Amends the Homeland Security Act of 2002 to direct the Secretary of the Department of Homeland Security (DHS) to perform necessary activities to facilitate the protection of federal systems and to assist critical infrastructure owners and operators, upon request, in protecting their critical infrastructure information systems, including by:
(1) conducting risk assessments and providing technical assistance;
(2) assisting in fostering the development of essential information security technologies and capabilities for protecting federal systems and critical infrastructure information systems;
(3) assisting in efforts to mitigate communications and information technology supply chain vulnerabilities;
(4) supporting nationwide awareness and outreach efforts to educate the public; and
(5) conducting exercises, simulations, and other activities designed to support and evaluate the national cyber incident response plan.
Directs the Secretary, at the direction of the Office of Management and Budget (OMB), to:
(1) conduct targeted risk assessments and operational evaluations for federal systems, which may include threat, vulnerability, and impact assessments and penetration testing;
(2) provide for the use of consolidated intrusion detection, prevention, or other protective capabilities and associated countermeasures for the purpose of protecting federal systems from cybersecurity threats;
(3) assess and foster the development of information security technologies and capabilities for use and dissemination through DHS and to be made available across multiple agencies;
(4) designate an entity within DHS to receive reports and information about cybersecurity incidents, threats, and vulnerabilities affecting federal systems; and
(5) provide incident detection, analysis, mitigation, and response information and remote or on-site technical assistance for federal systems.
Authorizes the Secretary to acquire, intercept, retain, use, and disclose communications and other system traffic transiting to or from, or stored on, federal systems and to deploy countermeasures with regard to such communications and system traffic for cybersecurity purposes (cybersecurity operational activities) if the Secretary certifies that:
(1) such acquisitions, interceptions, and countermeasures are reasonably necessary for protecting federal systems from cybersecurity threats;
(2) the content of communications will be collected and retained only when the communication is associated with a known or reasonably suspected cybersecurity threat and communications and system traffic will not be subject to the operation of a countermeasure unless associated with such threats;
(3) information obtained pursuant to cybersecurity operational activities will only be retained, used, or disclosed to protect federal systems from cybersecurity threats, to mitigate against such threats, or for law enforcement purposes with the Attorney General's approval when the information is evidence of a crime;
(4) notice has been provided to users of federal systems concerning the potential for acquisition, interception, retention, use, and disclosure of communications and other system traffic; and
(5) such activities are implemented pursuant to policies and procedures that have been reviewed and approved by the Attorney General.
Authorizes the Secretary to contract with, or request and obtain the assistance of, private entities that provide electronic communication or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic.
Authorizes agencies to permit the Secretary, or a private entity assisting the Secretary, to acquire, intercept, retain, use, or disclose communications, system traffic, records, or other information transiting to or from, or stored on, a federal system for the purpose of protecting federal systems from cybersecurity threats or mitigating such threats in connection with cybersecurity activities.
Provides that no otherwise privileged communication obtained in accordance with, or in violation of, such activities shall lose its privileged character.
Directs the Secretary to designate a lead cybersecurity official within DHS to provide leadership to the cybersecurity activities of DHS and to ensure that DHS's cybersecurity activities are coordinated with all other DHS infrastructure protection and cybersecurity programs and activities.
Directs the Secretary, in carrying out cybersecurity activities, to:
(1) coordinate with relevant federal agencies, state and local government representatives, critical infrastructure owners and operators, suppliers of technology for such owners and operators, academia, and international organizations and foreign partners; and
(2) develop and maintain a strategy that articulates DHS actions necessary to assure the readiness, reliability, continuity, integrity, and resilience of federal systems and critical infrastructure information systems.
Requires such strategy to:
(1) foster the continued superiority and reliability of the U.S. information technology and communications sectors; and
(2) ensure that DHS activities are undertaken in a manner that protects the statutory privacy rights and civil liberties of U.S. persons.
Requires the Privacy Officer of DHS to review on an ongoing basis, and prepare privacy impact assessments on, the cybersecurity policies, programs, and activities of DHS to ensure compliance with constitutional and legal protections.
Authorizes the Secretary, in order to assure that DHS has the necessary resources to carry out such cybersecurity activities, to:
(1) convert competitive service positions to excepted service or establish new excepted service positions within the Office of Cybersecurity and Communications, to carry out cybersecurity functions; and
(2) fix compensation for such positions, provide additional forms of compensation, and pay a retention bonus as needed to retain essential personnel.
Directs the Secretary to submit to appropriate congressional committees a detailed report that includes:
(1) a discussion of the Secretary's use of such flexible authority to recruit and retain qualified employees;
(2) metrics on relevant personnel actions; and
(3) long- and short-term strategic goals to address critical skills deficiencies.