC. 246. INFORMATION SHARING.
‘‘(a) FEDERAL AGENCIES.—
‘‘(1) INFORMATION SHARING PROGRAM.—Consistent with the responsibilities described in sections 242 and 244, the Director, in consultation with the other members of the Chief Information Officers Council established under section 3603 of title 44, United States Code, and the Federal Information Security Taskforce, shall establish a program for sharing information with and between the Center and other Federal agencies that includes processes and procedures, including standard operating procedures—
‘‘(A) under which the Director regularly shares with each Federal agency—
‘‘(i) analysis and reports on the composite security state of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, which shall include information relating to threats, vulnerabilities, incidents, or anomalous activities;
‘‘(ii) any available analysis and reports regarding the security of the agency information infrastructure; and
‘‘(iii) means and methods of preventing, responding to, mitigating, and remediating vulnerabilities; and
‘‘(B) under which the Director may request information from Federal agencies concerning the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure necessary to carry out the duties of the Director under this subtitle or any other provision of law.
‘‘(2) CONTENTS.—The program established under this section shall include—
‘‘(A) timeframes for the sharing of information under paragraph (1);
‘‘(B) guidance on what information shall be shared, including information regarding incidents;
‘‘(C) a tiered structure that provides guidance for the sharing of urgent information; and
‘‘(D) processes and procedures under which the Director or the head of a Federal agency may report noncompliance with the program to the Director of Cyberspace Policy.
‘‘(3) US–CERT.—The Director of the US–CERT shall ensure that the head of each Federal agency has continual access to data collected by the US–CERT regarding the agency information infrastructure of the Federal agency.
‘‘(4) FEDERAL AGENCIES.—
‘‘(A) IN GENERAL.—The head of a Federal agency shall comply with all processes and procedures established under this subsection regarding notification to the Director relating to incidents.
‘‘(B) IMMEDIATE NOTIFICATION REQUIRED.—Unless otherwise directed by the President, any Federal agency with a national security system shall immediately notify the Director regarding any incident affecting the risk-based security of the national security system.
‘‘(b) STATE AND LOCAL GOVERNMENTS, PRIVATE SECTOR, AND INTERNATIONAL PARTNERS.—
‘‘(1) IN GENERAL.—The Director shall establish processes and procedures, including standard operating procedures, to promote bidirectional information sharing with State and local governments, private entities, and international partners of the United States on—
‘‘(A) threats, vulnerabilities, incidents, and anomalous activities affecting the national information infrastructure; and
‘‘(B) means and methods of preventing, responding to, and mitigating and remediating vulnerabilities.
‘‘(2) CONTENTS.—The processes and procedures established under paragraph (1) shall include—
‘‘(A) means or methods of accessing classified or unclassified information, as appropriate, that will provide situational awareness of the security of the Federal information infrastructure and the national information infrastructure relating to threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the Federal information infrastructure or the national information infrastructure;
‘‘(B) a mechanism, established in consultation with the heads of the relevant sector-specific agencies, sector coordinating councils, and information sharing and analysis centers, by which owners and operators of covered critical infrastructure shall report incidents in the information infrastructure for covered critical infrastructure, to the extent the incident might indicate an actual or potential cyber vulnerability, or exploitation of that vulnerability; and
‘‘(C) an evaluation of the need to provide security clearances to employees of State and local governments, private entities, and international partners to carry out this subsection.
‘‘(3) GUIDELINES.—The Director, in consultation with the Attorney General and the Director of National Intelligence, shall develop guidelines to protect the privacy and civil liberties of United States persons and intelligence sources and methods, while carrying out this subsection.
‘‘(c) INCIDENTS.—
‘‘(1) NON-FEDERAL ENTITIES.—
‘‘(A) IN GENERAL.—
‘‘(i) MANDATORY REPORTING.—Subject to clause (ii), the owner or operator of covered critical infrastructure shall report any incident affecting the information infrastructure of covered critical infrastructure to the extent the incident might indicate an actual or potential cyber vulnerability, or exploitation of a cyber vulnerability, in accordance with the policies and procedures for the mechanism established under subsection (b)(2)(B) and guidelines developed under subsection (b)(3).
