Amends the Homeland Security Act of 2002 (HSA) to establish within DHS a National Center for Cybersecurity and Communications (NCCC), which shall be headed by a Director, who shall:
(1) work cooperatively with the private sector and lead the federal effort to secure, protect, and ensure the resiliency of the federal and national information infrastructure; and
(2) work with the Assistant Secretary for Infrastructure Protection to coordinate the information, communications, and physical infrastructure protection responsibilities and activities of NCCC and the Office of Infrastructure Protection. Transfers to NCCC the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System. Establishes within NCCC the United States Computer Emergency Readiness Team, which shall:
(1) collect, coordinate, and disseminate information on risks to specified federal information infrastructure and security controls; and
(2) establish a mechanism for engagement with the private sector.
Requires the NCCC Director to:
(1) establish a program for sharing information with and between NCCC and other federal agencies;
(2) develop guidelines to protect the privacy and civil liberties of U.S. persons and intelligence sources and methods;
(3) establish a program to promote and provide technical assistance relating to the implementation of best practices and related standards and guidelines for securing the national information infrastructure; and
(4) identify and evaluate the cyber risks to covered critical infrastructure on a continuous and sector-by-sector basis and issue regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber risks.
Authorizes the President to issue a declaration of a national cyber emergency to covered critical infrastructure if there is an ongoing or imminent action by any individual or entity to exploit a cyber risk in a manner that attempts to disrupt the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure.
Requires the President to notify the owners and operators of the infrastructure of the nature of the emergency, consistent with the protection of intelligence sources and methods.
Requires the NCCC Director to take specified steps, including immediately directing the owners and operators to implement required response plans and to ensure that emergency actions represent the least disruptive means feasible to operations.
Prohibits any other federal entity, pursuant to such authority, from:
(1) restricting or prohibiting communications over, and not specifically directed to or from, covered critical infrastructure unless the Director determines that no other emergency action will preserve the reliable operation of such infrastructure or the national information infrastructure;
(2) controlling covered critical infrastructure;
(3) compelling the disclosure of information unless specifically authorized by law; or
(4) intercepting a wire, oral, or electronic communication, accessing a stored electronic or wire communication, installing or using a pen register or trap and trace device, or conducting electronic surveillance relating to an incident unless otherwise authorized by specified statutes.
Requires the President to ensure that any declaration or extension is reported to the appropriate congressional committees before the Director mandates any emergency measure or actions.
Terminates such an emergency measure or action 30 days after the President's declaration and authorizes extensions for not more than 3 additional 30-day periods under certain conditions if approved by a joint resolution by Congress. Requires each owner or operator of covered critical infrastructure to certify to the NCCC Director whether the owner or operator has developed and implemented approved security measures and any applicable emergency measures or actions required for any cyber risks and national cyber emergencies.
Sets forth civil penalties for violations.
Requires the DHS Secretary and the private sector to develop, periodically update, and implement a supply chain risk management strategy designed to ensure the security of the federal information infrastructure.