‘‘(ii) LIMITATION.—Clause (i) shall not authorize the Director, the Center, the Department, or any other Federal entity to compel the disclosure of information relating to an incident or conduct surveillance unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other provision of law.
‘‘(B) REPORTING PROCEDURES.—The Director shall establish procedures that enable and encourage the owner or operator of national information infrastructure to report to the Director regarding incidents affecting such information infrastructure.
‘‘(2) INFORMATION PROTECTION.—Notwithstanding any other provision of law, information reported under paragraph (1) shall be protected from unauthorized disclosure, in accordance with section 251.
‘‘(d) ADDITIONAL RESPONSIBILITIES.—In accordance with section 251, the Director shall—
‘‘(1) share data collected on the Federal information infrastructure with the National Science Foundation and other accredited research institutions for the sole purpose of cybersecurity research in a manner that protects privacy and civil liberties of United States persons and intelligence sources and methods;
‘‘(2) establish a website to provide an opportunity for the public to provide—
‘‘(A) input about the operations of the Center; and
‘‘(B) recommendations for improvements of the Center; and
‘‘(3) in coordination with the Secretary of Defense, the Director of National Intelligence, the Secretary of State, and the Attorney General, develop information sharing pilot programs with international partners of the United States.
‘‘SEC. 247. PRIVATE SECTOR ASSISTANCE.
‘‘(a) IN GENERAL.—The Director, in consultation with the Director of the National Institute of Standards and Technology, the Director of the National Security Agency, the head of any relevant sector-specific agency, the National Cybersecurity Advisory Council, State and local governments, and any private entities the Director determines appropriate, shall establish a program to promote, and provide technical assistance authorized under section 242(f)(1)(S) relating to the implementation of, best practices and related standards and guidelines for securing the national information infrastructure, including the costs and benefits associated with the implementation of the best practices and related standards and guidelines.
‘‘(b) ANALYSIS AND IMPROVEMENT OF STANDARDS AND GUIDELINES.—For purposes of the program established under subsection (a), the Director shall—
‘‘(1) regularly assess and evaluate cybersecurity standards and guidelines issued by private sector organizations, recognized international and domestic standards setting organizations, and Federal agencies; and
‘‘(2) in coordination with the National Institute of Standards and Technology, encourage the development of, and recommend changes to, the standards and guidelines described in paragraph (1) for securing the national information infrastructure.
‘‘(c) GUIDANCE AND TECHNICAL ASSISTANCE.—
‘‘(1) IN GENERAL.—The Director shall promote best practices and related standards and guidelines to assist owners and operators of national information infrastructure in increasing the security of the national information infrastructure and protecting against and mitigating or remediating known vulnerabilities.
‘‘(2) REQUIREMENT.—Technical assistance provided under section 242(f)(1)(S) and best practices promoted under this section shall be prioritized based on risk.
‘‘(d) CRITERIA.—In promoting best practices or recommending changes to standards and guidelines under this section, the Director shall ensure that best practices, and related standards and guidelines—
‘‘(1) address cybersecurity in a comprehensive, risk-based manner;
‘‘(2) include consideration of the cost of implementing such best practices or of implementing recommended changes to standards and guidelines;
‘‘(3) increase the ability of the owners or operators of national information infrastructure to protect against and mitigate or remediate known vulnerabilities;
‘‘(4) are suitable, as appropriate, for implementation by small business concerns;
‘‘(5) as necessary and appropriate, are sector specific;
‘‘(6) to the maximum extent possible, incorporate standards and guidelines established by private sector organizations, recognized international and domestic standards setting organizations, and Federal agencies; and
‘‘(7) provide sufficient flexibility to permit a range of security solutions.
‘‘SEC. 248. CYBER VULNERABILITIES TO COVERED CRITICAL INFRASTRUCTURE.
‘‘(a) IDENTIFICATION OF CYBER VULNERABILITIES.—
‘‘(1) IN GENERAL.—Based on the risk-based assessments conducted under section 242(f)(1)(T)(i), the Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, and in consultation with the National Cybersecurity Advisory Council and any private sector entity determined appropriate by the Director, shall, on a continuous and sector-by-sector basis, identify and evaluate the cyber vulnerabilities to covered critical infrastructure.
‘‘(2) FACTORS TO BE CONSIDERED.—In identifying and evaluating cyber vulnerabilities under paragraph (1), the Director shall consider—
‘‘(A) the perceived threat, including a consideration of adversary capabilities and intent, preparedness, target attractiveness, and deterrence capabilities;
‘‘(B) the potential extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption of the reliable operation of covered critical infrastructure;
‘‘(C) the threat to or potential impact on national security caused by a disruption of the reliable operation of covered critical infrastructure;
‘‘(D) the extent to which the disruption of the reliable operation of covered critical infrastructure will disrupt the reliable operation of other covered critical infrastructure;
‘‘(E) the potential for harm to the economy that would result from a disruption of the reliable operation of covered critical infrastructure; and
‘‘(F) other risk-based security factors that the Director, in consultation with the head of the sector-specific agency with responsibility for the covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, determines to be appropriate and necessary to protect public health and safety, critical infrastructure, or national and economic security.
‘‘(3) REPORT.—
‘‘(A) IN GENERAL.—Not later than 180 days after the date of enactment of this subtitle, and annually thereafter, the Director, in coordination with the head of the sector-specific agency with responsibility for the covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall submit to the appropriate committees of Congress a report on the findings of the identification and evaluation of cyber vulnerabilities under this subsection. Each report submitted under this paragraph shall be submitted in an unclassified form, but may include a classified annex.
‘‘(B) INPUT.—For purposes of the reports required under subparagraph (A), the Director shall create a process under which owners and operators of covered critical infrastructure may provide input on the findings of the reports.
‘‘(b) RISK-BASED PERFORMANCE REQUIREMENTS.—
‘‘(1) IN GENERAL.—Not later than 270 days after the date of the enactment of this subtitle, in coordination with the heads of the sector-specific agencies with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, and in consultation with the National Cybersecurity Advisory Council and any private sector entity determined appropriate by the Director, the Director shall issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber vulnerabilities through the adoption of security measures that satisfy the security performance requirements identified by the Director.
‘‘(2) PROCEDURES.—The regulations issued under this subsection shall—
‘‘(A) include a process under which owners and operators of covered critical infrastructure are informed of identified cyber vulnerabilities and security performance requirements designed to remediate or mitigate the cyber vulnerabilities, in combination with best practices recommended under section 247;
‘‘(B) establish a process for owners and operators of covered critical infrastructure to select security measures, including any best practices recommended under section 247, that, in combination, satisfy the security performance requirements established by the Director under this subsection;
‘‘(C) establish a process for owners and operators of covered critical infrastructure to develop response plans for a national cyber emergency declared under section 249; and
‘‘(D) establish a process by which the Director—
‘‘(i) is notified of the security measures selected by the owner or operator of covered critical infrastructure under subparagraph (B); and
‘‘(ii) may determine whether the proposed security measures satisfy the security performance requirements established by the Director under this subsection.
‘‘(3) INTERNATIONAL COOPERATION ON SECURING COVERED CRITICAL INFRASTRUCTURE.—
‘‘(A) IN GENERAL.—The Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall—
‘‘(i) consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of covered critical infrastructure that is located outside the United States and the government of the country in which the covered critical infrastructure is located of any cyber vulnerabilities to the covered critical infrastructure; and
‘‘(ii) coordinate with the government of the country in which the covered critical infrastructure is located and, as appropriate, the owner or operator of the covered critical infrastructure, regarding the implementation of security measures or other measures to the covered critical infrastructure to mitigate or remediate cyber vulnerabilities.
‘‘(B) INTERNATIONAL AGREEMENTS.—The Director shall carry out this paragraph in a manner consistent with applicable international agreements.
‘‘(4) RISK-BASED SECURITY PERFORMANCE REQUIREMENTS.—
‘‘(A) IN GENERAL.—The security performance requirements established by the Director under this subsection shall be—
‘‘(i) based on the factors listed in subsection (a)(2); and
‘‘(ii) designed to remediate or mitigate identified cyber vulnerabilities and any associated consequences of an exploitation based on such vulnerabilities.
‘‘(B) CONSULTATION.—In establishing security performance requirements under this subsection, the Director shall, to the maximum extent practicable, consult with—
‘‘(i) the Director of the National Security Agency;
‘‘(ii) the Director of the National Institute of Standards and Technology;
‘‘(iii) the National Cybersecurity Advisory Council;
‘‘(iv) the heads of sector-specific agencies; and
‘‘(v) the heads of Federal agencies that are not a sector-specific agency with responsibilities for regulating the covered critical infrastructure.
‘‘(C) ALTERNATIVE MEASURES.—
‘‘(i) IN GENERAL.—The owners and operators of covered critical infrastructure shall have flexibility to implement any security measure, or combination thereof, to satisfy the security performance requirements described in subparagraph (A) and the Director may not disapprove under this section any proposed security measures, or combination thereof, based on the presence or absence of any particular security measure if the proposed security measures, or combination thereof, satisfy the security performance requirements established by the Director under this section.
‘‘(ii) RECOMMENDED SECURITY MEASURES.—The Director may recommend to an owner and operator of covered critical infrastructure a specific security measure, or combination thereof, that will satisfy the security performance requirements established by the Director. The absence of the recommended security measures, or combination thereof, may not serve as the basis for a disapproval of the security measure, or combination thereof, proposed by the owner or operator of covered critical infrastructure if the proposed security measure, or combination thereof, otherwise satisfies the security performance requirements established by the Director under this section.
‘‘SEC. 249. NATIONAL CYBER EMERGENCIES.
‘‘(a) DECLARATION.—
‘‘(1) IN GENERAL.—The President may issue a declaration of a national cyber emergency to covered critical infrastructure. Any declaration under this section shall specify the covered critical infrastructure subject to the national cyber emergency.
‘‘(2) NOTIFICATION.—Upon issuing a declaration under paragraph (1), the President shall, consistent with the protection of intelligence sources and methods, notify the owners and operators of the specified covered critical infrastructure of the nature of the national cyber emergency.
‘‘(3) AUTHORITIES.—If the President issues a declaration under paragraph (1), the Director shall—
‘‘(A) immediately direct the owners and operators of covered critical infrastructure subject to the declaration under paragraph (1) to implement response plans required under section 248(b)(2)(C);
‘‘(B) develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure;
‘‘(C) ensure that emergency measures or actions directed under this section represent the least disruptive means feasible to the operations of the covered critical infrastructure;
‘‘(D) subject to subsection (f), direct actions by other Federal agencies to respond to the national cyber emergency;
‘‘(E) coordinate with officials of State and local governments, international partners of the United States, and private owners and operators of covered critical infrastructure specified in the declaration to respond to the national cyber emergency;
‘‘(F) initiate a process under section 248 to address the cyber vulnerability that may be exploited by the national cyber emergency; and
‘‘(G) provide voluntary technical assistance, if requested, under section 242(f)(1)(S).
‘‘(4) REIMBURSEMENT.—A Federal agency shall be reimbursed for expenditures under this section from funds appropriated for the purposes of this section. Any funds received by a Federal agency as reimbursement for services or supplies furnished under the authority of this section shall be deposited to the credit of the appropriation or appropriations available on the date of the deposit for the services or supplies.
‘‘(5) CONSULTATION.—In carrying out this section, the Director shall consult with the Secretary, the Secretary of Defense, the Director of the National Security Agency, the Director of the National Institute of Standards and Technology, and any other official, as directed by the President.
‘‘(6) PRIVACY.—In carrying out this section, the Director shall ensure that the privacy and civil liberties of United States persons are protected.
‘‘(b) DISCONTINUANCE OF EMERGENCY MEASURES.—
‘‘(1) IN GENERAL.—Any emergency measure or action developed under this section shall cease to have effect not later than 30 days after the date on which the President issued the declaration of a national cyber emergency, unless—
‘‘(A) the Director affirms in writing that the emergency measure or action remains necessary to address the identified national cyber emergency; and
‘‘(B) the President issues a written order or directive reaffirming the national cyber emergency, the continuing nature of the national cyber emergency, or the need to continue the adoption of the emergency measure or action.
‘‘(2) EXTENSIONS.—An emergency measure or action extended in accordance with paragraph (1) may—
‘‘(A) remain in effect for not more than 30 days after the date on which the emergency measure or action was to cease to have effect; and
‘‘(B) be extended for additional 30-day periods, if the requirements of paragraph (1) and subsection (d) are met.
‘‘(c) COMPLIANCE WITH EMERGENCY MEASURES.—
‘‘(1) IN GENERAL.—Subject to paragraph (2), the owner or operator of covered critical infrastructure shall immediately comply with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2).
‘‘(2) ALTERNATIVE MEASURES.—If the Director determines that a proposed security measure, or any combination thereof, submitted by the owner or operator of covered critical infrastructure in accordance with the process established under section 248(b)(2) addresses the cyber vulnerability associated with the national cyber emergency that is the subject of the declaration under this section, the owner or operator may comply with paragraph (1) of this subsection by implementing the proposed security measure, or combination thereof, approved by the Director under the process established under section 248. Before submission of a proposed security measure, or combination thereof, and during the pendency of any review by the Director under the process established under section 248, the owner or operator of covered critical infrastructure shall remain in compliance with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2), until such time as the Director has approved an alternative proposed security measure, or combination thereof, under this paragraph.
‘‘(3) INTERNATIONAL COOPERATION ON NATIONAL CYBER EMERGENCIES.—
‘‘(A) IN GENERAL.—The Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall—
‘‘(i) consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of covered critical infrastructure that is located outside of the United States and the government of the country in which the covered critical infrastructure is located of any national cyber emergency affecting the covered critical infrastructure; and
‘‘(ii) coordinate with the government of the country in which the covered critical infrastructure is located and, as appropriate, the owner or operator of the covered critical infrastructure, regarding the implementation of emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of the covered critical infrastructure.
‘‘(B) INTERNATIONAL AGREEMENTS.—The Director shall carry out this paragraph in a manner consistent with applicable international agreements.
‘‘(4) LIMITATION ON COMPLIANCE AUTHORITY.—The authority to direct compliance with an emergency measure or action under this section shall not authorize the Director, the Center, the Department, or any other Federal entity to compel the disclosure of information or conduct surveillance unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other provision of law.
‘‘(d) REPORTING.—
‘‘(1) IN GENERAL.—Except as provided in paragraph (2), the President shall ensure that any declaration under subsection (a)(1) or any extension under subsection (b)(2) is reported to the appropriate committees of Congress before the Director mandates any emergency measure or actions under subsection (a)(3).
‘‘(2) EXCEPTION.—If notice cannot be given under paragraph (1) before mandating any emergency measure or actions under subsection (a)(3), the President shall provide the report required under paragraph (1) as soon as possible, along with a statement of the reasons for not providing notice in accordance with paragraph (1).
‘‘(3) CONTENTS.—Each report under this subsection shall describe—
‘‘(A) the nature of the national cyber emergency;
‘‘(B) the reasons that risk-based security requirements under section 248 are not sufficient to address the national cyber emergency; and
‘‘(C) the actions necessary to preserve the reliable operation and mitigate the consequences of the potential disruption of covered critical infrastructure.
‘‘(e) STATUTORY DEFENSES AND CIVIL LIABILITY LIMITATIONS FOR COMPLIANCE WITH EMERGENCY MEASURES.—
‘‘(1) DEFINITIONS.—In this subsection—
‘‘(A) the term ‘covered civil action’—
‘‘(i) means a civil action filed in a Federal or State court against a covered entity; and
‘‘(ii) does not include an action brought under section 2520 or 2707 of title 18, United States Code, or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1810 and 1828);
‘‘(B) the term ‘covered entity’ means any entity that owns or operates covered critical infrastructure, including any owner, operator, officer, employee, agent, landlord, custodian, or other person acting for or on behalf of that entity with respect to the covered critical infrastructure; and
‘‘(C) the term ‘noneconomic damages’ means damages for losses for physical and emotional pain, suffering, inconvenience, physical impairment, mental anguish, disfigurement, loss of enjoyment of life, loss of society and companionship, loss of consortium, hedonic damages, injury to reputation, and any other nonpecuniary losses.
‘‘(2) APPLICATION OF LIMITATIONS ON CIVIL LIABILITY.—The limitations on civil liability under paragraph (3) apply if—
‘‘(A) the President has issued a declaration of national cyber emergency under subsection (a)(1);
‘‘(B) the Director has—
‘‘(i) issued emergency measures or actions for which compliance is required under subsection (c)(1); or
‘‘(ii) approved security measures under subsection (c)(2);
‘‘(C) the covered entity is in compliance with—
‘‘(i) the emergency measures or actions required under subsection (c)(1); or
‘‘(ii) security measures which the Director has approved under subsection (c)(2); and
‘‘(D)(i) the Director certifies to the court in which the covered civil action is pending that the actions taken by the covered entity during the period covered by the declaration under subsection (a)(1) were consistent with—
‘‘(I) emergency measures or actions for which compliance is required under subsection (c)(1); or
‘‘(II) security measures which the Director has approved under subsection (c)(2); or
‘‘(ii) notwithstanding the lack of a certification, the covered entity demonstrates by a preponderance of the evidence that the actions taken during the period covered by the declaration under subsection (a)(1) are consistent with the implementation of—
‘‘(I) emergency measures or actions for which compliance is required under subsection (c)(1); or
‘‘(II) security measures which the Director has approved under subsection (c)(2).
‘‘(3) LIMITATIONS ON CIVIL LIABILITY.—In any covered civil action that is related to any incident associated with a cyber vulnerability covered by a declaration of a national cyber emergency and for which the Director has issued emergency measures or actions for which compliance is required under subsection (c)(1) or for which the Director has approved security measures under subsection (c)(2), or that is the direct consequence of actions taken in good faith for the purpose of implementing security measures or actions which the Director has approved under subsection (c)(2)—
‘‘(A) the covered entity shall not be liable for any punitive damages intended to punish or deter, exemplary damages, or other damages not intended to compensate a plaintiff for actual losses; and
‘‘(B) noneconomic damages may be awarded against a defendant only in an amount directly proportional to the percentage of responsibility of such defendant for the harm to the plaintiff, and no plaintiff may recover noneconomic damages unless the plaintiff suffered physical harm.
‘‘(4) CIVIL ACTIONS ARISING OUT OF IMPLEMENTATION OF EMERGENCY MEASURES OR ACTIONS.—A covered civil action may not be maintained against a covered entity that is the direct consequence of actions taken in good faith for the purpose of implementing specific emergency measures or actions for which compliance is required under subsection (c)(1), if—
‘‘(A) the President has issued a declaration of national cyber emergency under subsection (a)(1) and the action was taken during the period covered by that declaration;
‘‘(B) the Director has issued emergency measures or actions for which compliance is required under subsection (c)(1);
‘‘(C) the covered entity is in compliance with the emergency measures required under subsection (c)(1); and
‘‘(D)(i) the Director certifies to the court in which the covered civil action is pending that the actions taken by the entity during the period covered by the declaration under subsection (a)(1) were consistent with the implementation